Skip to main content
D
dgep
Associate II
February 26, 2026
Question

SBOM for STM32 firmware project

  • February 26, 2026
  • 3 replies
  • 376 views

Hi,

I have this toolchain and need to generate a SBOM:

  • STM IDE v1.18
  • STM IDE GNU Tools for STM32 13.3.Rel1
  • STM32Cube FW_L4 V1.18.1, specified in `\*.ioc` file
  • STM32_USB_Device_Library (v2.0_Cube)
  • STM32CubeMX 6.14.0
  • FreeRTOS (10.3.1)

How could I turn this into a SBOM?

I tried scanning the folder strucutre with syft but this did not work. 

I then tried to manually make a syft Json file, but when testing for vulnerabiliteies (like e.g. here ) i could not find them. I am not sure how to specify the above components, such that they get recognized by the automated search engine (Grype).

I found a statement from ST, that SBOMs will be provided for their products, but I could not find said lists for my toolchain. Some repositories on the GitHub Repositores contain `sbom_cdx.json`. However, I struggle to connect my Toolchain components to the repositories on Github (there are over 700 and for example "stm32cubeIDE" returns 0). 

Any help is appreciated!

 

Related Links:

 

 

 

3 replies

D
dgepAuthor
Associate II
February 26, 2026

Ok I "reverse-engineered" one of the sbom_cdx.json (example) with syft. When running

syft convert sbom_cdx.json -o converted.json

We receive a syft JSON with the data given by ST.  

Deleting from this until it breaks I found out (what is probably obvious for others), that the CPE identifier is the deciding component. CPE identifiers can be found with this search engine

Here is a minimal syft json example, which will return a vulnerability with grype: 

{
 "artifacts": [
{
 "name": "STM",
 "version": "1.17.0",
 "cpes": [
 {
 "cpe": "cpe:2.3:o:st:stm32cubel4_firmware:*:*:*:*:*:*:*:*",
 "source": "declared"
 }
 ]
}
],
 "artifactRelationships": [], 
 "files": [], 
 "source": {},
 "distro": {},
 "descriptor": {},
 "schema": {
 "version": "16.1.3",
 "url": "https://raw.githubusercontent.com/anchore/syft/main/schema/json/schema-16.1.3.json"
 }
}

 

    D
    dgepAuthor
    Associate II
    March 10, 2026

    Thanks for moving this to the correct forum. 

    Does somebody here have experience with this?

    D
    Dor_RH
    ST Employee
    March 16, 2026

    Hello @dgep,

    For our firmware packages, we use Black Duck to generate the SBOM.

    The ST Cube SBOM is meant as a reference to describe ST‑provided components: it does not replace your own project SBOM. You can copy the relevant details from ST’s SBOM (component name, version, license, origin) for the libraries you actually use, instead of creating that information from scratch.

    For STM32CubeIDE and STM32CubeMX, you will find the Additional License Terms in the tool documentation on st.com.

    I hope my answer has been helpful. When your question is resolved, please mark this topic as the solution. This will help others find the answer more quickly.

    Thank you for your contribution.

    Best regards,
    Dor_RH

    Terms & ConditionsAccessibility statement