ciq-cherry-pick changes to adjust cve-bf commits that are cves as well#64

Closed
roxanan1996 wants to merge 8 commits intomainlinefrom
{rnicolescu}_cve-bf-modify-during-cherry-pick

Conversation

@roxanan1996
Contributor

Started from the need to detect if the cve-bf dependencies are cves and if so to adjust the commit message accordingly. This led to multiple changes, more or less needed to make it happen, and some that were adjacent fixes and code deduplication.

Example PR where this happened and someone had to intervene to fix it after the PR was created.

Example PR where it was flagged that a commit was a cve, even though that was rejected:
ctrliq/kernel-src-tree#1116 (comment)

Main changes and the reasons behind them:

  1. Added jira helpers in kt/ktlib/jira.py, needed to find the new jira ticket for the deps that are cves as well.
  2. Added the actual logic to detect if the cve-bf are cves as well and adjust the commit message + update the jira ticket.
    In case the cve-bf dependency is a cve and has a corresponding jira ticket,
    it would be left unassigned. Then the pr_jira_check.py would complain.
    In order to avoid this, and the "incomplete" logic of updating jira tickets
    only for cve-bf commits, ciq-cherry-pick.py now updates the jira tickets
    by default (for the initial CVE and for the dependencies that are CVEs),
    unless --jira-dry-run is being used. This way, we don't end up with a weird
    state where just one ticket is updated and the others are not.

    Extra arguments were added:
      • jira credentials because we now do jira queries
      • vuln repo path to check if a CVE matches a commit
      • jira-dry-run as described above
  3. ciq_helpers is moved to kt/ktlib so we can import it in other projects as well (cve_remediation).
  4. The cve_check used did not check if the cve was rejected or published. That's now fixed.

Commits

ciq_helpers.py: Add wrapper for run_cve_search to avoid duplication

1. Moved run_cve_search from check_kernel_commits.py to ciq_helpers.py
2. Created a wrapper that parses the output of run_cve_search and returns the
cve number.
3. Used the wrapper instead of doing the same thing twice in check_kernel_commits.py

Bonus: This also reduces the level of indentation in check_kernel_commits.

Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>

kt: Move ciq_helpers.py to ktlib

Useful because kt is exposed as a package and these helpers can be used
in multiple places, not only this repo.

Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>

kt/ktlib: Introduce jira helpers

Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>

kt/ktlib/ciq_helpers.py: Add helper that sets up the vuln repo

Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>

ciq-cherry-pick.py: Check if cve-bf commits are actual cves

If so, use the proper tag and jira ticket (if it exists). If no jira ticket
is found, the original one will be used.

In case the cve-bf dependency is a cve and has a corresponding jira ticket,
it would be left unassigned. Then the pr_jira_check.py would complain.
In order to avoid this, and the "incomplete" logic of updating jira tickets
only for cve-bf commits, ciq-cherry-pick.py now updates the jira tickets
by default (for the initial CVE and for the dependencies that are CVEs),
unless --jira-dry-run is being used. This way, we don't end up with a weird
state where just one ticket is updated and the others are not.

Extra arguments were needed:
- jira credentials because we now do jira queries
- vuln repo path to check if a CVE matches a commit
- jira-dry-run as described above

Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>

kt/ktlib/ciq_helpers: find matching cve only if the cve is published

CIQ_find_matching_cve returned the matching CVE even if it's rejected because
the cve_search script from the vuln repo does not check if the CVE is
published or rejected.

Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>

kt: Add kernel_info command

It prints a json that matches the kernel information from kt/data/kernels.yml

Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>

kt/ktlib/jira.py: Add helper to unassign tickets

Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
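The "published only" matching that the description (item 4) and the commit "find matching cve only if the cve is published" describe, shown as an added, self-contained example. This is not code from the PR or from the kt project: the functions, the temporary tree built by build_sample_vulns_repo, and the assumed vulns-repo layout (cve/published/<year>/ and cve/rejected/<year>/ directories holding one .sha1 file per CVE that names the fix commit) are all this example's own assumptions. The security-relevant point is the same as in the commit: a CVE record that exists only under the rejected state must never turn a dependency into a "cve" tagged commit or trigger a ticket update.

```python
import re
import tempfile
from pathlib import Path

# Assumed (hypothetical) vulns-repo layout used by this example, not taken from the PR:
#   <vulns_repo>/cve/published/<year>/CVE-<year>-<id>.sha1  -> sha of the fix commit
#   <vulns_repo>/cve/rejected/<year>/CVE-<year>-<id>.sha1   -> same record, CVE withdrawn
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$")


def cve_state(vulns_repo, cve_id):
    """Return 'published', 'rejected' or None for a CVE id, decided solely by
    which state directory holds a record for it."""
    match = CVE_ID_RE.match(cve_id)
    if not match:
        raise ValueError(f"not a CVE id: {cve_id!r}")
    year = match.group(1)
    for state in ("published", "rejected"):
        state_dir = Path(vulns_repo) / "cve" / state / year
        if any(state_dir.glob(cve_id + ".*")):  # empty iterator if the dir is missing
            return state
    return None


def index_fix_commits(vulns_repo, state="published"):
    """Map fix-commit sha -> CVE id for every .sha1 record in one state directory."""
    index = {}
    for sha_file in (Path(vulns_repo) / "cve" / state).glob("*/CVE-*.sha1"):
        sha = sha_file.read_text().strip().lower()
        if sha:
            index[sha] = sha_file.stem  # file name without .sha1 is the CVE id
    return index


def find_published_cve(vulns_repo, commit_sha):
    """Return the published CVE whose fix commit is commit_sha, or None.

    Only cve/published/ is consulted on purpose: a commit that appears solely
    under cve/rejected/ is not a CVE fix and must not get a 'cve' tag or a
    Jira ticket update."""
    commit_sha = commit_sha.strip().lower()
    return index_fix_commits(vulns_repo, "published").get(commit_sha)


def build_sample_vulns_repo():
    """Create a throw-away tree with constructed data: one published and one
    rejected CVE, each pointing at its own (made-up) fix commit."""
    root = Path(tempfile.mkdtemp(prefix="vulns-"))
    records = {
        "published/2024/CVE-2024-00001": "a" * 40,  # constructed sha
        "rejected/2024/CVE-2024-00002": "b" * 40,   # constructed sha
    }
    for rel, sha in records.items():
        path = root / "cve" / (rel + ".sha1")
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(sha + "\n")
    return str(root)


if __name__ == "__main__":
    repo = build_sample_vulns_repo()
    print(find_published_cve(repo, "a" * 40))  # CVE-2024-00001
    print(find_published_cve(repo, "b" * 40))  # None: CVE-2024-00002 is rejected
    print(cve_state(repo, "CVE-2024-00002"))   # rejected
```

Against a real checkout the caller would pass the path given by the PR's new vuln-repo argument instead of the sample tree; the lookup stays read-only, so it is safe to run under --jira-dry-run before any ticket is touched.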

1. Moved run_cve_search from check_kernel_commits.py to ciq_helpers.py
2. Created a wrapper that parses the output of run_cve_search and return the
cve number.
3. Used the wrapper instead of doing the same thing twice in check_kernel_commits.py

Bonus: This also reduces the level of identation in check_kernel_commits.

Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
Useful because kt is exposed as package and these helpers can be used
in multiple places, not only this repo.

Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
If so, use the proper tag and jira ticket (if it exists). If no jira ticket
is found, the original one will be used.

In case the cve-bf dependency is a cve and has a corresponding jira ticket,
it would be left unassigned. Then the pr_jira_check.py would complain.
In order to avoid this, and the "incomplete" logic of updating jira tickets
only for cve-bf commits, ciq-cherry-pick.py now updates the jira tickets
by default (for the initial CVE and for the dependencies that are CVEs),
unless --jira-dry-run is being used. This way, we don't end up with a weird
state where just one ticket is updated and the others are not.

Extra arguments were needed:
- jira credentials because we now do jira queries
- vuln repo path to check if a CVE matches a commit
- jira-dry-run as described above

Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
CIQ_find_matching_cve returned the matching CVE even if it's rejected because
the cve_search script from the vuln repo does not check if the CVE is
published or rejected.

Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
It prints a json that matches the kernel information from kt/data/kernels.yml

Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
Copilot AI review requested due to automatic review settings April 23, 2026 15:15
@roxanan1996 roxanan1996 marked this pull request as draft April 23, 2026 15:16
@roxanan1996 roxanan1996 self-assigned this Apr 23, 2026

Copilot AI left a comment


Pull request overview

This PR enhances the CVE cherry-pick/backport tooling to detect when cve-bf dependencies are actually published CVEs, then adjusts commit tags/tickets accordingly and updates JIRA state. It also refactors CVE lookup/vulns repo setup into shared ktlib helpers and adds a small kt kernel_info command.

Changes:

  • Add kt/ktlib/jira.py JIRA helper wrapper and integrate JIRA updates into ciq-cherry-pick.py.
  • Move/deduplicate CVE lookup + vulns repo setup into kt/ktlib/ciq_helpers.py, and update call sites.
  • Add kt kernel_info command to print kernel metadata from kt/data/kernels.yaml.

Reviewed changes

Copilot reviewed 8 out of 9 changed files in this pull request and generated 8 comments.

| File | Description |
| --- | --- |
| update_lt_spec.py | Switch import to kt.ktlib.ciq_helpers after helper move. |
| rolling-release-update.py | Switch import to kt.ktlib.ciq_helpers after helper move. |
| kt/ktlib/jira.py | New JIRA wrapper used by cherry-pick automation. |
| kt/ktlib/ciq_helpers.py | Add CVE search + "published CVE only" logic and vulns repo setup helper. |
| kt/commands/kernel_info/impl.py | Implement kernel info lookup + JSON output. |
| kt/commands/kernel_info/command.py | Add Click command wiring + help text. |
| ciq-cherry-pick.py | Add CVE-bf→CVE detection, JIRA ticket lookup, and JIRA updates. |
| check_kernel_commits.py | Use shared CVE lookup helper + published-only matching. |
| bin/kt | Register new kernel_info command. |

Comments suppressed due to low confidence (1)

kt/ktlib/ciq_helpers.py:546

  • Docstring typo: "errros" → "error" (and "Setups" → "Sets up") to keep documentation readable and professional.
