2026-03-04 3:11 AM
Hi everyone,
I am trying to generate a professional SBOM for my project.
I have a few questions regarding the best workflow:
Tooling & Detection: What is the best tool to generate the SBOM?
I tried using ScanCode, but it didn't find any component in my project (e.g., FreeRTOS). I had to manually add .about files to the folder to get results. Is there a better tool that can generate the SBOM with minimal manual intervention?
I’d love to hear if anyone has a script or a specific toolchain that automates this without the manual "copy-paste" from the ST manifests.
2026-03-12 2:07 AM
Hello Yahya,
For our firmware packages we use Black Duck to generate the SBOM.
The ST Cube SBOM is a reference to help you accurately describe ST‑provided components; it does not replace your project SBOM. You can reuse the needed information from ST’s SBOM (component name, version, license, origin) for the libraries you actually use, instead of recreating it.
I hope my answer has been helpful. When your question is resolved, please mark this topic as the solution. This will help others find the answer more quickly.
Thank you for your contribution.
Best regards,
Dor_RH
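One way to script the reuse step described in the answer above, as an added example that is not code from this thread, from ST, or from Black Duck: read the vendor reference SBOM, detect which vendor components are actually present in the project tree, and copy only their entries (name, version, license, origin) into a new project SBOM, while flagging anything in the tree that the reference does not cover. It assumes the reference SBOM is CycloneDX JSON (the entries below are constructed stand-ins, not ST's real data), that the project keeps vendor components under Middlewares/Third_Party, Middlewares/ST and Drivers as CubeMX generates them, and that each component directory is named like the component in the reference SBOM.

```python
"""Build a project SBOM by reusing entries from a vendor reference SBOM.

Added example, not part of the thread or of ST's tooling. Assumes a
CycloneDX JSON reference SBOM and a CubeMX-style directory layout.
"""
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed stand-in for the vendor reference SBOM (CycloneDX JSON shape).
REFERENCE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "FreeRTOS", "version": "10.3.1",
         "licenses": [{"license": {"id": "MIT"}}],
         "externalReferences": [{"type": "website", "url": "https://www.freertos.org"}]},
        {"type": "library", "name": "STM32F4xx_HAL_Driver", "version": "1.8.1",
         "licenses": [{"license": {"id": "BSD-3-Clause"}}],
         "externalReferences": [{"type": "website", "url": "https://www.st.com"}]},
        {"type": "library", "name": "CMSIS", "version": "5.6.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}],
         "externalReferences": [{"type": "website", "url": "https://github.com/ARM-software/CMSIS_5"}]},
        {"type": "library", "name": "lwIP", "version": "2.1.2",
         "licenses": [{"license": {"id": "BSD-3-Clause"}}],
         "externalReferences": [{"type": "website", "url": "https://savannah.nongnu.org/projects/lwip/"}]},
    ],
}

# Fields copied verbatim from the reference entry: name, version, license, origin.
REUSED_FIELDS = ("type", "name", "version", "licenses", "externalReferences", "purl")

# Directories under which CubeMX places vendor-provided components (assumption).
COMPONENT_ROOTS = ("Middlewares/Third_Party", "Middlewares/ST", "Drivers")


def detect_components(project_root):
    """Return the set of component directory names present in the project tree."""
    found = set()
    for rel in COMPONENT_ROOTS:
        base = Path(project_root) / rel
        if base.is_dir():
            found.update(p.name for p in base.iterdir() if p.is_dir())
    return found


def build_project_sbom(reference, used_names, project_name, project_version):
    """Copy only the reference entries for components the project actually ships.

    Returns (sbom_dict, unmatched); unmatched are component directories with no
    reference entry, which still need a manually written SBOM entry.
    """
    by_name = {c["name"]: c for c in reference["components"]}
    components = []
    for name in sorted(used_names):
        ref = by_name.get(name)
        if ref is None:
            continue  # not a vendor component; reported via `unmatched`
        components.append({k: ref[k] for k in REUSED_FIELDS if k in ref})
    sbom = {
        "bomFormat": "CycloneDX",
        "specVersion": reference["specVersion"],
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": {"type": "firmware", "name": project_name, "version": project_version},
        },
        "components": components,
    }
    unmatched = set(used_names) - set(by_name)
    return sbom, unmatched


def demo():
    """Build a throwaway CubeMX-like tree (constructed input) and generate its SBOM."""
    with tempfile.TemporaryDirectory() as root:
        for d in ("Middlewares/Third_Party/FreeRTOS",
                  "Middlewares/Third_Party/mbedTLS",   # in the tree, absent from the reference
                  "Drivers/STM32F4xx_HAL_Driver",
                  "Drivers/CMSIS",
                  "Core/Src"):                          # application code, not a component
            os.makedirs(os.path.join(root, d))
        used = detect_components(root)
        return build_project_sbom(REFERENCE_SBOM, used, "my-firmware", "1.0.0")


if __name__ == "__main__":
    sbom, unmatched = demo()
    print(json.dumps(sbom, indent=2))
    for name in sorted(unmatched):
        print(f"WARNING: {name} has no entry in the reference SBOM; add it manually")
```

The reference SBOM describes one specific Cube package version, so before trusting the copied version strings, check that the files in Middlewares/ and Drivers/ really came from that package release and were not upgraded or patched locally; the unmatched list is where the remaining manual work (the mbedTLS case in the demo) concentrates.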