Package SBOMs Black Duck

stratom
Associate III

I had a look at the published SBOMs for Series like STM32U5.

  • They all include the package name, license, sometimes a supplier.
  • And all have a BlackDuck-Component and BlackDuck-ComponentVersion.
  • However, only a few external components have a cpe or purl entry.

So I am wondering if ST has published any information about how we would use these BlackDuck-Component IDs? Is any information about these public, or is it an ST internal ID, or do I need any subscription with BlackDuck to make sense of it?

Have you considered assigning CPEs or PURLs for all the packages in the STM32Cube package?
