SBOM for STM32 firmware project

dgep
Associate II

Hi,

I have this toolchain and need to generate an SBOM:

  • STM IDE v1.18
  • STM IDE GNU Tools for STM32 13.3.Rel1
  • STM32Cube FW_L4 V1.18.1, specified in `*.ioc` file
  • STM32_USB_Device_Library (v2.0_Cube)
  • STM32CubeMX 6.14.0
  • FreeRTOS (10.3.1)

How could I turn this into an SBOM?

I tried scanning the folder structure with syft but this did not work.

I then tried to manually make a syft JSON file, but when testing for vulnerabilities (like e.g. here) I could not find them. I am not sure how to specify the above components such that they get recognized by the automated search engine (Grype).

I found a statement from ST that SBOMs will be provided for their products, but I could not find said lists for my toolchain. Some repositories on GitHub contain `sbom_cdx.json`. However, I struggle to connect my toolchain components to the repositories on GitHub (there are over 700, and for example "stm32cubeIDE" returns 0).

Any help is appreciated!

3 REPLIES
dgep
Associate II

OK, I "reverse-engineered" one of the sbom_cdx.json files (example) with syft. When running

syft convert sbom_cdx.json -o converted.json

we receive a syft JSON with the data given by ST.

Deleting from this until it breaks, I found out (what is probably obvious to others) that the CPE identifier is the deciding component. CPE identifiers can be found with this search engine.

Here is a minimal syft JSON example, which will return a vulnerability with grype:

{
  "artifacts": [
    {
      "name": "STM",
      "version": "1.17.0",
      "cpes": [
        {
          "cpe": "cpe:2.3:o:st:stm32cubel4_firmware:*:*:*:*:*:*:*:*",
          "source": "declared"
        }
      ]
    }
  ],
  "artifactRelationships": [],
  "files": [],
  "source": {},
  "distro": {},
  "descriptor": {},
  "schema": {
    "version": "16.1.3",
    "url": "https://raw.githubusercontent.com/anchore/syft/main/schema/json/schema-16.1.3.json"
  }
}

 

dgep
Associate II

Thanks for moving this to the correct forum. 

Does somebody here have experience with this?

Dor_RH
ST Employee

Hello @dgep,

For our firmware packages, we use Black Duck to generate the SBOM.

The ST Cube SBOM is meant as a reference to describe ST‑provided components: it does not replace your own project SBOM. You can copy the relevant details from ST’s SBOM (component name, version, license, origin) for the libraries you actually use, instead of creating that information from scratch.

For STM32CubeIDE and STM32CubeMX, you will find the Additional License Terms in the tool documentation on st.com.

I hope my answer has been helpful. When your question is resolved, please mark this topic as the solution. This will help others find the answer more quickly.

Thank you for your contribution.

Best regards,
Dor_RH
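The two findings in this thread (dgep's observation that the CPE is what grype matches on, and Dor_RH's advice to copy component details out of ST's reference SBOM rather than invent them) can be combined into a small generator for a per-project CycloneDX SBOM. The script below is an added example and is not code from the original posts, from ST, or from the syft/grype projects. It assumes the component names and versions listed in the question; the FreeRTOS CPE string and the stand-in `REFERENCE_SBOM` (a cut-down imitation of an ST `sbom_cdx.json`) are constructed for illustration and must be checked against the NVD CPE dictionary and the real ST file before use. Only the `stm32cubel4_firmware` product name is taken from the thread.

```python
"""Build a minimal CycloneDX 1.5 SBOM for an STM32 firmware project and
flag components that grype cannot match because they carry no CPE."""
import json
import uuid
from datetime import datetime, timezone

# Constructed inventory: names/versions from the question. CPE strings are
# assumptions to verify in the NVD CPE dictionary, except stm32cubel4_firmware,
# which the poster found in ST's sbom_cdx.json.
PROJECT_COMPONENTS = [
    {"name": "STM32Cube FW_L4", "version": "1.18.1", "type": "firmware",
     "cpe": "cpe:2.3:o:st:stm32cubel4_firmware:1.18.1:*:*:*:*:*:*:*"},
    {"name": "FreeRTOS", "version": "10.3.1", "type": "operating-system",
     "cpe": "cpe:2.3:o:amazon:freertos:10.3.1:*:*:*:*:*:*:*"},  # assumed vendor/product
    {"name": "STM32_USB_Device_Library", "version": "2.0_Cube", "type": "library",
     "cpe": None},  # no CPE known: grype will not match this entry
]

# Constructed stand-in for an ST reference SBOM (sbom_cdx.json); the real file
# carries more fields. Used only to show how details are copied across.
REFERENCE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "FreeRTOS", "version": "10.3.1",
         "licenses": [{"license": {"id": "MIT"}}],
         "cpe": "cpe:2.3:o:amazon:freertos:10.3.1:*:*:*:*:*:*:*"},
        {"type": "library", "name": "STM32_USB_Device_Library", "version": "2.0_Cube",
         "licenses": [{"license": {"name": "SLA0044"}}]},
    ],
}


def cyclonedx_component(entry):
    """Turn one inventory entry into a CycloneDX component object."""
    comp = {
        "type": entry["type"],
        "bom-ref": f"{entry['name']}@{entry['version']}",
        "name": entry["name"],
        "version": entry["version"],
    }
    if entry.get("cpe"):
        comp["cpe"] = entry["cpe"]  # the field grype keys its matching on
    return comp


def build_sbom(entries, project_name="stm32-firmware", project_version="0.1.0"):
    """Assemble a CycloneDX 1.5 document with the project as the root component."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": {"type": "firmware", "name": project_name,
                          "version": project_version},
        },
        "components": [cyclonedx_component(e) for e in entries],
    }


def components_missing_cpe(sbom):
    """Names of components a CPE-driven scanner will silently skip."""
    return [c["name"] for c in sbom["components"] if not c.get("cpe")]


def pick_from_reference_sbom(reference, wanted_names):
    """Case-insensitive substring lookup of components in a reference SBOM."""
    wanted = [w.lower() for w in wanted_names]
    return [c for c in reference.get("components", [])
            if any(w in c["name"].lower() for w in wanted)]


def merge_reference_details(sbom, reference):
    """Copy license, CPE and supplier from the reference SBOM for components
    with the same name and version that lack those fields."""
    by_key = {(c["name"], c["version"]): c for c in reference.get("components", [])}
    for comp in sbom["components"]:
        ref = by_key.get((comp["name"], comp["version"]))
        if not ref:
            continue
        for field in ("licenses", "cpe", "supplier"):
            if field in ref and field not in comp:
                comp[field] = ref[field]
    return sbom


if __name__ == "__main__":
    sbom = merge_reference_details(build_sbom(PROJECT_COMPONENTS), REFERENCE_SBOM)
    with open("stm32-project.cdx.json", "w") as fh:
        json.dump(sbom, fh, indent=2)
    print("wrote stm32-project.cdx.json; components without a CPE:",
          components_missing_cpe(sbom))
```

The resulting file can be scanned directly with `grype sbom:./stm32-project.cdx.json`, or converted with `syft convert stm32-project.cdx.json -o syft-json` if the syft schema is preferred. Components reported by `components_missing_cpe` will produce no findings regardless of their real exposure, so that list is the first thing to review before trusting a clean scan.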