Microsoft.Sbom.Targets 2.2.8 doesn't find the names of referenced NuGet packages when I use it with .NET SDK 8.0.304 in a project that specifies artifacts output layout in Directory.Build.props:
Specifically, the NuGet and NuGetProjectCentric component detectors do not detect any components in this case.
The component detectors search for files such as project.assets.json in $(SbomGenerationBuildComponentPath), whose default value is $(MSBuildProjectDirectory) here:
When the artifacts output layout is used, project.assets.json is not within $(MSBuildProjectDirectory) so it is not found during component detection.
It seems I can work around the incompatibility by setting <SbomGenerationBuildComponentPath>$(BaseIntermediateOutputPath)</SbomGenerationBuildComponentPath>, but I'm not sure whether that could break something else. Perhaps it'll break detection of third-party non-NuGet components that have been copied into the project source directory.
Fixing this properly may require changing https://github.com/microsoft/component-detection/ so that the artifacts path can be passed as a separate parameter and each component detector can then decide whether to search for files in the source directory, in the artifacts directory, or both.
Referenced file: sbom-tool/src/Microsoft.Sbom.Targets/Microsoft.Sbom.Targets.targets, line 20 in 08ba73d
Originally posted by @KalleOlaviNiemitalo in #693 (comment)
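A check for the failure described in this issue, as an added example that is not part of the original post or of sbom-tool: it compares the NuGet packages recorded in `project.assets.json` with the packages listed in the generated SBOM and reports any that are missing. It assumes the SBOM is SPDX JSON with `packages[].name` and `packages[].versionInfo`; the function names and the sample data are constructed for illustration.

```python
import json

def nuget_packages(assets: dict) -> set:
    """(name, version) for every restored NuGet package in project.assets.json."""
    found = set()
    for key, lib in assets.get("libraries", {}).items():
        if lib.get("type") != "package":  # skip project-to-project references
            continue
        name, _, version = key.partition("/")
        found.add((name.lower(), version.lower()))  # NuGet IDs are case-insensitive
    return found

def sbom_packages(spdx: dict) -> set:
    """(name, version) for every package entry in an SPDX JSON document."""
    return {(p.get("name", "").lower(), str(p.get("versionInfo", "")).lower())
            for p in spdx.get("packages", [])}

def missing_from_sbom(assets: dict, spdx: dict) -> list:
    """Restored NuGet packages that the SBOM does not mention."""
    return sorted(nuget_packages(assets) - sbom_packages(spdx))

# Constructed sample: two NuGet packages and one project reference.
ASSETS = json.loads("""{
  "version": 3,
  "libraries": {
    "Newtonsoft.Json/13.0.3": {"type": "package"},
    "Serilog/3.1.1": {"type": "package"},
    "MyLib/1.0.0": {"type": "project"}
  }
}""")

# Constructed SBOM as produced when the detectors find nothing: root package only.
SBOM_EMPTY = {"packages": [{"name": "MyApp", "versionInfo": "1.0.0"}]}

# Constructed SBOM after component detection sees project.assets.json.
SBOM_OK = {"packages": [
    {"name": "MyApp", "versionInfo": "1.0.0"},
    {"name": "Newtonsoft.Json", "versionInfo": "13.0.3"},
    {"name": "Serilog", "versionInfo": "3.1.1"},
]}

if __name__ == "__main__":
    for label, sbom in (("empty", SBOM_EMPTY), ("ok", SBOM_OK)):
        print(label, missing_from_sbom(ASSETS, sbom))
```

Run as a build gate, a non-empty result means the SBOM was generated without the NuGet dependency set and should not be published.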