Merge remote-tracking branch 'upstream/main'

moulalis · moulalis · commit d8bfbcd3eaca · 2026-01-29T20:08:18.000Z
diff --git a/ci/cached-builds/gha_pr_changed_files.py b/ci/cached-builds/gha_pr_changed_files.py
@@ -22,9 +22,12 @@ def get_github_token() -> str:
 def list_changed_files(from_ref: str, to_ref: str) -> list[str]:
     logging.debug("Getting list of changed files from git diff")
 
+    # Use three-dot diff to show changes from merge-base to to_ref
+    # This correctly shows only changes introduced by the PR, regardless of how much from_ref has advanced
+    # See: https://github.com/opendatahub-io/notebooks/issues/2875
     # https://github.com/red-hat-data-services/notebooks/pull/361: add -- in case to_ref matches a file name in the repo
     files = subprocess.check_output(
-        ["git", "diff", "--name-only", from_ref, to_ref, "--"], encoding="utf-8"
+        ["git", "diff", "--name-only", f"{from_ref}...{to_ref}", "--"], encoding="utf-8"
     ).splitlines()
 
     logging.debug(f"Determined {len(files)} changed files: {files[:100]} (..., printing up to 100 files)")
@@ -157,7 +160,7 @@ def test_list_changed_files(self):
 
     def test_get_build_directory(self):
         directory = get_build_directory("rocm-jupyter-pytorch-ubi9-python-3.12")
-        assert directory == "jupyter/rocm/pytorch/ubi9-python-3.11"
+        assert directory == "jupyter/rocm/pytorch/ubi9-python-3.12"
 
     def test_get_build_dockerfile(self):
         dockerfile = get_build_dockerfile("rocm-jupyter-pytorch-ubi9-python-3.12")
diff --git a/scripts/README.md b/scripts/README.md
@@ -66,6 +66,57 @@ Updates Dockerfile* blocks demarked using comment blocks of the form
 
 Run the script to to automatically update the block's content to be the same in all Dockerfiles everywhere.
 
+## sbom_analyze.py
+
+Analyze syft SBOM JSON files for CVE investigation. This script helps developers find where vulnerable packages are installed within container images by querying SBOM files from the manifest-box repository.
+
+See [docs/manifestbox.md](../docs/manifestbox.md) for detailed documentation on working with SBOMs.
+
+### Examples
+
+Find a specific package and its installation location:
+
+```sh
+python scripts/sbom_analyze.py sbom.json esbuild
+```
+
+Output:
+```
+=== Searching for 'esbuild' ===
+  Found 1 matching package(s):
+
+  esbuild@0.17.14
+    Type: npm
+    Found by: javascript-package-cataloger
+    Locations:
+      - /usr/lib/code-server/lib/vscode/extensions/php/package.json
+    PURL: pkg:npm/esbuild@0.17.14
+```
+
+Get SBOM metadata (source image, version, distro):
+
+```sh
+python scripts/sbom_analyze.py sbom.json --info
+```
+
+Summarize packages by ecosystem type:
+
+```sh
+python scripts/sbom_analyze.py sbom.json --summary
+```
+
+Find all packages at a specific path:
+
+```sh
+python scripts/sbom_analyze.py sbom.json --path /code-server/
+```
+
+Output as JSON for scripting:
+
+```sh
+python scripts/sbom_analyze.py sbom.json esbuild --json
+```
+
 ## buildinputs/
 
 CLI tool written in Go that computes the list of input files required to build a Dockerfile.
diff --git a/scripts/sbom_analyze.py b/scripts/sbom_analyze.py
