[ci] Include build components in SBOM

build-tools/automation/azure-pipelines.yaml

@@ -452,12 +452,73 @@ stages:
   - dotnet_prepare_release
   condition: and(eq(variables['MicroBuildSignType'], 'Real'), eq(dependencies.dotnet_prepare_release.result, 'Succeeded'))
   jobs:
-  - template: compliance/sbom/job.v1.yml@yaml-templates
-    parameters:
-      artifactNames: [ nuget-signed, nuget-linux-signed, vs-msi-nugets, vsdrop-signed ]
-      packageName: xamarin-android
-      packageFilter: '*.nupkg;*.msi'
-      GitHub.Token: $(GitHub.Token)
+  - job: sbom
+    displayName: Generate SBOM
+    timeoutInMinutes: 60
+    pool:
+      name: AzurePipelines-EO
+      demands:
+      - ImageOverride -equals AzurePipelinesWindows2022compliant
+    variables:
+      Packaging.EnableSBOMSigning: true
+    workspace:
+      clean: all
+    steps:
+    - checkout: self
+      submodules: recursive
+
+    - task: DownloadPipelineArtifact@2
+      inputs:
+        artifactName: nuget-signed
+        downloadPath: $(Build.StagingDirectory)\packages
+        patterns: '*.nupkg'
+
+    - task: DownloadPipelineArtifact@2
+      inputs:
+        artifactName: nuget-linux-signed
+        downloadPath: $(Build.StagingDirectory)\packages
+        patterns: '*.nupkg'
+
+    - task: DownloadPipelineArtifact@2
+      inputs:
+        artifactName: $(WindowsToolchainPdbArtifactName)
+        downloadPath: $(Build.StagingDirectory)\packages
+
+    - task: DownloadPipelineArtifact@2
+      inputs:
+        artifactName: vs-msi-nugets
+        downloadPath: $(Build.StagingDirectory)\packages
+        patterns: '*.nupkg'
+
+    - task: DownloadPipelineArtifact@2
+      inputs:
+        artifactName: vsdrop-signed
+        downloadPath: $(Build.StagingDirectory)\packages
+        patterns: '*.msi'
+
+    - task: DownloadPipelineArtifact@2
+      inputs:
+        artifactName: vsdrop-multitarget-signed
+        downloadPath: $(Build.StagingDirectory)\packages
+        patterns: '*.msi'
+
+    - task: DownloadPipelineArtifact@2
+      inputs:
+        artifactName: sbom-components-macos
+        downloadPath: $(Build.StagingDirectory)\sbom\components-macos
+
+    - task: DownloadPipelineArtifact@2
+      inputs:
+        artifactName: sbom-components-linux
+        downloadPath: $(Build.StagingDirectory)\sbom\components-linux
+
+    - template: compliance/sbom/scan.v1.yml@yaml-templates
+      parameters:
+        dropDirectory: $(Build.StagingDirectory)\packages
+        componentsDirectory: $(Build.StagingDirectory)\sbom
+        manifestDirectory: $(Build.StagingDirectory)\sbom
+        packageName: .NET Android
+        packageVersionRegex: '(?i)^Microsoft.*\.(?<version>\d+\.\d+\.\d+(-.*)?\.\d+).nupkg$'
 
 # Check - "Xamarin.Android (Compliance)"
 - template: security/full/v0.yml@yaml-templates

build-tools/automation/yaml-templates/build-linux.yaml

@@ -85,6 +85,29 @@ stages:
         artifactName: ${{ parameters.nugetArtifactName }}
         targetPath: $(System.DefaultWorkingDirectory)/xamarin-android/bin/Build$(XA.Build.Configuration)/nuget-linux
 
+    - powershell: |
+        [IO.Directory]::CreateDirectory("$(Build.StagingDirectory)/empty")
+        [IO.Directory]::CreateDirectory("$(Build.StagingDirectory)/sbom-components")
+      displayName: create SBOM directories
+      condition: and(succeeded(), eq(variables['MicroBuildSignType'], 'Real'))
+
+    - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
+      displayName: generate components SBOM
+      condition: and(succeeded(), eq(variables['MicroBuildSignType'], 'Real'))
+      inputs:
+        BuildDropPath: $(Build.StagingDirectory)/empty
+        BuildComponentPath: $(System.DefaultWorkingDirectory)/xamarin-android
+        ManifestDirPath: $(Build.StagingDirectory)/sbom-components
+        PackageName: .NET Android
+        Verbosity: Verbose
+
+    - task: PublishBuildArtifacts@1
+      displayName: publish components SBOM
+      condition: and(succeeded(), eq(variables['MicroBuildSignType'], 'Real'))
+      inputs:
+        artifactName: sbom-components-linux
+        pathToPublish: $(Build.StagingDirectory)/sbom-components
+
     - template: upload-results.yaml
       parameters:
         xaSourcePath: $(System.DefaultWorkingDirectory)/xamarin-android

build-tools/automation/yaml-templates/build-macos.yaml

@@ -60,6 +60,29 @@ stages:
       parameters:
         condition: and(succeededOrFailed(), eq(variables['MicroBuildSignType'], 'Real'))
 
+    - powershell: |
+        [IO.Directory]::CreateDirectory("$(Build.StagingDirectory)/empty")
+        [IO.Directory]::CreateDirectory("$(Build.StagingDirectory)/sbom-components")
+      displayName: create SBOM directories
+      condition: and(succeeded(), eq(variables['MicroBuildSignType'], 'Real'))
+
+    - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
+      displayName: generate components SBOM
+      condition: and(succeeded(), eq(variables['MicroBuildSignType'], 'Real'))
+      inputs:
+        BuildDropPath: $(Build.StagingDirectory)/empty
+        BuildComponentPath: $(System.DefaultWorkingDirectory)/xamarin-android
+        ManifestDirPath: $(Build.StagingDirectory)/sbom-components
+        PackageName: .NET Android
+        Verbosity: Verbose
+
+    - task: PublishBuildArtifacts@1
+      displayName: publish components SBOM
+      condition: and(succeeded(), eq(variables['MicroBuildSignType'], 'Real'))
+      inputs:
+        artifactName: sbom-components-macos
+        pathToPublish: $(Build.StagingDirectory)/sbom-components
+
     - script: >
         mkdir -p $(System.DefaultWorkingDirectory)/xamarin-android/bin/Build$(XA.Build.Configuration)/windows-toolchain-pdb &&
         cd $(System.DefaultWorkingDirectory)/xamarin-android/bin/$(XA.Build.Configuration)/lib/packs/Microsoft.Android.Sdk.Darwin/*/tools/binutils/windows-toolchain-pdb &&