ciq_tag: lib and command line tool to operate on CIQ commit tags

[pvts-mat]

About

A library and a command line tool to get, insert, modify and delete CIQ tags from commit messages.

Features:

• Pure python 3

• Minimal dependencies

  pip3 install more-itertools
  

  (can be avoided if required)

• Tools-indepentent

  • Operates on string level, doesn't call git underneath (or any other external commands for that matter).
  • Input / output can be a stdin / stdout or a file.

• Robust

  • Accounts for different alternative keywords found in the wild (cve-bf, cve-bugfix, cve-update, …)
  • Accounts for different keyword separators (space, :)
  • Deals with complex multiline tags like upstream-diff regardless of their formatting and indentation.

• Handling the formatting

  • Automatic wrapping / unwrapping of long tag values.
  • Indenting / unindenting the values
  • Auto controlling of the empty lines separating the tags from the rest of commit message, ensuring readability.

• Full-featured

  • All tools in place to operate on the commit's tags without editing the message by hand.
  • Values can be read from a file if some specific formatting is desired (eg. bullet points in the upstream-diff)
  • Support for multiple tags of the same type (eg. multiple jira tags).

• Extendable.

  • New tags or alternative spellings of keywords can be very easily added.

By encapsulating the tags editing operations this tool allows for automating those revision history maintenance tasks which previously had to be done by hand or with the use of ad-hoc greps and seds..

Examples

Adding tags

Input

$ git log --pretty=%B -n 1 94d10a4dba0bc482f2b01e39f06d5513d0f75742

sunrpc: handle SVC_GARBAGE during svc auth processing as auth error

tianshuo han reported a remotely-triggerable crash if the client sends a
kernel RPC server a specially crafted packet. If decoding the RPC reply
fails in such a way that SVC_GARBAGE is returned without setting the
rq_accept_statp pointer, then that pointer can be dereferenced and a
value stored there.

[…]

Output

$ git log --pretty=%B -n 1 94d10a4dba0bc482f2b01e39f06d5513d0f75742 \
  | ./ciq_tag.py add cve CVE-2025-38089

sunrpc: handle SVC_GARBAGE during svc auth processing as auth error

cve CVE-2025-38089

tianshuo han reported a remotely-triggerable crash if the client sends a
kernel RPC server a specially crafted packet. If decoding the RPC reply
fails in such a way that SVC_GARBAGE is returned without setting the
rq_accept_statp pointer, then that pointer can be dereferenced and a
value stored there.

[…]

Automatic tracking of the proper tags order

(jira tag should be before cve)

$ git log --pretty=%B -n 1 94d10a4dba0bc482f2b01e39f06d5513d0f75742 \
  | ./ciq_tag.py add cve CVE-2025-38089 \
  | ./ciq_tag.py add jira VULN-71607

sunrpc: handle SVC_GARBAGE during svc auth processing as auth error

jira VULN-71607
cve CVE-2025-38089

tianshuo han reported a remotely-triggerable crash if the client sends a
kernel RPC server a specially crafted packet. If decoding the RPC reply
fails in such a way that SVC_GARBAGE is returned without setting the
rq_accept_statp pointer, then that pointer can be dereferenced and a
value stored there.

[…]

Adding multiple instances of the same tag if necessary

$ git log --pretty=%B -n 1 94d10a4dba0bc482f2b01e39f06d5513d0f75742 \
  | ./ciq_tag.py add cve CVE-2025-38089 \
  | ./ciq_tag.py add jira VULN-71607 \
  | ./ciq_tag.py add jira VULN-70617

sunrpc: handle SVC_GARBAGE during svc auth processing as auth error

jira VULN-71607
jira VULN-70617
cve CVE-2025-38089

tianshuo han reported a remotely-triggerable crash if the client sends a
kernel RPC server a specially crafted packet. If decoding the RPC reply
fails in such a way that SVC_GARBAGE is returned without setting the
rq_accept_statp pointer, then that pointer can be dereferenced and a
value stored there.

