2022-08-17 10:17 AM - last edited on 2025-04-15 11:59 AM by Andrew Neil
I'm using STM32F2xx, STM32F4xx, STM32F7xx and STM32L0xx firmware supplied by STM32CubeMX. I need to generate an SBOM for cybersecurity purposes. Can ST provide that or provide documentation that can be referenced to generate the SBOM?
2025-04-15 2:20 PM - edited 2025-04-15 2:25 PM
OK so now we have a nice bot-generated manifest of components in the "cube" package. The file for STM32CubeU3
In that, we can find the IDs assigned to the CMSIS, BSPs for Nucleos, original and modified ThreadX libraries.... so much. Some 3rd party commercial libraries there are "evaluation version".
Will this stuff go into a real product firmware? Otherwise, how much is this BOM going to help? Any patch or change of your own will invalidate the manifest reference.
The only genuine components there may be the ST device CMSIS files.
2026-03-18 3:00 AM
https://wiki.st.com/stm32mcu/wiki/Security:Deep_dive_on_CRA
For products placed on the market (1st sales) and made available on the market (after the CRA effective date) - really confusing terms - those products need to comply with CRA. That would mean if you have an already released project that won't change but is still sold (imports), the SBOM is needed. But there is no SBOM xml data for these products now (i.e. F4). Even if the product is not Class I, II or III, a self assessment is still required.
How to generate this SBOM from existing projects?