Closed Almarine-James closed 4 weeks ago
Hi @Almarine-James, the SBOM tool is able to scan built files generically, regardless of framework. In order to detect packages, the component detection library needs to support your environment--you can find more info about its features here.
Hi @Almarine-James, I'm in the same boat as you, with a few smaller VB6-based tools that ship in a single package, and we are (too) being forced down this route. I have tried to get this tool working, but it doesn't detect VB6-based ".vbp" projects/modules (component detector IDs are all 0). If you get this working, can you give me a shout please! In the meantime I'm wearing Google out with searching for alternatives.
No luck so far, in the same position as both @birchsr and @Almarine-James. Do get output from the tool (see below), but the VB6 package is not included or mentioned as it is not part of the 'component detection' package. Have you found anything that does create a VB6 app SBOM? Also got the tip to check with Checkmarx, haven't come round to test that; one of you did perhaps?
Created an issue with the 'component-detection' GitHub to ask for the VB6 support.
@SimonvanAs, your VB6 request (https://github.com/microsoft/component-detection/issues/1088) has been waiting for your input since May 15th, 2024. Just nudging you here and capturing the link to the open request. Sbom-tool won't be able to support VB6 until it's added to component-detection.
@birchsr and @Almarine-James, please feel free to jump in on https://github.com/microsoft/component-detection/issues/1088 to help drive this issue in component-detection.
Similarly, I've just tried this for the first time on my large C++ and C#.NET (4.8 framework) project which does not use package managers. I pointed it at the code folder which included the built binaries too, claims to have found 500 items, 99% of which I do not recognize as valid, but when I search the results for JS and C# components I know I've referenced (like Aspose, or GoogleMaps), they aren't listed. Is this tool supposed to work properly with .NET Framework C#, or vcxproj that aren't using package managers?
@Gilesey, SBOMs will contain 2 sets of data:
- files section will detail all of the files under the location specified by the BuildDropPath argument (see https://github.com/microsoft/sbom-tool/blob/main/docs/sbom-tool-arguments.md). You would normally point this at your bin folder where your compiled bits land, but if this folder includes other folders that you don't ship (test code, for instance), then you may need to add a step to copy just the files you ship to a folder, and specify that folder as the BuildDropPath argument.
- packages section will detail all packages that are detected by the https://github.com/microsoft/component-detection package that we consume. Your question seems to be more related to this section of the SBOM, so you'll want to check their docs and issues.
If you have additional questions, please open a separate issue--this issue is specifically about VB6 support and it's really hard to track multiple threads in a single issue.
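An added example, not part of the thread or of sbom-tool: a small check that tells whether a component you know you ship was detected as a package, appears only in the files section, or is absent from the SBOM. It assumes the manifest is SPDX 2.2 JSON with top-level "files" and "packages" arrays; the function name and all sample values are constructed for illustration.

```python
import json

# Constructed sample shaped like an SPDX 2.2 JSON manifest; every value is made up.
SAMPLE_SBOM = json.loads("""
{
  "files": [
    {"fileName": "./bin/LegacyErp.exe",
     "checksums": [{"algorithm": "SHA256", "checksumValue": "aa11"}]},
    {"fileName": "./bin/Aspose.Words.dll",
     "checksums": [{"algorithm": "SHA256", "checksumValue": "bb22"}]}
  ],
  "packages": [
    {"name": "Newtonsoft.Json", "versionInfo": "13.0.3"}
  ]
}
""")


def component_coverage(sbom, expected):
    """Classify each expected component name by where the SBOM mentions it.

    "package"   -> listed in the packages section (found by component detection)
    "file-only" -> a shipped file matches, but no package entry carries its
                   name and version
    "missing"   -> in neither section; check what BuildDropPath points at
    """
    packages = [p.get("name", "").lower() for p in sbom.get("packages", [])]
    # Compare against the base name only, so folder names do not cause matches.
    files = [f.get("fileName", "").lower().rsplit("/", 1)[-1]
             for f in sbom.get("files", [])]
    report = {}
    for name in expected:
        needle = name.lower()
        if any(needle in p for p in packages):
            report[name] = "package"
        elif any(needle in f for f in files):
            report[name] = "file-only"
        else:
            report[name] = "missing"
    return report


if __name__ == "__main__":
    wanted = ["Aspose", "GoogleMaps", "Newtonsoft.Json"]
    for name, status in component_coverage(SAMPLE_SBOM, wanted).items():
        print(f"{name}: {status}")
```

A "file-only" result is what a project without a supported package manager (VB6, or hand-referenced DLLs) should expect: the binary is inventoried with its hash, but no package entry carries its name and version.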
Closing this issue for now, as there has been no activity on the VB6 question for 5 months.
My organization is now requiring SBOMs regardless of how ancient the software is. We have a massive legacy ERP system written in VB 6.0 stored in a SourceAnywhere for VSS repository. I'm trying to find an SBOM tool that will work on this code. Will this tool do the trick? If not, does anyone have any other ideas regarding SBOM tools that may work on this code?