[…]

Modifying existing tags

Input

$ git log --pretty=%B -n 1 be2f55fc817f6dfb1ca1d7cd267766764798c9f9

vsock: Orphan socket after transport release

jira VULN-53609
cve CVE-2025-21756
commit-author Michal Luczaj <mhal@rbox.co>
commit 78dafe1cf3afa02ed71084b350713b07e72a18fb
upstream-diff Indentation is different from upstream change because
              this kernel lacks 135ffc7becc8 ("bpf, vsock: Invoke
              proto::close on close()").  Otherwise the change
              content is the same.

During socket release, sock_orphan() is called without considering that it
sets sk->sk_wq to NULL. Later, if SO_LINGER is enabled, this leads to a
null pointer dereferenced in virtio_transport_wait_close().

[…]

Output

$ git log --pretty=%B -n 1 be2f55fc817f6dfb1ca1d7cd267766764798c9f9 \
  | ./ciq_tag.py modify cve CVE-2025-32867

vsock: Orphan socket after transport release

jira VULN-53609
cve CVE-2025-32867
commit-author Michal Luczaj <mhal@rbox.co>
commit 78dafe1cf3afa02ed71084b350713b07e72a18fb
upstream-diff Indentation is different from upstream change because
              this kernel lacks 135ffc7becc8 ("bpf, vsock: Invoke
              proto::close on close()").  Otherwise the change
              content is the same.

During socket release, sock_orphan() is called without considering that it
sets sk->sk_wq to NULL. Later, if SO_LINGER is enabled, this leads to a
null pointer dereferenced in virtio_transport_wait_close().

[…]

Return nonzero exit code if tag not found

(but produce the output unchanged)

$ git log --pretty=%B -n 1 be2f55fc817f6dfb1ca1d7cd267766764798c9f9 \
  | ./ciq_tag.py modify cve-pre CVE-2025-32867

vsock: Orphan socket after transport release

jira VULN-53609
cve CVE-2025-21756
commit-author Michal Luczaj <mhal@rbox.co>
commit 78dafe1cf3afa02ed71084b350713b07e72a18fb
upstream-diff Indentation is different from upstream change because
              this kernel lacks 135ffc7becc8 ("bpf, vsock: Invoke
              proto::close on close()").  Otherwise the change
              content is the same.

During socket release, sock_orphan() is called without considering that it
sets sk->sk_wq to NULL. Later, if SO_LINGER is enabled, this leads to a
null pointer dereferenced in virtio_transport_wait_close().

[…]

$ echo $?

1

Use set to insert anyway if not exist

This differs from add which would always insert the tag, while set first attempts to modify the existing one and only if that didn't succeed - to insert the new instance.

$ git log --pretty=%B -n 1 be2f55fc817f6dfb1ca1d7cd267766764798c9f9 \
  | ./ciq_tag.py set cve-pre CVE-2025-32867

vsock: Orphan socket after transport release

jira VULN-53609
cve CVE-2025-21756
cve-pre CVE-2025-32867
commit-author Michal Luczaj <mhal@rbox.co>
commit 78dafe1cf3afa02ed71084b350713b07e72a18fb
upstream-diff Indentation is different from upstream change because
              this kernel lacks 135ffc7becc8 ("bpf, vsock: Invoke
              proto::close on close()").  Otherwise the change
              content is the same.

During socket release, sock_orphan() is called without considering that it
sets sk->sk_wq to NULL. Later, if SO_LINGER is enabled, this leads to a
null pointer dereferenced in virtio_transport_wait_close().

[…]

Deleting tags

Input

$ git log --pretty=%B -n 1 be2f55fc817f6dfb1ca1d7cd267766764798c9f9

vsock: Orphan socket after transport release

jira VULN-53609
cve CVE-2025-21756
commit-author Michal Luczaj <mhal@rbox.co>
commit 78dafe1cf3afa02ed71084b350713b07e72a18fb
upstream-diff Indentation is different from upstream change because
              this kernel lacks 135ffc7becc8 ("bpf, vsock: Invoke
              proto::close on close()").  Otherwise the change
              content is the same.

During socket release, sock_orphan() is called without considering that it
sets sk->sk_wq to NULL. Later, if SO_LINGER is enabled, this leads to a
null pointer dereferenced in virtio_transport_wait_close().

