
Commit 3cfbb54

pengdev authored and github-actions[bot] committed
Enable SPDX 3.0 SBOM generation for maps-android, common and gl-native (#10692)
## Summary

Fixes https://mapbox.atlassian.net/browse/MAPSAND-2574

Requires:

* sdk-registry gradle plugin 1.5.5
* https://github.com/mapbox/mapbox-android-gradle-plugins/pull/126
* https://github.com/mapbox/mapbox-android-gradle-plugins/pull/127
* https://github.com/mapbox/mapbox-android-gradle-plugins/pull/129
* https://github.com/mapbox/mapbox-android-gradle-plugins/pull/130
* https://github.com/mapbox/mapbox-android-gradle-plugins/pull/131
* https://github.com/mapbox/mapbox-android-gradle-plugins/pull/132
* mapbox/api-downloads#5021 (api-downloads file whitelist update)

Enables SPDX 3.0 SBOM generation for `maps-android`, `common`, and `gl-native`:

- `sbom = true` and `nativeSbomPath` configured in `common` and `gl-native`
- `sbom = true` configured in all publishable `maps-android` modules via the convention plugin
- Native C++ dependencies from committed `LICENSE-Android.packages.sbom.json` files are merged into the SBOM with `CONTAINS` relationships
- Top-level modules auto-discover native SBOMs from transitive dependencies via Maven sibling files, HTTP download, and included-build markers
- Generated SBOMs are validated against the SPDX 3.0.1 spec via recursive `document.verify()`
- `downloadLocation` uses eventual Maven hosting URLs (`api.mapbox.com`) instead of `file://` or `NOASSERTION`
- Updated sdk-registry plugin to **1.5.5** across common, gl-native, and maps-android

## SBOM Scripts

Added to `scripts/sbom/`:

| Script | Description |
|---|---|
| `download-sboms.sh` | Download SBOMs for common, gl-native, maps-android (all 19 modules), and nav-sdk-cpp modules from `api.mapbox.com` |
| `download-nav-sboms.sh` | Download SBOMs for all Navigation SDK modules, both NDK23 and NDK27 variants |
| `validate-sboms.py` | Validate SPDX 3.0 SBOMs: structural validity, reference integrity, native containment, dep chain, baseline comparison |

Usage:

```bash
# Download and validate maps-android SBOMs for a snapshot
./download-sboms.sh 21.0 SNAPSHOT-03-18--08-03.git-47b23fe -y
./validate-sboms.py sboms/SNAPSHOT-03-18--08-03.git-47b23fe --baseline baseline/baseline-SNAPSHOT-03-17--12-31.git-162f121.json
```

## CI Pipeline Flow

```mermaid
flowchart TD
    subgraph common["common (included build)"]
        C1["Build common AAR"] --> C2["publishToMavenLocal"]
        CN["LICENSE-Android.packages.sbom.json<br/>(11 native C++ packages)"]
        C2 --> C3["generateSpdx3ForRelease"]
        CN -.->|"nativeSbomPath (direct)"| C3
        C3 --> C4["mapboxSDKRegistryUpload"]
    end
    subgraph glnative["gl-native (includes common)"]
        G1["Build gl-native AAR"] --> G2["publishToMavenLocal"]
        GN["LICENSE-Android.packages.sbom.json<br/>(56 native C++ packages)"]
        G2 --> G3["generateSpdx3ForRelease"]
        GN -.->|"nativeSbomPath (direct)"| G3
        C3 -.->|"included-build marker"| G3
        G3 --> G4["mapboxSDKRegistryUpload"]
    end
    subgraph maps["maps-android"]
        M0["Download ~/.m2 from common + gl-native"] --> M1["publishToMavenLocal"]
        M1 --> M2["generateSpdx3ForRelease<br/>(maven-sibling discovery)"]
        M2 --> M3["mapboxSDKRegistryUpload"]
    end
    C4 -->|"~/.m2 workspace"| M0
    G4 -->|"~/.m2 workspace"| M0
```

### Native SBOM Discovery Strategies

| Strategy | Used by | Description |
|---|---|---|
| `nativeSbomPath` (direct) | common, gl-native | Committed `LICENSE-Android.packages.sbom.json` read directly |
| included-build marker | gl-native | common's native SBOM discovered via marker file written during configuration |
| maven-sibling | maps-android | Native SBOM classifier files found next to AARs in `~/.m2` |

In CI, `~/.m2` workspace artifacts are transferred between jobs so maps-android can discover native SBOMs from common and gl-native via sibling file lookup.

## Test Plan

- [x] `generateSpdx3ForRelease` succeeds for common, gl-native, and maps-android in local builds
- [x] SPDX 3.0.1 validation passes for all generated SBOMs
- [x] Native C++ packages appear with correct CONTAINS relationships (common: 11 pkgs, gl-native: 65 pkgs)
- [x] `downloadLocation` URLs use `api.mapbox.com` format
- [x] CI snapshot `SNAPSHOT-03-18--08-03.git-47b23fe`: **16/16 SBOMs fully valid** (vs 8/16 with 1.5.2)
- [x] Verify SBOM files are included in S3 upload alongside AARs in CI
- [x] Local dry-run: all 19 maps-android modules present in `combined-aws-s3-cp-commands.txt` with no duplicates (validates 1.5.5 race condition fix)

cc @mapbox/core-sdk cc @mapbox/maps-android cc @mapbox/sdk-platform cc @mapbox/gl-native

GitOrigin-RevId: 71aff23c3101959e5c36452f34e015f6e7d2acb1
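The checks the commit message lists for `validate-sboms.py` (structural validity, reference integrity, native containment through `CONTAINS` relationships, and `downloadLocation` not being `file://` or `NOASSERTION`) in working form, as an added example; this is not the project's `validate-sboms.py` nor any Mapbox code. It assumes the SPDX 3.0.1 JSON-LD serialization (a `@graph` of elements typed `software_Package` and `Relationship`, the `software_downloadLocation` property, `relationshipType` `contains`) and runs over a constructed three-package document whose `urn:example:*` identifiers, package names and URL paths are made up, with one deliberately dangling reference and two offending download locations so each check has something to report:

```python
"""Minimal SPDX 3.0 JSON-LD SBOM checks: reference integrity, native
containment and downloadLocation hygiene (added example, not Mapbox code)."""
import json

# Constructed SPDX 3.0.1-style document. Field names follow the SPDX 3.0.1
# JSON-LD serialization; the urn:example:* identifiers, package names and
# URL paths are made up for illustration.
SAMPLE_SBOM = json.dumps({
    "@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld",
    "@graph": [
        {"type": "software_Package", "spdxId": "urn:example:aar",
         "name": "example-aar", "software_packageVersion": "1.0.0",
         "software_downloadLocation":
             "https://api.mapbox.com/example/example-aar-1.0.0.aar"},
        # Native C++ package merged in from a committed native SBOM file;
        # its downloadLocation was left as NOASSERTION (one failure mode).
        {"type": "software_Package", "spdxId": "urn:example:native-lib",
         "name": "native-lib", "software_packageVersion": "2.3.4",
         "software_downloadLocation": "NOASSERTION"},
        # Resolved from ~/.m2 and recorded as a file:// URL (the other failure mode).
        {"type": "software_Package", "spdxId": "urn:example:local-dep",
         "name": "local-dep", "software_packageVersion": "0.1",
         "software_downloadLocation": "file:///home/ci/.m2/local-dep.jar"},
        {"type": "Relationship", "spdxId": "urn:example:rel-1",
         "relationshipType": "contains",
         "from": "urn:example:aar", "to": ["urn:example:native-lib"]},
        # Deliberately dangling: points at an spdxId that is not in the graph.
        {"type": "Relationship", "spdxId": "urn:example:rel-2",
         "relationshipType": "dependsOn",
         "from": "urn:example:aar", "to": ["urn:example:missing"]},
    ],
})


def load_elements(doc_text):
    """Structural check: the document must be JSON with an @graph element list."""
    doc = json.loads(doc_text)
    graph = doc.get("@graph")
    if not isinstance(graph, list):
        raise ValueError("not an SPDX 3.0 JSON-LD document: no @graph array")
    return graph


def _targets(rel):
    """Relationship 'to' may be serialized as one IRI or a list of IRIs."""
    to = rel.get("to", [])
    return [to] if isinstance(to, str) else list(to)


def check_reference_integrity(elements):
    """Every Relationship from/to must name an spdxId defined in the graph.
    Returns [(relationship spdxId, dangling reference)], empty when consistent."""
    ids = {e["spdxId"] for e in elements if "spdxId" in e}
    return [(e["spdxId"], ref)
            for e in elements if e.get("type") == "Relationship"
            for ref in [e.get("from")] + _targets(e)
            if ref not in ids]


def native_packages_contained_by(elements, root_id):
    """Names of packages reachable from root_id through 'contains' relationships,
    i.e. what a native-containment check counts for an AAR."""
    by_id = {e["spdxId"]: e for e in elements if "spdxId" in e}
    contained, stack = set(), [root_id]
    while stack:
        cur = stack.pop()
        for e in elements:
            if (e.get("type") == "Relationship"
                    and e.get("relationshipType") == "contains"
                    and e.get("from") == cur):
                for child in _targets(e):
                    if child in by_id and child not in contained:
                        contained.add(child)
                        stack.append(child)
    return sorted(by_id[c]["name"] for c in contained)


def check_download_locations(elements, allowed_host):
    """Flag packages whose downloadLocation is NOASSERTION/NONE, a file:// URL,
    or not served over HTTPS from the expected host. Returns {name: location}."""
    bad = {}
    for e in elements:
        if e.get("type") != "software_Package":
            continue
        loc = e.get("software_downloadLocation", "NOASSERTION")
        if (loc in ("NOASSERTION", "NONE") or loc.startswith("file://")
                or not loc.startswith(f"https://{allowed_host}/")):
            bad[e["name"]] = loc
    return bad


def validate(doc_text, root_id, allowed_host="api.mapbox.com"):
    """Run all checks; returns a dict a CI step can assert on."""
    elements = load_elements(doc_text)
    return {
        "dangling": check_reference_integrity(elements),
        "native": native_packages_contained_by(elements, root_id),
        "bad_locations": check_download_locations(elements, allowed_host),
    }


if __name__ == "__main__":
    print(json.dumps(validate(SAMPLE_SBOM, "urn:example:aar"), indent=2))
```

On the constructed document the run reports one dangling `dependsOn` target, one native package contained by the AAR, and two packages with unacceptable download locations; a CI gate would fail on any non-empty `dangling` or `bad_locations`, and compare `native` against the expected package count the way the test plan does for common and gl-native.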
1 parent 70c73e8 commit 3cfbb54

5 files changed

Lines changed: 6 additions & 1 deletion


CHANGELOG.md

Lines changed: 1 addition & 0 deletions
@@ -8,6 +8,7 @@ Mapbox welcomes participation and contributions from everyone.
88
## Bug fixes 🐞
99
* Fix native memory leak in `AnnotationManager` where bitmap style images were not removed onDestroy.
1010

11+
1112
# 11.20.1 March 17, 2026
1213
## Dependencies
1314
* Update gl-native to [v11.20.1](https://github.com/mapbox/mapbox-maps-android/releases/tag/v11.20.1), common to [v24.20.1](https://github.com/mapbox/mapbox-maps-android/releases/tag/v11.20.1).
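Review bot: the only change to CHANGELOG.md in this hunk is a blank line inserted at line 11, between the `## Bug fixes` entry and the `# 11.20.1 March 17, 2026` heading; nothing records that SPDX 3.0 SBOMs are now generated and uploaded alongside the AARs, or that the sdk-registry plugin moved to 1.5.5, which is what downstream consumers would look for here. Add an entry for the SBOM publication under the unreleased section, and while in this file, the unchanged line 13 links common `v24.20.1` to the gl-native tag `https://github.com/mapbox/mapbox-maps-android/releases/tag/v11.20.1`, the same URL as the gl-native link, which looks like the wrong release URL.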

build.gradle.kts

Lines changed: 1 addition & 0 deletions
@@ -1,5 +1,6 @@
11
buildscript {
22
repositories {
3+
mavenLocal()
34
google()
45
mavenCentral()
56
maven {
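Review bot: `mavenLocal()` is inserted as the first repository inside the root `buildscript { repositories { ... } }` block, ahead of `google()` and `mavenCentral()`, so every plugin and buildscript dependency, including the sdk-registry plugin that this commit bumps to 1.5.5 and that performs the release upload, is resolved from `~/.m2` before any remote whenever a matching artifact exists there. Gradle documents `mavenLocal()` as a repository to avoid for this reason: its contents are not verified against any remote and an unrelated local install, or a poisoned cache on a shared build agent, silently shadows the published artifact on the most trusted classpath in the build. If it is only needed to consume unreleased plugin builds, gate it behind a project property or restrict it with a repository content filter to the plugin coordinates it is meant to serve, and otherwise place it after the remote repositories rather than first.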

gradle/libs.versions.toml

Lines changed: 1 addition & 1 deletion
@@ -18,7 +18,7 @@ pluginJacoco = "0.8.12"
1818
pluginGradle = "8.10.1"
1919
pluginLicense = "0.9.0"
2020
pluginMapboxAccessToken = "0.4.0"
21-
pluginMapboxSdkRegistry = "1.4.3"
21+
pluginMapboxSdkRegistry = "1.5.5"
2222
pluginMapboxSdkVersions = "1.1.3"
2323
pluginMapboxNdk = "0.2.0"
2424
pluginTaskTree = "2.1.0"
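Review bot: `pluginMapboxSdkRegistry` jumps from `1.4.3` to `1.5.5` with no change to any dependency-verification metadata among the five files in this commit; since this plugin runs on the buildscript classpath with publishing credentials and, after this commit, can be satisfied from `mavenLocal()` first, the new version should be pinned by checksum through Gradle dependency verification (or the expected artifact checksum at least recorded in the PR description), and the PR list in the summary should be linked from the version catalog comment or changelog so the reason for skipping straight past 1.5.2 is discoverable later.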

mapbox-convention-plugin/build.gradle.kts

Lines changed: 1 addition & 0 deletions
@@ -1,4 +1,5 @@
11
repositories {
2+
mavenLocal()
23
google()
34
mavenCentral()
45
maven {
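Review bot: same `mavenLocal()`-first ordering as in the root `build.gradle.kts`, now in the convention plugin's own `repositories {}` block; the two lists are kept in sync by hand, so whatever gating or content filtering is applied at the root (property-guarded, or filtered to the plugin coordinates) has to be mirrored here, otherwise the convention plugin's dependencies keep resolving from `~/.m2` first even after the root build is tightened.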

mapbox-convention-plugin/src/main/kotlin/com/mapbox/maps/gradle/plugins/extensions/MapboxPublishLibraryExtension.kt

Lines changed: 2 additions & 0 deletions
@@ -255,6 +255,8 @@ constructor(objects: ObjectFactory) {
255255
publishMessage = this@MapboxPublishLibraryExtension.publishMessage
256256
publications = arrayOf(currentComponent.name)
257257
excludeFromRootProject = this@MapboxPublishLibraryExtension.excludeFromRootProject
258+
sbom = true
259+
sbomSupplier = "Mapbox"
258260
}
259261
}
260262
}
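Review bot: `sbom = true` and `sbomSupplier = "Mapbox"` are hard-coded literals, whereas the neighbouring fields are wired to extension properties (`publishMessage = this@MapboxPublishLibraryExtension.publishMessage`, `excludeFromRootProject = this@MapboxPublishLibraryExtension.excludeFromRootProject`), so no module can opt out of SBOM generation or override the supplier, and the summary's claim that only publishable modules get `sbom = true` rests on this extension being applied exclusively to publishable modules. Consider exposing both as extension properties with these values as defaults, and add KDoc for `sbomSupplier` so module authors know what the field ends up in the published SPDX document.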
