From 12feb80a98ea209c607140c63774663fac5b64ef Mon Sep 17 00:00:00 2001
From: tegwick
Date: Wed, 18 Mar 2026 18:35:20 +0100
Subject: [PATCH] chore(sbom): add system-level tool manifest for railiance-infra

Captures direct tool dependencies (terraform 1.9.5, sops 3.10.2, ansible, age, cloud-init) with SPDX licence identifiers. Low-confidence entries flagged for human verification.

Co-Authored-By: Claude Sonnet 4.6
---
 sbom-tools.yaml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 sbom-tools.yaml

diff --git a/sbom-tools.yaml b/sbom-tools.yaml
new file mode 100644
index 0000000..b29596a
--- /dev/null
+++ b/sbom-tools.yaml
@@ -0,0 +1,42 @@
+# sbom-tools.yaml — system-level tool dependencies for railiance-infra
+# Generated by sbom-capture-agent on 2026-03-12
+# Review each entry before committing. Entries with confidence: low need human verification.
+#
+# NOT included here (covered by other parsers):
+# - Terraform providers → terraform/hetzner/.terraform.lock.hcl
+# - Ansible Galaxy collections → ansible/requirements.yaml
+tools:
+  - name: terraform
+    version: "1.9.5" # confidence: medium (README install example URL; constraint >= 1.7)
+    ecosystem: terraform
+    license_spdx: BSL-1.1
+    is_direct: true
+    is_dev: false
+
+  - name: ansible
+    version: null # confidence: low (README states >= 2.16; no pinned version found)
+    ecosystem: ansible
+    license_spdx: GPL-3.0-only
+    is_direct: true
+    is_dev: false
+
+  - name: sops
+    version: "3.10.2" # confidence: high (README install example URL)
+    ecosystem: tool
+    license_spdx: MPL-2.0
+    is_direct: true
+    is_dev: false
+
+  - name: age
+    version: null # confidence: low (referenced in Makefile; installed via apt, no version pin)
+    ecosystem: tool
+    license_spdx: BSD-3-Clause
+    is_direct: true
+    is_dev: false
+
+  - name: cloud-init
+    version: null # confidence: low (referenced for first-boot; version depends on server OS)
+    ecosystem: tool
+    license_spdx: Apache-2.0
+    is_direct: false
+    is_dev: false
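Review bot: The confidence rating that the header tells reviewers to act on exists only in the trailing `#` comments on the `version` lines, so any tool consuming this manifest — including a pre-commit check that could refuse to merge an entry still marked low — cannot see it; promote it to a key, e.g. `confidence: low` beside `version: null`, and keep the evidence text as the comment. Three of the five entries (ansible, age, cloud-init) carry `version: null`, which records a component without the one field vulnerability matching and licence review need; a `version_constraint: ">= 2.16"` key (or an actual pin at the apt/Makefile install site) would make them usable rather than placeholders. The SPDX identifiers also merit a second look: ansible is distributed as GPL-3.0-or-later rather than `GPL-3.0-only`, and cloud-init is dual-licensed, so `license_spdx: Apache-2.0` alone may under-state it (`Apache-2.0 OR GPL-3.0-only`) — confirm against the packaged licence files. Minor style: the file has no `---` document start, which yamllint's default rule set will flag.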