[…]

Basic usage

$ git log --pretty=%B -n 1 be2f55fc817f6dfb1ca1d7cd267766764798c9f9 \
  | ./ciq_tag.py delete jira

vsock: Orphan socket after transport release

cve CVE-2025-21756
commit-author Michal Luczaj <mhal@rbox.co>
commit 78dafe1cf3afa02ed71084b350713b07e72a18fb
upstream-diff Indentation is different from upstream change because
              this kernel lacks 135ffc7becc8 ("bpf, vsock: Invoke
              proto::close on close()").  Otherwise the change
              content is the same.

During socket release, sock_orphan() is called without considering that it
sets sk->sk_wq to NULL. Later, if SO_LINGER is enabled, this leads to a
null pointer dereferenced in virtio_transport_wait_close().

[…]

Handling the multi-line properties well

$ git log --pretty=%B -n 1 be2f55fc817f6dfb1ca1d7cd267766764798c9f9 \
  | ./ciq_tag.py delete upstream-diff

vsock: Orphan socket after transport release

jira VULN-53609
cve CVE-2025-21756
commit-author Michal Luczaj <mhal@rbox.co>
commit 78dafe1cf3afa02ed71084b350713b07e72a18fb

During socket release, sock_orphan() is called without considering that it
sets sk->sk_wq to NULL. Later, if SO_LINGER is enabled, this leads to a
null pointer dereferenced in virtio_transport_wait_close().

[…]

Clean all metadata

Shring the vertical separation if needed

$ git log --pretty=%B -n 1 be2f55fc817f6dfb1ca1d7cd267766764798c9f9 \
  | ./ciq_tag.py delete jira \
  | ./ciq_tag.py delete upstream-diff \
  | ./ciq_tag.py delete cve \
  | ./ciq_tag.py delete commit-author \
  | ./ciq_tag.py delete commit

vsock: Orphan socket after transport release

During socket release, sock_orphan() is called without considering that it
sets sk->sk_wq to NULL. Later, if SO_LINGER is enabled, this leads to a
null pointer dereferenced in virtio_transport_wait_close().

[…]

Getting the values of tags

Input

$ git log --pretty=%B -n 1 be2f55fc817f6dfb1ca1d7cd267766764798c9f9

vsock: Orphan socket after transport release

jira VULN-53609
cve CVE-2025-21756
commit-author Michal Luczaj <mhal@rbox.co>
commit 78dafe1cf3afa02ed71084b350713b07e72a18fb
upstream-diff Indentation is different from upstream change because
              this kernel lacks 135ffc7becc8 ("bpf, vsock: Invoke
              proto::close on close()").  Otherwise the change
              content is the same.

During socket release, sock_orphan() is called without considering that it
sets sk->sk_wq to NULL. Later, if SO_LINGER is enabled, this leads to a
null pointer dereferenced in virtio_transport_wait_close().

[…]

Basic usage

$ git log --pretty=%B -n 1 be2f55fc817f6dfb1ca1d7cd267766764798c9f9 \
  | ./ciq_tag.py get cve

CVE-2025-21756

Return error if tag not found

$ git log --pretty=%B -n 1 be2f55fc817f6dfb1ca1d7cd267766764798c9f9 \
  | ./ciq_tag.py get cve-pre
$ echo ?$
1

Extract the raw upstream-diff

$ git log --pretty=%B -n 1 be2f55fc817f6dfb1ca1d7cd267766764798c9f9 \
  | ./ciq_tag.py get upstream-diff

Indentation is different from upstream change because
              this kernel lacks 135ffc7becc8 ("bpf, vsock: Invoke
              proto::close on close()").  Otherwise the change
              content is the same.

Avoid the indentation

$ git log --pretty=%B -n 1 be2f55fc817f6dfb1ca1d7cd267766764798c9f9 \
  | ./ciq_tag.py get upstream-diff --dedent

Indentation is different from upstream change because
this kernel lacks 135ffc7becc8 ("bpf, vsock: Invoke
proto::close on close()").  Otherwise the change
content is the same.

Unwrap the text to abstract from formatting where it get in the way

$ git log --pretty=%B -n 1 be2f55fc817f6dfb1ca1d7cd267766764798c9f9 \
  | ./ciq_tag.py get upstream-diff --unwrap

Indentation is different from upstream change because this kernel lacks 135ffc7becc8 ("bpf, vsock: Invoke proto::close on close()").  Otherwise the change content is the same.

