2025-07-13 10:15 PM
I had a look at the published SBOMs for Series like STM32U5
So I am wondering if ST has published any information about how we would use these BlackDuck-Component IDs? Is any information about these public, or is it an ST-internal ID, or do I need a subscription with BlackDuck to make sense of it?
Have you considered assigning CPEs or PURLs for all the packages in the Stm32cube package?
2025-07-15 2:53 AM
Hello @stratom,
ST leverages Black Duck to guarantee security and traceability of open source components with a pragmatic approach tailored to our packaging.
The BlackDuck-Component IDs are automatically generated by the Black Duck tool used by ST to manage and track vulnerabilities. These IDs are standard references from the Black Duck platform, not internal ST identifiers.
Regarding PURLs, most ST components are distributed within complete packages downloadable from st.com, so providing individual PURLs is not relevant.
As for CPEs, they are not assigned to ST components because these components do not correspond to products listed in public CPE databases.
I hope my answer has helped you. When your question is answered, please select this topic as the solution that answered you, as it will help others find that answer faster.
Thanks for your contribution.
Dor_RH
2025-07-15 6:37 AM
Thanks!
Yes, I agree PURLs are great for open-source projects and packages and not a good fit for proprietary packages.
Do I understand it correctly that ST sees STM32CubeXYZ (e.g. STM32CubeWB0) as one component?
So in case there is a vulnerability in the BLE stack of STM32WB0, "cpe:2.3:a:st:stm32cubewb0:-:*:*:*:*:*:*:*" (with known versions instead of the dash) would normally be listed as the affected software configuration? And in CVE-2020-20949 I also see "cpe:2.3:a:st:stm32cubemx:-:*:*:*:*:*:*:*" as a catch-all, but given the loose coupling to HAL/etc. it is also not really practical.
I am also aware of the list in https://www.st.com/content/st_com/en/about/security-and-privacy/psirt.html . Do you have any other recommendations that a project which includes a few ST libraries (like Zephyr) could use to automatically check for any vulnerabilities in its ST-related dependencies?
2025-07-29 2:14 AM
Hello @stratom,
STM32CubeXYZ are delivered with a SBOM corresponding to the list of components used inside the package.
Vulnerability scanning tools can be run on the package SBOM.
ST does not provide such a tool, currently.
I hope my answer has helped you. When your question is answered, please select this topic as the solution that answered you, as it will help others find that answer faster.
Thanks for your contribution.
Dor_RH
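The thread above boils down to a practical question: which identifiers in a package SBOM can a scanner actually match against a vulnerability database, and which cannot. The script below is an added example, written for this page and not code from ST, Black Duck or either poster. It walks a constructed CycloneDX-style JSON SBOM (the component names, versions and the "blackduck:componentId" property name are illustrative assumptions, not fields taken from a real STM32Cube SBOM), flags components that carry neither a PURL nor a CPE, builds the batch-query body that OSV (https://api.osv.dev/v1/querybatch) accepts for the PURL-bearing ones, and shows how the CPE 2.3 strings discussed in the thread compare attribute by attribute, including why a `-` in the version field of an advisory CPE will not match an SBOM entry that carries a concrete version.

```python
"""Triage an SBOM for automated vulnerability matching.

Added example, not ST's or Black Duck's code. Assumes a CycloneDX-style JSON
document; the sample below is constructed and the "blackduck:componentId"
property is a hypothetical name used only to model a scanner-internal ID.
"""
import re

# Constructed sample SBOM: names, versions and property names are illustrative.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "mbedtls", "version": "3.6.0",
         "purl": "pkg:github/Mbed-TLS/mbedtls@3.6.0"},
        {"type": "library", "name": "STM32CubeWB0", "version": "1.0.0",
         "cpe": "cpe:2.3:a:st:stm32cubewb0:1.0.0:*:*:*:*:*:*:*"},
        {"type": "library", "name": "ble-stack", "version": "2.1",
         # Only a scanner-internal ID: nothing public can be queried with it.
         "properties": [{"name": "blackduck:componentId",
                         "value": "00000000-0000-0000-0000-000000000000"}]},
    ],
}

CPE23_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into its 11 attributes.

    Colons escaped as '\\:' inside a value are kept with the value, as the
    formatted-string syntax in NISTIR 7695 requires.
    """
    tokens = re.split(r"(?<!\\):", cpe)
    if len(tokens) != 13 or tokens[0] != "cpe" or tokens[1] != "2.3":
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    return dict(zip(CPE23_FIELDS, tokens[2:]))


def cpe_matches(sbom_cpe, advisory_cpe):
    """Attribute-wise comparison of two CPE 2.3 strings.

    '*' (ANY) on either side matches anything; '-' (NA) matches only '-' or
    ANY; every other value must be equal case-insensitively. A concrete SBOM
    version therefore does not match an advisory CPE whose version is '-'.
    Version ranges expressed outside the CPE string (NVD's versionStart/End
    fields) are out of scope for this comparison.
    """
    a, b = parse_cpe23(sbom_cpe), parse_cpe23(advisory_cpe)
    for field in CPE23_FIELDS:
        x, y = a[field].lower(), b[field].lower()
        if x == "*" or y == "*":
            continue
        if x != y:
            return False
    return True


def classify_components(sbom):
    """One record per component stating which public identifiers it carries.

    A component with neither PURL nor CPE can only be tracked through the
    scanner that emitted the SBOM, not through OSV or the NVD.
    """
    records = []
    for comp in sbom.get("components", []):
        props = {p["name"]: p["value"] for p in comp.get("properties", [])}
        records.append({
            "name": comp.get("name"),
            "version": comp.get("version"),
            "purl": comp.get("purl"),
            "cpe": comp.get("cpe"),
            "scanner_ids": {k: v for k, v in props.items()
                            if k.startswith("blackduck:")},
            "matchable": bool(comp.get("purl") or comp.get("cpe")),
        })
    return records


def unmatchable(records):
    """Names of components no public vulnerability database can be asked about."""
    return [r["name"] for r in records if not r["matchable"]]


def build_osv_queries(records):
    """Request body for POST https://api.osv.dev/v1/querybatch.

    OSV matches on PURL (version included in the PURL), not on CPE, so
    CPE-only components are left out here and would go to an NVD lookup.
    Sending the request is left to the caller so this runs offline.
    """
    return {"queries": [{"package": {"purl": r["purl"]}}
                        for r in records if r["purl"]]}


if __name__ == "__main__":
    recs = classify_components(SAMPLE_SBOM)
    for r in recs:
        print("%-13s %-6s matchable=%-5s purl=%s cpe=%s scanner_ids=%s"
              % (r["name"], r["version"], r["matchable"], r["purl"],
                 r["cpe"], r["scanner_ids"]))
    print("no public identifier:", unmatchable(recs))
    print("OSV batch body:", build_osv_queries(recs))
```

Run as-is it prints the triage for the constructed SBOM: the PURL component is queryable at OSV, the CPE component needs an NVD-side lookup, and the component that only carries a scanner ID is reported as unmatchable. The CPE comparison implements only the ANY/NA rules of the formatted string itself; real NVD configurations frequently express the affected range through separate versionStartIncluding/versionEndExcluding fields, which a production matcher has to honour on top of this.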