microsoft / sbom-tool

The SBOM tool is a highly scalable and enterprise ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts.
MIT License
1.59k stars 124 forks

[Microsoft.Sbom.Targets] Microsoft.Sbom.Tool.exe not found, with MSBuild on .NET Framework #719

Closed: KalleOlaviNiemitalo closed this issue 1 week ago

KalleOlaviNiemitalo commented 1 week ago

I tried adding the Microsoft.Sbom.Targets 2.2.8 package to a project (thus not using the upcoming feature https://github.com/dotnet/sdk/pull/43151) and setting some properties. With .NET SDK 8.0.304, dotnet build and dotnet pack work OK, and the resulting NuGet package contains an SBOM file (although it doesn't contain all the information I expected). However, packing in Visual Studio 2022 does not work:

[REDACTED]\.nuget\packages\microsoft.sbom.targets\2.2.8\buildMultiTargeting\Microsoft.Sbom.Targets.targets(57,5): error MSB6004: The specified task executable location "[REDACTED]\.nuget\packages\microsoft.sbom.targets\2.2.8\buildMultiTargeting\..\tasks\net472\sbom-tool\Microsoft.Sbom.Tool.exe" is invalid.

So it's apparently trying to execute the SBOM CLI Tool as described in https://github.com/microsoft/sbom-tool/pull/674#issue-2469238950:

  1. SbomCLIToolTask.cs is invoked if the MSBuild version targets the "Full" (.NET Framework) runtime bundled with Visual Studio. Because the SBOM API does not support .NET Framework, this class utilizes the SBOM CLI Tool to generate an SBOM.

but the tool is not included in the package.

Originally posted by @KalleOlaviNiemitalo in https://github.com/microsoft/sbom-tool/issues/693#issuecomment-2340410911
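One way to confirm this from the package itself, as an added example that is not part of the original thread or the sbom-tool project: open the .nupkg as a zip archive, resolve the tool path relative to the .targets file as the MSB6004 error shows, and report what is absent. The entry names come from that error message; the function names and the in-memory sample packages are constructed for illustration.

```python
import io
import posixpath
import zipfile

# Both values are taken from the MSB6004 error quoted in the issue.
TARGETS_ENTRY = "buildMultiTargeting/Microsoft.Sbom.Targets.targets"
TOOL_RELATIVE = r"..\tasks\net472\sbom-tool\Microsoft.Sbom.Tool.exe"


def resolve_in_package(targets_entry, relative):
    """Resolve a path relative to the folder of the .targets entry, collapsing '..'."""
    base = posixpath.dirname(targets_entry)
    return posixpath.normpath(posixpath.join(base, relative.replace("\\", "/")))


def missing_tool_files(nupkg, targets_entry=TARGETS_ENTRY, relatives=(TOOL_RELATIVE,)):
    """Return the resolved package paths that the .nupkg does not contain.

    nupkg is a file path or a binary file object; a .nupkg is a zip archive.
    Names are compared case-insensitively because the failing build ran on Windows.
    """
    with zipfile.ZipFile(nupkg) as zf:
        entries = {name.replace("\\", "/").lower() for name in zf.namelist()}
    if targets_entry.lower() not in entries:
        raise ValueError(f"{targets_entry} not found; is this the right package?")
    wanted = [resolve_in_package(targets_entry, rel) for rel in relatives]
    return [path for path in wanted if path.lower() not in entries]


def constructed_nupkg(names):
    """Build an in-memory zip standing in for a .nupkg (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed samples: one package without the CLI tool, one with it.
    broken = constructed_nupkg([TARGETS_ENTRY, "tasks/net472/placeholder.dll"])
    fixed = constructed_nupkg([TARGETS_ENTRY, "tasks/net472/sbom-tool/Microsoft.Sbom.Tool.exe"])
    print("missing from broken package:", missing_tool_files(broken))
    print("missing from fixed package:", missing_tool_files(fixed))
```

Run against the packed .nupkg in CI, a non-empty result fails the build before a package that only works under `dotnet build` is published.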

baronfel commented 1 week ago

This is the other blocker for inclusion in the .NET SDK IMO - we must be able to support Visual Studio. I believe this is just a packaging issue - the runtime publish outputs from the tool aren't in the package. With a bit of binlog investigation this should be doable.

KalleOlaviNiemitalo commented 1 week ago

AfterTargets="Build" here may be too late: https://github.com/microsoft/sbom-tool/blob/08ba73d303228eb4d92a6a5f75350d78230bca30/src/Microsoft.Sbom.Targets/Microsoft.Sbom.Targets.csproj#L46

Compare to how MSBuild adds files to a package: https://github.com/dotnet/msbuild/blob/e86e6dd2f4e45a433c444d732779d6e2e5f6c320/src/MSBuild/MSBuild.csproj#L234