Syft does not generate purl for Terraform packages

[Ajit-15]

What happened: When using Syft to generate an SBOM from a .terraform.lock.hcl file, the resulting SBOM does not include purl (Package URL) values for the Terraform packages. The purl field is empty for all entries derived from the lock file.

What you expected to happen: Syft should populate the purl field for Terraform packages in the SBOM, similar to how it does for other ecosystems

Steps to reproduce the issue: Create a Terraform project and run terraform init to generate .terraform.lock.hcl.
Run Syft scan dir:. --scope AllLayers -o json> ./Syft-output.json
purl fields are empty for all Terraform packages.

Environment:

• Output of syft version: syft_1.37.0_windows_amd64
• OS (e.g: cat /etc/os-release or similar): windows

[kzantow]

Today, we don't have a clear answer how to construct PURLs for modules vs. providers. See: package-url/purl-spec#369

We should probably wait until there is guidance, maybe if this PR merges: package-url/purl-spec#498