FAQs
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Package SBOMs Black Duck

stratom
Associate III

‎2025-07-13 10:15 PM

I had a look at the published SBOMs for Series like STM32U5

  • They all include the the package name, license, sometimes a supplier.
  • And all have a BlackDuck-Component and BlackDuck-ComponentVersion.
  • Hower, only a few external components have a cpe or purl entry

So I am wondering if ST has published any information about how we would use these BlackDuck-Component IDs? Is any information about these public, or is it an ST internal ID or do I need any subscription with BlackDuck to make a sense of it?

Have you considered assigning CPEs or PURLs for all the packages in the Stm32cube package?

Labels:
0 Kudos
3 REPLIES 3
Dor_RH
ST Employee

‎2025-07-15 2:53 AM

Hello @stratom,

 

ST leverages Black Duck to guarantee security and traceability of open source components with a pragmatic approach tailored to our packaging.

The BlackDuck-Component IDs are automatically generated by the Black Duck tool used by ST to manage and track vulnerabilities. These IDs are standard references from the Black Duck platform, not internal ST identifiers.

Regarding PURLs, most ST components are distributed within complete packages downloadable from st.com, so providing individual PURLs is not relevant.

As for CPEs, they are not assigned to ST components because these components do not correspond to products listed in public CPE databases.

 

I hope my answer has helped you. When your question is answered, please select this topic as the solution that answered you, as it will help others find that answer faster.

Thanks for your contribution.

Dor_RH

stratom
Associate III
In response to Dor_RH

‎2025-07-15 6:37 AM

Thanks!

Yes I agree PURL are great for opensource projects and packages and not a good fit for proprietary packages.

Do I understand it correctly that ST sees STM32CubeXYZ (e.g. STM32CubeWB0) one component?
So in case there are is a vulnerability in the BLE stack of STM32WB0 "cpe:2.3:a:st:stm32cubewb0:-:*:*:*:*:*:*:*" (with known versions instead of the dash) would normally be listed as affected software configuration? And in CVE-2020-20949 I also see "cpe:2.3:a:st:stm32cubemx:-:*:*:*:*:*:*:*" as a catch all, but given the loose coupling to HAL/etc. it is also not really practical.

I am also aware of the list in https://www.st.com/content/st_com/en/about/security-and-privacy/psirt.html . Do you have any other recommendations a project that includes a few ST libraries - like zephyr- , could use to automatically check for any vulnerabilities in it's ST related dependencies.

0 Kudos
Dor_RH
ST Employee
In response to stratom

‎2025-07-29 2:14 AM

Hello @stratom,

 

STM32CubeXYZ are delivered with a SBOM corresponding to the list of components used inside the package. 

Vulnerability scanning tools can be run on the package SBOM.

ST does not provide such a tool, currently.

 

I hope my answer has helped you. When your question is answered, please select this topic as the solution that answered you, as it will help others find that answer faster.

Thanks for your contribution.

Dor_RH

0 Kudos
Top