2026-01-15 11:07 PM
I used an STM32F103 in a mixed configuration of bare-metal code and the HAL supplied by STM32CubeMX. I'm not sure ST can provide documentation that can be referenced to generate an SBOM for cybersecurity purposes. Is there any recommended tool to scan the firmware project folder? If ST is yet to provide a way to auto-generate an SBOM for cybersecurity requirements, is it possible to use a manually curated SPDX-based JSON format for machine processing? If anyone has gone through a similar process for regulatory review, could you please share the experience? Any inputs/advice would be greatly appreciated. Thank you.
2026-01-15 11:52 PM
Hello @Thiha2025
I share the following ST wiki pages that may help you and answer your questions:
2026-01-16 2:16 AM
Thanks so much for the link. I found this: "Yes, ST has decided to publicly provide CycloneDX SBOM for any STM32Cube embedded software deliverable." However, I could not find "sbom_cdx.json" for the F1 series after downloading the latest STM32CubeF1 package. I realized that I can find the JSON file for the F7 series under STM32Cube_FW_F7_V1.17.4. Can you shed some light on this?
2026-03-13 4:10 AM
Hello @Thiha2025,
SBOM for STM32CubeF1 is now available on GitHub and st.com: (Link:here)
I also recommend checking this post: STM32Cube software is ready for automated SBOM & security processes with Black Duck tools
It explains how STM32Cube can be used with Black Duck for SBOM generation and vulnerability management.
I hope my answer has been helpful. When your question is resolved, please mark this topic as the solution. This will help others find the answer more quickly.
Thank you for your contribution.
Best regards,
Dor_RH
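As an added example (not from ST, not from the Black Duck post, and not from anyone in this thread), the following Python script does the machine-processing step the original question asked about: it reads a CycloneDX JSON SBOM in the layout ST uses for its sbom_cdx.json files, lists the components, flags any entry a vulnerability scanner cannot match (no version, no purl, no license), and emits a minimal SPDX 2.3 JSON document for tooling that expects SPDX instead of CycloneDX. The BOM embedded in the script is a constructed sample with placeholder component names, versions and `pkg:generic/...` purls; it is not the content of ST's real SBOM. The SPDX tool name in `creationInfo` is likewise an assumption.

```python
"""Parse a CycloneDX JSON SBOM, audit it for fields a vulnerability scanner
needs, and emit a minimal SPDX 2.3 JSON document built from it."""
import json
import re
from datetime import datetime, timezone

# Constructed sample in CycloneDX 1.4 JSON layout. Component names, versions
# and purls are illustrative placeholders, NOT the contents of ST's sbom_cdx.json.
SAMPLE_CDX = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"component": {"type": "firmware", "name": "my-f103-app", "version": "0.1.0"}},
    "components": [
        {"type": "library", "name": "STM32F1xx_HAL_Driver", "version": "1.1.9",
         "purl": "pkg:generic/STM32F1xx_HAL_Driver@1.1.9",
         "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
        {"type": "library", "name": "CMSIS", "version": "5.6.0",
         "purl": "pkg:generic/CMSIS@5.6.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        # Hand-written board code with no version, purl or license: a scanner
        # cannot match it against any advisory database.
        {"type": "library", "name": "bsp-board-support"},
    ],
})


def load_cyclonedx(text):
    """Parse JSON text and reject anything that is not a CycloneDX document."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return bom


def list_components(bom):
    """Flatten the components array to the fields downstream tools care about."""
    out = []
    for c in bom.get("components", []):
        lic = [entry.get("license", {}).get("id") or entry.get("license", {}).get("name")
               for entry in c.get("licenses", [])]
        out.append({"name": c.get("name"), "version": c.get("version"),
                    "purl": c.get("purl"), "licenses": [x for x in lic if x]})
    return out


def audit(bom):
    """Return (component, problem) pairs for entries a scanner cannot match."""
    findings = []
    for c in list_components(bom):
        if not c["version"]:
            findings.append((c["name"], "missing version"))
        if not c["purl"]:
            findings.append((c["name"], "missing purl"))
        if not c["licenses"]:
            findings.append((c["name"], "missing license"))
    return findings


def _spdx_id(name):
    # SPDX identifiers allow only letters, digits, '.' and '-'.
    # Components sharing a name would collide here; dedupe before use if needed.
    return "SPDXRef-" + re.sub(r"[^A-Za-z0-9.-]", "-", name)


def to_spdx(bom, namespace):
    """Build an SPDX 2.3 JSON document: root package DESCRIBED by the
    document, each CycloneDX component as a package the root DEPENDS_ON."""
    root = bom.get("metadata", {}).get("component", {"name": "unnamed"})
    root_id = _spdx_id(root["name"])

    def pkg(name, version, purl, licenses):
        p = {"name": name, "SPDXID": _spdx_id(name), "downloadLocation": "NOASSERTION",
             "filesAnalyzed": False,
             "licenseConcluded": " AND ".join(licenses) if licenses else "NOASSERTION"}
        if version:
            p["versionInfo"] = version
        if purl:  # purl is carried as an external reference in SPDX
            p["externalRefs"] = [{"referenceCategory": "PACKAGE-MANAGER",
                                  "referenceType": "purl", "referenceLocator": purl}]
        return p

    packages = [pkg(root["name"], root.get("version"), root.get("purl"), [])]
    relationships = [{"spdxElementId": "SPDXRef-DOCUMENT",
                      "relationshipType": "DESCRIBES", "relatedSpdxElement": root_id}]
    for c in list_components(bom):
        packages.append(pkg(c["name"], c["version"], c["purl"], c["licenses"]))
        relationships.append({"spdxElementId": root_id, "relationshipType": "DEPENDS_ON",
                              "relatedSpdxElement": _spdx_id(c["name"])})
    return {"spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
            "name": root["name"], "documentNamespace": namespace,
            "creationInfo": {"created": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
                             "creators": ["Tool: cdx-to-spdx-example"]},  # assumed tool name
            "packages": packages, "relationships": relationships}


if __name__ == "__main__":
    bom = load_cyclonedx(SAMPLE_CDX)
    for name, problem in audit(bom):
        print(f"WARN {name}: {problem}")
    print(json.dumps(to_spdx(bom, "https://example.invalid/sbom/my-f103-app"), indent=2))
```

To use it on a real package, replace `SAMPLE_CDX` with the contents of the `sbom_cdx.json` from the STM32Cube package and add your own application and any third-party middleware as components before converting; the audit output is the list of things a reviewer or a scanner such as the one in the Black Duck post will have no way to resolve.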