Handle also other multiline properties

Input:

$ git log --pretty=%B -n 1 a99ddaf06a3c93645b0b2ab435d5be584e63733d

x86/bugs: Remove CONFIG_BHI_MITIGATION_AUTO and spectre_bhi=auto

jira LE-2015
cve CVE-2024-2201
Rebuild_History Non-Buildable kernel-5.14.0-427.42.1.el9_4
commit-author Josh Poimboeuf <jpoimboe@kernel.org>
commit 36d4fe147c870f6d3f6602befd7ef44393a1c87a
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-5.14.0-427.42.1.el9_4/36d4fe14.failed

Unlike most other mitigations' "auto" options, spectre_bhi=auto only
mitigates newer systems, which is confusing and not particularly useful.

[…]

Output:

$ git log --pretty=%B -n 1 a99ddaf06a3c93645b0b2ab435d5be584e63733d \
  | ./ciq_tag.py get Empty-Commit 

Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-5.14.0-427.42.1.el9_4/36d4fe14.failed

Autoformatting of values

Input

$ cat msg.txt

vsock: Orphan socket after transport release

jira VULN-53609
cve CVE-2025-21756
commit-author Michal Luczaj <mhal@rbox.co>
commit 78dafe1cf3afa02ed71084b350713b07e72a18fb

During socket release, sock_orphan() is called without considering that it
sets sk->sk_wq to NULL. Later, if SO_LINGER is enabled, this leads to a
null pointer dereferenced in virtio_transport_wait_close().

[…]

Set upstream-diff right from the command line

$ cat msg.txt \
  | ./ciq_tag.py set --wrap upstream-diff 'Indentation is different from upstream change because this kernel lacks 135ffc7becc8 ("bpf, vsock: Invoke proto::close on close()").  Otherwise the change content is the same.'

vsock: Orphan socket after transport release

jira VULN-53609
cve CVE-2025-21756
commit-author Michal Luczaj <mhal@rbox.co>
commit 78dafe1cf3afa02ed71084b350713b07e72a18fb
upstream-diff Indentation is different from upstream change because this
kernel lacks 135ffc7becc8 ("bpf, vsock: Invoke proto::close on
close()").  Otherwise the change content is the same.

During socket release, sock_orphan() is called without considering that it
sets sk->sk_wq to NULL. Later, if SO_LINGER is enabled, this leads to a
null pointer dereferenced in virtio_transport_wait_close().

[…]

Set indentation to a fixed value

$ cat msg.txt \
  | ./ciq_tag.py set --indent 4 --wrap upstream-diff 'Indentation is different from upstream change because this kernel lacks 135ffc7becc8 ("bpf, vsock: Invoke proto::close on close()").  Otherwise the change content is the same.'

vsock: Orphan socket after transport release

jira VULN-53609
cve CVE-2025-21756
commit-author Michal Luczaj <mhal@rbox.co>
commit 78dafe1cf3afa02ed71084b350713b07e72a18fb
upstream-diff Indentation is different from upstream change because this
    kernel lacks 135ffc7becc8 ("bpf, vsock: Invoke proto::close on
    close()").  Otherwise the change content is the same.

During socket release, sock_orphan() is called without considering that it
sets sk->sk_wq to NULL. Later, if SO_LINGER is enabled, this leads to a
null pointer dereferenced in virtio_transport_wait_close().

[…]

Set indent to align with the keyword

$ cat msg.txt \
  | ./ciq_tag.py set --indent -1 --wrap upstream-diff 'Indentation is different from upstream change because this kernel lacks 135ffc7becc8 ("bpf, vsock: Invoke proto::close on close()").  Otherwise the change content is the same.'

vsock: Orphan socket after transport release

jira VULN-53609
cve CVE-2025-21756
commit-author Michal Luczaj <mhal@rbox.co>
commit 78dafe1cf3afa02ed71084b350713b07e72a18fb
upstream-diff Indentation is different from upstream change because this
              kernel lacks 135ffc7becc8 ("bpf, vsock: Invoke
              proto::close on close()").  Otherwise the change content
              is the same.

