
STM32Cube software is ready for automated SBOM & security processes with Black Duck tools

Amelie ACKERMANN
Community manager

Over the past decade, cybersecurity regulations have become increasingly stringent, especially in sectors such as aviation, medical devices, and automotive. The new European Cyber Resilience Act (CRA), which entered into force in December 2024 and whose main obligations apply from December 2027, extends this kind of regulation to all remaining application fields.

A critical aspect of these regulations is vulnerability tracking. A prerequisite for it is an accurate software bill of materials (SBOM) covering every component of a product or system, which makes the SBOM an integral part of the DevSecOps process.

The STM32Cube ecosystem has long shipped an SBOM with each of its deliverables. Until now, however, that document was meant to be read and printed by humans, not consumed by tools. To meet the new demands, ST has partnered with Black Duck® to integrate machine-readable SBOMs into the STM32 software ecosystem. This collaboration leverages Black Duck’s software composition analysis tools to streamline the security management of software components through deep scanning, automated disclosure, and continuous monitoring.

Importance of SBOM

Complexity in modern systems:

Security must cover a product end to end. An industrial system, for example, is made of multiple electronic units communicating with each other and, ultimately, with the cloud. The number of software components in such a system is easy to imagine. Tracking vulnerabilities across all of them requires automated tools that manage SBOMs throughout the software life cycle.

Cybersecurity and vulnerability management:

Maintaining SBOMs helps in understanding, correcting, and communicating flaws, preparing updates, and managing cybersecurity vulnerabilities. It also means tracking versions, licensing models, and ownership, which is needed to manage liabilities and corrections.

To assist developers, STM32Cube now provides machine-readable SBOM documents, generated with Black Duck® tools in the CycloneDX format and delivered as a single .json file for most software packages.

CycloneDX is a modern ECMA standard (ECMA-424) for the software supply chain. The specification originates from and is led by the OWASP Foundation, and is supported by the global information security community.

Benefits of automated SBOMs

  • Security development life cycle (SDLC): machine-readable SBOMs are essential for regular, automated scanning against known vulnerabilities. An SBOM is a static document describing one specific software version, but vulnerabilities in the components it lists can be disclosed at any point during the product’s lifetime, so the same SBOM must be re-analyzed regularly.
  • Accuracy and exhaustiveness: an automated process removes the transcription gaps of a hand-maintained document and gives vulnerability management a complete, accurate component inventory to work from.
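As an added example (not code from ST or Black Duck), the script below shows what a consumer of such an SBOM does in CI: it parses a CycloneDX JSON document, checks the mandatory fields, extracts a name/version/purl/license inventory, and walks the `dependencies` graph in reverse to answer the question that arises when a vulnerability is disclosed later for one component: which other components, and the product itself, transitively depend on it. The SBOM embedded in the script is constructed for illustration; its component names, versions and `bom-ref` values are hypothetical and do not describe any real STM32Cube package.

```python
"""Consume a CycloneDX JSON SBOM: validate, inventory, and find what depends on a component.

Added example. SAMPLE_SBOM is constructed for illustration and does not describe
any real STM32Cube package; all names and versions in it are hypothetical.
"""
import json
from collections import deque

SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "serialNumber": "urn:uuid:00000000-0000-4000-8000-000000000001",
    "version": 1,
    # The product the SBOM describes lives in metadata.component (constructed data).
    "metadata": {"component": {"type": "firmware", "bom-ref": "app",
                               "name": "example-firmware-package", "version": "1.0.0"}},
    "components": [
        {"type": "library", "bom-ref": "hal", "name": "example-hal-driver", "version": "2.3.0",
         "purl": "pkg:generic/example-hal-driver@2.3.0",
         "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
        {"type": "library", "bom-ref": "rtos", "name": "example-rtos", "version": "10.6.1",
         "purl": "pkg:generic/example-rtos@10.6.1",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "bom-ref": "tls", "name": "example-tls", "version": "3.5.0",
         "purl": "pkg:generic/example-tls@3.5.0",
         "licenses": [{"expression": "Apache-2.0 OR GPL-2.0-or-later"}]},
        {"type": "library", "bom-ref": "crypto", "name": "example-crypto-core", "version": "1.2.0",
         "purl": "pkg:generic/example-crypto-core@1.2.0",
         "licenses": [{"license": {"name": "Vendor proprietary"}}]},
    ],
    # Each entry says which bom-refs the component "ref" directly depends on.
    "dependencies": [
        {"ref": "app", "dependsOn": ["hal", "rtos", "tls"]},
        {"ref": "tls", "dependsOn": ["crypto"]},
        {"ref": "hal", "dependsOn": []},
        {"ref": "rtos", "dependsOn": []},
        {"ref": "crypto", "dependsOn": []},
    ],
})


def load_bom(text):
    """Parse the JSON and reject anything that is not a CycloneDX BOM with components."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    if "specVersion" not in bom or "components" not in bom:
        raise ValueError("missing required CycloneDX fields")
    return bom


def component_index(bom):
    """Map bom-ref -> component, including the product described in metadata."""
    index = {}
    root = bom.get("metadata", {}).get("component")
    if root and "bom-ref" in root:
        index[root["bom-ref"]] = root
    for comp in bom["components"]:
        index[comp["bom-ref"]] = comp
    return index


def license_of(comp):
    """Normalise the three license shapes CycloneDX allows (SPDX id, free-form name,
    SPDX expression) into one comma-separated string."""
    names = []
    for entry in comp.get("licenses", []):
        if "expression" in entry:
            names.append(entry["expression"])
        elif "license" in entry:
            lic = entry["license"]
            names.append(lic.get("id") or lic.get("name") or "unknown")
    return ", ".join(names) or "unknown"


def inventory(bom):
    """One (name, version, purl, license) row per component, the shape a scanner ingests."""
    return [(c["name"], c.get("version", ""), c.get("purl", ""), license_of(c))
            for c in bom["components"]]


def reverse_dependencies(bom):
    """For each bom-ref, the set of bom-refs that directly depend on it."""
    rdeps = {}
    for dep in bom.get("dependencies", []):
        for child in dep.get("dependsOn", []):
            rdeps.setdefault(child, set()).add(dep["ref"])
    return rdeps


def impacted_by(bom, bom_ref):
    """Every bom-ref that transitively depends on bom_ref (BFS over the reverse graph).
    When a vulnerability is later published for bom_ref, this is the set to re-assess."""
    rdeps = reverse_dependencies(bom)
    seen, queue = set(), deque([bom_ref])
    while queue:
        for parent in rdeps.get(queue.popleft(), ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


if __name__ == "__main__":
    bom = load_bom(SAMPLE_SBOM)
    for row in inventory(bom):
        print("%-22s %-8s %-42s %s" % row)
    index = component_index(bom)
    for ref in sorted(impacted_by(bom, "crypto")):
        print("depends on example-crypto-core:", index[ref]["name"], index[ref]["version"])
```

Run against a real package SBOM by replacing `SAMPLE_SBOM` with the file contents; the only assumptions the code makes about the document are the standard CycloneDX fields (`bomFormat`, `specVersion`, `components`, `dependencies`, `metadata.component`). The reverse walk is the step that a static, per-version SBOM makes possible years after release: the document does not change, but the question "who is affected by this component?" can be re-asked every time a new advisory appears.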

The first package to offer this SBOM in CycloneDX format is STM32CubeU3, available for download on www.st.com.

The STM32U3 is the first STM32 MCU to use subthreshold design, a technique that drastically reduces dynamic power consumption. This design allows the STM32U3 to reach a market-leading efficiency of 117 CoreMark/mW, 5 times more efficient than previous generations.


STM32CubeH7RS and STM32CubeN6 will also include this SBOM in their next package release.

The deployment of SBOMs will continue across new packages and the entire STM32 ecosystem in the coming months.

Additional resources:

First published on March 6, 2025