feat(sbom): add Terraform .terraform.lock.hcl parser; ingest railiance repos

- ingest_sbom.py: parse .terraform.lock.hcl provider blocks (name, version); ecosystem stored as 'other' until terraform added to DB ENUM - Registered railiance-bootstrap + railiance-hosts under railiance domain - railiance-hosts ingested: 2 Terraform providers (hashicorp/template 2.2.0, hetznercloud/hcloud 1.52.0) - railiance-bootstrap: no lockfile (pure Ansible/shell — noted in convention) - sbom-convention_v0.1.md: add Terraform + Ansible rows to lockfile table; update registered repos status table Total SBOM: 422 packages across 2 repos (custodian + railiance-hosts) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-01 18:07:56 +01:00
parent 4c157d43a8
commit fae9151144
1 changed files with 35 additions and 0 deletions
--- a/scripts/ingest_sbom.py
+++ b/scripts/ingest_sbom.py
@@ -180,12 +180,47 @@ def _parse_cargo_lock(path: Path) -> list[dict]:
    ]


+def _parse_terraform_lock_hcl(path: Path) -> list[dict]:
+    """Parse .terraform.lock.hcl — extract Terraform provider name + version."""
+    entries = []
+    current_name: str | None = None
+    current_version: str | None = None
+
+    for line in path.read_text().splitlines():
+        stripped = line.strip()
+        # e.g.: provider "registry.terraform.io/hetznercloud/hcloud" {
+        m = re.match(r'^provider\s+"([^"]+)"\s*\{', stripped)
+        if m:
+            # Use full provider address as package_name, short name as display
+            full = m.group(1)
+            current_name = full  # e.g. "registry.terraform.io/hetznercloud/hcloud"
+            current_version = None
+        elif current_name is not None:
+            vm = re.match(r'version\s*=\s*"([^"]+)"', stripped)
+            if vm:
+                current_version = vm.group(1)
+            elif stripped == "}":
+                entries.append({
+                    "package_name": current_name,
+                    "package_version": current_version,
+                    "ecosystem": "other",   # "terraform" not yet in ENUM; tracked as other
+                    "license_spdx": None,
+                    "is_direct": True,
+                    "is_dev": False,
+                })
+                current_name = None
+                current_version = None
+
+    return entries
+
+
 _LOCKFILE_PARSERS = {
    "uv.lock": _parse_uv_lock,
    "requirements.txt": _parse_requirements_txt,
    "package-lock.json": _parse_package_lock_json,
    "yarn.lock": _parse_yarn_lock,
    "Cargo.lock": _parse_cargo_lock,
+    ".terraform.lock.hcl": _parse_terraform_lock_hcl,
 }

 # Directories that never contain project-level lockfiles