During socket release, sock_orphan() is called without considering that it
sets sk->sk_wq to NULL. Later, if SO_LINGER is enabled, this leads to a
null pointer dereferenced in virtio_transport_wait_close().

[…]

Control the width

$ cat msg.txt \
  | ./ciq_tag.py set --indent -1 --wrap --wrap-width 50 upstream-diff 'Indentation is different from upstream change because this kernel lacks 135ffc7becc8 ("bpf, vsock: Invoke proto::close on close()").  Otherwise the change content is the same.'

vsock: Orphan socket after transport release

jira VULN-53609
cve CVE-2025-21756
commit-author Michal Luczaj <mhal@rbox.co>
commit 78dafe1cf3afa02ed71084b350713b07e72a18fb
upstream-diff Indentation is different from
              upstream change because this kernel
              lacks 135ffc7becc8 ("bpf, vsock:
              Invoke proto::close on close()").
              Otherwise the change content is the
              same.

During socket release, sock_orphan() is called without considering that it
sets sk->sk_wq to NULL. Later, if SO_LINGER is enabled, this leads to a
null pointer dereferenced in virtio_transport_wait_close().

[…]

[pvts-mat]

No docs in the code - will be added if the tool finds acceptance. Same for the usage examples from the library POV

[roxanan1996]

I am not sure how often I would use this tool, except for maybe some mistakes like modifying the upstream-diff comment later. The rest of the tags should be automated.

But, I think the library would be very useful to improve the current tooling. Can you separate the library from the CLI tool to make things easier?

[roxanan1996]

pip3 install more-itertools

Add this as dependency in pyproject.toml. As explained here. I realized there's no readme with this, will add this soon.

And solve the formatting error in the pr_check.

[roxanan1996]

Will continue reviewing and testing tomorrow, but first the formatting has to be addressed.

[roxanan1996]

Any reason why this was implemented from scratch? Why not use argparse or even better click (https://click.palletsprojects.com/en/stable/)
I want to change all argparse usages to click, but haven't had the time.

[pvts-mat]

It is argparse. I didn't implement anything from scratch that wasn't implemented by argparse already. What I implemented was a translation from flexible data structures to inflexible argparse procedure calls.

With regards to click I didn't know about this tool. Maybe it provides what I needed, maybe not. I would have to evaluate it.

[roxanan1996]

I would use this as a param to the tool (the logging level)

[pvts-mat]

This would limit the log setting ability to the CLI tool only. What abut python modules which would be including this one?
Some switches might be provided, but the modules would have to be aware of them and consciously propagate end-user's logging level wish down to the library.
Environment variables cross the application-library barrier effortlessly, so the module's users don't have to deal with these settings. For example, a ciq_tag_user.py program may look like

#!/usr/bin/env python3

import ciq_tag

print(ciq_tag.add_tag("""
sunrpc: handle SVC_GARBAGE during svc auth processing as auth error

tianshuo han reported a remotely-triggerable crash if the client sends a
kernel RPC server a specially crafted packet. If decoding the RPC reply
fails in such a way that SVC_GARBAGE is returned without setting the
rq_accept_statp pointer, then that pointer can be dereferenced and a
value stored there.
""", ciq_tag.CiqTag.CVE, "CVE-2025-38089"))

and calling it as

LOGS=DEBUG ./ciq_tag_user.py

would show debug messages from the ciq_tag library without engaging ciq_tag_user.py in it.

If the programs using ciq_tag wished they may "plug" themselves into this LOGS variable logic as well, of course, so they recognize the logging level wanted by the end user in the same way. It is a form of very simple global logging setup, generally advised for python logging.

Having said that, the logging setup I did was really poor and lazy. Rewrote it.

[roxanan1996]

I would add comments inline the function with docstring.

[pvts-mat]

I would add the docstrings, but that's a bit of work. I wanted to see first if it's even worth it. Do you mind if we wait for others from the team to see if they even want this lib?

[roxanan1996]

I'll talk to them

[roxanan1996]

I haven't checked this properly, but my personal preference is to avoid multiple indents and do early returns if possible. What do you think?

