As part of the effort to include Software Bill of Materials (SBOM) generation in .NET, we need a target or hook that runs right before the NuGet package's content is compressed, so that we can:
1. Scan the content of the package.
2. Generate and include the SBOM manifest.
By integrating SBOM generation into NuGet packages, we can provide developers with a transparent and comprehensive view of the components within their applications. This addition not only enhances security but also streamlines compliance and fosters trust within the developer community.
Additional Context and Details
Right now, the only way we have to add an SBOM manifest to a NuGet package is the following:
1. Extract the content of the package.
2. Scan it and generate the SBOM manifest.
3. Compress it again.
Ideally we could skip the unzip/zip step and use a target that lets us scan the whole content of the package right before it is compressed. We would need a property holding the path to that content. Something like this:
<Target Name="GenerateSbomTarget" AfterTargets="PreCompress" Condition=" '$(GenerateSBOM)' == 'true' ">
  <!-- Call the SBOM Task to generate a SBOM. -->
  <GenerateSbom
    BuildDropPath="$(PackageContentPath)"
    ...
  </GenerateSbom>
</Target>
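For comparison, here is the extract / scan / re-compress workaround described above written as an MSBuild target that runs after Pack. This is an added, constructed example, not code from the issue or from NuGet; it assumes the sbom-tool CLI (microsoft/sbom-tool) is on PATH, uses its documented generate flags, and the target, property and namespace URI names are placeholders.

```xml
<!-- Constructed example: post-Pack workaround (extract, scan, re-compress).
     Assumes the sbom-tool CLI is installed; the namespace base URI is a placeholder. -->
<Target Name="AddSbomToPackage" AfterTargets="Pack" Condition=" '$(GenerateSBOM)' == 'true' ">
  <PropertyGroup>
    <_SbomNupkg>$(PackageOutputPath)$(PackageId).$(PackageVersion).nupkg</_SbomNupkg>
    <_SbomStage>$(IntermediateOutputPath)sbomstage\</_SbomStage>
  </PropertyGroup>

  <!-- 1. Extract the already-built package into a clean staging folder. -->
  <RemoveDir Directories="$(_SbomStage)" />
  <Unzip SourceFiles="$(_SbomNupkg)" DestinationFolder="$(_SbomStage)" />

  <!-- 2. Scan the extracted content; sbom-tool writes the manifest under _manifest/ inside the drop path. -->
  <Exec Command="sbom-tool generate -b &quot;$(_SbomStage)&quot; -bc &quot;$(_SbomStage)&quot; -pn $(PackageId) -pv $(PackageVersion) -ps &quot;$(Authors)&quot; -nsb https://example.invalid/sbom" />

  <!-- 3. Re-compress the staged content over the original .nupkg. -->
  <ZipDirectory SourceDirectory="$(_SbomStage)" DestinationFile="$(_SbomNupkg)" Overwrite="true" />
</Target>
```

Because step 3 rewrites the archive bytes, this target must run before any package signing step, or the signature will no longer match the package; a pre-compression hook would avoid that ordering problem as well as the redundant unzip/zip.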
NuGet Product(s) Involved
dotnet.exe