Amelie ACKERMANN
Community Manager
March 6, 2025

STM32Cube software is ready for automated SBOM & security processes with Black Duck tools


Over the past decade, cybersecurity regulations have become increasingly stringent, especially in industries such as aviation, medical, and automotive. The European Union's new Cyber Resilience Act (CRA), published in December 2024 and set to take effect in December 2027, will extend these regulations to all remaining application fields.

A critical aspect of these regulations is the tracking of vulnerabilities. A major milestone here is an accurate software bill of materials (SBOM) covering all components of a product or system, which is integral to the DevSecOps process.

The STM32Cube ecosystem has long provided SBOMs in all its deliverables. Until now, however, these documents were designed to be read and printed by humans. To meet the new demands, ST has partnered with Black Duck® to integrate machine-readable SBOMs into the STM32 software ecosystem. This collaboration leverages Black Duck's software composition analysis tools to streamline the security management of software components through deep scanning, automated disclosure, and continuous monitoring.

Importance of SBOM

Complexity in modern systems:

Security must cover a product end to end. An industrial system, for example, is made of multiple electronic units communicating with each other, up to the cloud itself. One can easily imagine the number of software components included in such a system. Tracking vulnerabilities across them requires automated tools to manage SBOMs throughout the software life cycle.

Cybersecurity and vulnerability management:

Maintaining SBOMs helps in understanding, correcting, and communicating flaws, preparing updates, and managing cybersecurity vulnerabilities. It also involves tracking versioning, licensing models, and ownerships to manage liabilities and corrections.

To assist developers, STM32Cube now provides machine-readable SBOM documents, generated with Black Duck® tools in the CycloneDX format and delivered as a single .json file for most software packages.

CycloneDX is a modern ECMA standard (ECMA-424) for the software supply chain. The specification originates and is led by the OWASP Foundation, and supported by the global information security community. 

Benefits of automated SBOMs

  • Security development life cycle (SDLC): automated SBOMs are essential for regular and automated scanning of existing vulnerabilities. Although SBOMs are static documents for specific software versions, vulnerabilities can emerge over a product’s lifetime, necessitating regular analysis.
  • Accuracy and exhaustiveness: automated processes ensure the accuracy and completeness of vulnerability management.
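The point of a machine-readable SBOM is that the inventory can be re-checked automatically every time new advisories appear, long after the package version itself was frozen. The following is an added example, not ST's or Black Duck's tooling: it parses a small CycloneDX JSON document, flattens it into an inventory, matches the exact component versions against a local advisory list and summarises declared licenses. Both the SBOM and the advisory list are constructed for illustration (placeholder component names and advisory identifiers, not real products or CVEs).

```python
"""Match a CycloneDX JSON SBOM against a local advisory list.

Added example: the SBOM and advisory data below are constructed for
illustration; they are not ST's published SBOM or any real advisory.
"""
import json

# Constructed CycloneDX 1.5-style SBOM, trimmed to the fields used here.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "components": [
    {"type": "library", "name": "example-rtos", "version": "6.2.1",
     "purl": "pkg:generic/example-rtos@6.2.1",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "example-tls", "version": "3.4.0",
     "purl": "pkg:generic/example-tls@3.4.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "example-cmsis", "version": "5.9.0",
     "purl": "pkg:generic/example-cmsis@5.9.0"}
  ]
}
"""

# Constructed advisory feed: placeholder identifiers, not real CVEs.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "name": "example-tls",
     "affected_versions": ["3.3.0", "3.4.0"], "fixed_in": "3.4.1"},
    {"id": "ADVISORY-PLACEHOLDER-2", "name": "example-rtos",
     "affected_versions": ["6.1.0"], "fixed_in": "6.1.1"},
]


def load_sbom(text):
    """Parse a CycloneDX JSON document and check the fields the rest of
    the code relies on, so a wrong file fails early instead of silently
    yielding an empty inventory."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    if "components" not in doc:
        raise ValueError("SBOM has no components list")
    return doc


def inventory(doc):
    """Flatten the component tree into name/version/purl records.
    CycloneDX allows nested 'components', so recurse into them."""
    records = []

    def walk(components):
        for c in components:
            records.append({"name": c.get("name"),
                            "version": c.get("version"),
                            "purl": c.get("purl")})
            walk(c.get("components", []))

    walk(doc["components"])
    return records


def match_advisories(records, advisories):
    """Return (purl, advisory id, fixed_in) for every component whose exact
    version appears in an advisory's affected list. Exact match only: real
    feeds publish version ranges, which need a proper version comparator."""
    hits = []
    for r in records:
        for a in advisories:
            if r["name"] == a["name"] and r["version"] in a["affected_versions"]:
                hits.append((r["purl"], a["id"], a["fixed_in"]))
    return hits


def license_summary(doc):
    """Count declared SPDX license ids; components without a license are
    reported under 'UNDECLARED' so they can be reviewed by hand."""
    counts = {}
    for c in doc["components"]:
        ids = [lic["license"]["id"] for lic in c.get("licenses", [])
               if "license" in lic and "id" in lic["license"]]
        for name in ids or ["UNDECLARED"]:
            counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    doc = load_sbom(SBOM_JSON)
    for purl, adv, fixed in match_advisories(inventory(doc), ADVISORIES):
        print(f"{purl}: {adv} (fixed in {fixed})")
    print(license_summary(doc))
```

Running the script against a real package SBOM only requires replacing `SBOM_JSON` with the file contents; the advisory list is the part that would normally come from a vulnerability feed, and the exact-version matching shown here is the minimum that such a feed lookup has to do.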

The first package to offer this SBOM in CycloneDX format is STM32CubeU3, available for download on www.st.com.

The STM32U3 is the first STM32 MCU to use near-threshold design, a technique that drastically reduces dynamic power consumption. This innovative design allows the STM32U3 to achieve a market-leading efficiency with 117 Coremark/mW, making it 5 times more efficient than previous generations.

STM32CubeH7RS and STM32CubeN6 will also provide this SBOM within their next package release.

The deployment of SBOMs will continue across new packages and the entire STM32 ecosystem in the coming months.

Additional resources

First published on March 6, 2025

Associate III
April 16, 2025

Dear Amelie,

I am very happy to hear that STMicroelectronics are taking steps to provide SBOMs to your customers, given the increased regulatory pressure in this area.

But I have a question on how complete these will be.

I am working with STM32H5 but I had a look at the cdx json file contained in STM32CubeU3 version 1.1.0 as I assume that the setup for STM32CubeH5 will be similar once it is released including an SBOM.

From a quick glance, my conclusion is that the SBOM contains entries for what is included in the STM32Cube package - threadx, mbedTLS, CMSIS, ….

But when you build software for the MCU using STM32CubeIDE, the resulting binary to load will also contain software added by the GCC-based tool chain (of variant arm-none-eabi) bundled with it. This includes newlib (or newlib-nano) and the glue and wrappers for compiler intrinsics provided as part of GCC and maybe some other things.

Will STMicroelectronics provide SBOMs for these parts as well?

Maybe as part of the STM32CubeIDE download package?

So that us customers can merge it with the SBOM from STM32Cube and any additional ST packages and other libs we use to form the complete SBOM.

Best regards, Jesper

Amelie ACKERMANN
Community Manager
April 22, 2025

Dear @JesperEC ,

Thanks for your comment! I forwarded your question to the responsible team, and we will get back to you as soon as possible.

Best,
Amelie

Thierry Crespo
ST Employee
April 22, 2025

@JesperEC 

Dear JesperEC,

First, we would like to thank you for your interest. We are at the stage of extending the software bill of materials (SBOM) availability to our various packages. The STM32H5 will indeed be covered by adding this SBOM, in CycloneDX format, in upcoming releases. Regarding your point on tools and additional libraries, we are currently trying to understand how to include them within our process. This will certainly take more time and therefore requires your patience. We will keep our developers informed about our progress regularly, as this subject is essential for our community.

Associate III
April 23, 2025

Thank you @Amelie ACKERMANN and @Thierry Crespo for your quick answers.

I look forward to upcoming progress reports on this topic.

Best regards, Jesper

Visitor II
July 2, 2025

Thank you!!!!

stratom
Associate III
July 12, 2025

Thanks, I hope all the other Series will be covered soon as well!

In some projects I am only using a small subset of the STM32Cube package, so I am looking for a way to easily extract only the relevant components of the published SBOM.

I am new to SBOMs and not really familiar with the standards. So in a quick search I did not find a standard way to specify a location (subfolder) in which each component is located in the repo, and it seems that does not exist.
But I was wondering if you could add the information about the subfolder for each component as a property, like you have done for the "BlackDuck-Component" and the "BlackDuck-ComponentVersion".
That way users could easily filter the SBOM to relevant components, and could do some additional checks on the files of each package.
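Two things asked for in this thread, merging the package SBOM with SBOMs for other parts of the build (Jesper's post above) and filtering the published SBOM down to the components a project actually uses (stratom's post), can both be done on the CycloneDX JSON with a few lines of code. The following is an added example and not ST's or Black Duck's tooling. The two documents are constructed; the "BlackDuck-Component" property name is the one mentioned in the thread, while "example:path" is a hypothetical property standing in for the per-component subfolder information proposed above, which the published SBOMs do not carry.

```python
"""Merge several CycloneDX JSON SBOMs and filter components by a property.

Added example, not ST's tooling. Both documents are constructed. The
"BlackDuck-Component" property name comes from the forum thread; the
"example:path" property is hypothetical, standing in for a per-component
subfolder that the published SBOMs do not currently record.
"""
import json
from copy import deepcopy

# Constructed "package" SBOM with per-component properties.
PACKAGE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "bom-ref": "pkg:generic/example-rtos@6.2.1",
         "name": "example-rtos", "version": "6.2.1",
         "purl": "pkg:generic/example-rtos@6.2.1",
         "properties": [
             {"name": "BlackDuck-Component", "value": "example-rtos"},
             {"name": "example:path", "value": "Middlewares/Third_Party/example-rtos"}]},
        {"type": "library", "bom-ref": "pkg:generic/example-tls@3.4.0",
         "name": "example-tls", "version": "3.4.0",
         "purl": "pkg:generic/example-tls@3.4.0",
         "properties": [
             {"name": "BlackDuck-Component", "value": "example-tls"},
             {"name": "example:path", "value": "Middlewares/Third_Party/example-tls"}]},
        {"type": "library", "bom-ref": "pkg:generic/example-hal@1.0.0",
         "name": "example-hal", "version": "1.0.0",
         "purl": "pkg:generic/example-hal@1.0.0",
         "properties": [
             {"name": "example:path", "value": "Drivers/example-hal"}]},
    ],
}

# Constructed "toolchain" SBOM; it overlaps with the package SBOM on one component.
TOOLCHAIN_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "bom-ref": "pkg:generic/example-libc@4.3.0",
         "name": "example-libc", "version": "4.3.0",
         "purl": "pkg:generic/example-libc@4.3.0"},
        {"type": "library", "bom-ref": "pkg:generic/example-rtos@6.2.1",
         "name": "example-rtos", "version": "6.2.1",
         "purl": "pkg:generic/example-rtos@6.2.1"},
    ],
}


def component_key(c):
    """Identity used for deduplication: the purl if present, else name@version."""
    return c.get("purl") or f"{c.get('name')}@{c.get('version')}"


def merge_sboms(*docs):
    """Combine the components of several CycloneDX documents into one.
    A component listed by more than one input is kept once (first wins);
    the dropped duplicates are returned so the merge can be audited."""
    merged = {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
              "components": []}
    seen = set()
    duplicates = []
    for doc in docs:
        if doc.get("bomFormat") != "CycloneDX":
            raise ValueError("all inputs must be CycloneDX documents")
        for c in doc.get("components", []):
            key = component_key(c)
            if key in seen:
                duplicates.append(key)
                continue
            seen.add(key)
            merged["components"].append(deepcopy(c))
    return merged, duplicates


def get_property(c, name):
    """Look up a CycloneDX component property by name; None if absent."""
    for p in c.get("properties", []):
        if p.get("name") == name:
            return p.get("value")
    return None


def filter_by_path(doc, used_paths):
    """Keep only components whose 'example:path' lies under one of the
    directories the project really uses. Components without the property
    are kept: dropping them silently would hide a dependency."""
    kept = []
    for c in doc["components"]:
        path = get_property(c, "example:path")
        if path is None or any(path == u or path.startswith(u.rstrip("/") + "/")
                               for u in used_paths):
            kept.append(c)
    out = dict(doc)
    out["components"] = kept
    return out


def component_names(doc):
    """Sorted component names, handy for comparing inventories."""
    return sorted(c["name"] for c in doc["components"])


if __name__ == "__main__":
    merged, dups = merge_sboms(PACKAGE_SBOM, TOOLCHAIN_SBOM)
    print("merged:", component_names(merged), "dropped duplicates:", dups)
    subset = filter_by_path(merged, ["Drivers", "Middlewares/Third_Party/example-tls"])
    print("project subset:", component_names(subset))
    print(json.dumps(subset, indent=2))
```

Deduplicating on the purl rather than on `bom-ref` matters when merging: `bom-ref` only needs to be unique within one document, whereas the purl identifies the same package and version across documents. The filter deliberately keeps components that lack the path property, so a partially annotated SBOM errs towards over-reporting rather than dropping a dependency.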

Thierry Crespo
ST Employee
July 23, 2025

Dear stratom,

As explained in other threads, we are at the stage of extending the software bill of materials (SBOM) availability to our various packages. All our STM32Cube packages will soon have an SBOM as they are updated.

Regarding your proposal on adding the directory of the components themselves inside the SBOM, we looked at our possibilities within our tools and the impact on the overall process.

Our customization capabilities within the SBOM tool itself are limited to the components. We also deliver a wide variety of packages with these components in local package directories. To provide the right link, we would have to manually change this information within the package SBOM. Our process being highly automated, for higher availability, reusability, and reliability, we want to minimize our manual interventions. Therefore, this does not seem a valid option currently.

We invite you to check the availability of commercial or open-source tools hoping it will allow you to reach your target.

Do not hesitate to further communicate with us, particularly if you find suitable solutions to benefit our community of users.