[pvts-mat]

I guess we both want the code to look good. My criteria for code aesthetic is based on how well it exposes the behavioral complexity of an algorithm. Nested if/else statements make the task of answering key questions like "what are the conditions for function f to return value y?" as simple as taking the conjunction of conditions up the branching hierarchy from the picked exit point, while the existence of early returns necessitate mental code execution, which is prone to errors, takes more time and unnecessary effort.

This particular code also doesn't deal with eliminating error cases which the early returns seem to be most suited for.

[pvts-mat]

Thanks for looking into it @roxanan1996. Let me address the comments

I am not sure how often I would use this tool, except for maybe some mistakes like modifying the upstream-diff comment later. The rest of the tags should be automated.

But, I think the library would be very useful to improve the current tooling.

The library was the main goal. I wanted to create an abstraction layer over CIQ meta-data operations, hoping to reduce code duplication, wheel reinvention and the associated mental load. The development of the command line tool wasn't driven by some expected use cases, but rather guided by the principle of computational freedom. The aim was to transfer 1-to-1 the functionality of the library to the computation environment most natural and default for many tasks - the shell. I try not to mold the developed tools into imagined usecases because my imagination is limited and I do not wish to impose it on others.

Regarding the typical commit backporting workflow I don't think the tool is much useful, but it does open the door to automation of many kinds, which may be very useful in larger PRs like the recent netfilter one. For example, I could have kept all the metadata for the commits in some CSV table or any other structured form, where they would be much easier to manage, control and validate, then just "export" it to git commits as a branch. No upstream-diff would be missing then.

Additionaly the CLI frontend is very useful in testing the library, so I would have written it anyway.

Can you separate the library from the CLI tool to make things easier?

You mean the "things" here are the decision about what to keep and what to reject? Because if it's about usage then these two do not conflict in any way, you can import ciq_tag in python or ./ciq_tag.py in shell. I thought it's more concise and simple to keep them together. I may split it, but first I would need to know if CLI gets approval or not, otherwise there's no point - I would just drop it from ciq_tag.py.

[pvts-mat]

Add this as dependency in pyproject.toml. As explained here. I realized there's no readme with this, will add this soon.

And solve the formatting error in the pr_check.

Done.
Also simplified the main lib function API, converting positional arguments to keywords.

[roxanan1996]

Thanks for looking into it @roxanan1996. Let me address the comments

I am not sure how often I would use this tool, except for maybe some mistakes like modifying the upstream-diff comment later. The rest of the tags should be automated.

But, I think the library would be very useful to improve the current tooling.

The library was the main goal. I wanted to create an abstraction layer over CIQ meta-data operations, hoping to reduce code duplication, wheel reinvention and the associated mental load. The development of the command line tool wasn't driven by some expected use cases, but rather guided by the principle of computational freedom. The aim was to transfer 1-to-1 the functionality of the library to the computation environment most natural and default for many tasks - the shell. I try not to mold the developed tools into imagined usecases because my imagination is limited and I do not wish to impose it on others.

Regarding the typical commit backporting workflow I don't think the tool is much useful, but it does open the door to automation of many kinds, which may be very useful in larger PRs like the recent netfilter one. For example, I could have kept all the metadata for the commits in some CSV table or any other structured form, where they would be much easier to manage, control and validate, then just "export" it to git commits as a branch. No upstream-diff would be missing then.

Additionaly the CLI frontend is very useful in testing the library, so I would have written it anyway.

Can you separate the library from the CLI tool to make things easier?

You mean the "things" here are the decision about what to keep and what to reject? Because if it's about usage then these two do not conflict in any way, you can import ciq_tag in python or ./ciq_tag.py in shell. I thought it's more concise and simple to keep them together. I may split it, but first I would need to know if CLI gets approval or not, otherwise there's no point - I would just drop it from ciq_tag.py.

Yeah, completely agree, that's what I meant. It will help improving the existing tooling a lot.
And yesterday I ran into an issue where I had to modify the jira ticket for a commit, so the CLI tool may end up more useful than I thought. I see no issue with merging this, of course after proper review, but the idea is nice.

As for the separation, I think it's usually best practice to separate the lib and the tool, if we need to import the lib in another tool we have. I am 100% sure the lib would be used further, so it's just easier to do separate them now then in the future.

[roxanan1996]

I am a bit busy today. but I'll continue looking at this tomorrow.