Hi everyone,I am trying to generate a professional SBOM for my project.I have a few questions regarding the best workflow:Tooling & Detection: What the best tool to generate the SBOM.I tried using ScanCode, but it didn't find any component in my project (e.g., FreeRTOS). I had to manually add .about files to the folder to get results. Is there a better tool that can generate the SBOM with minimal manual intervention?ST Cube SBOM : The Cube MCU packages contain dozens of libraries (FatFS, FreeRTOS, USB_Host, etc.). If my project only uses FatFS, the package JSON still lists everything. Do I have to manually extract the components I use from the ST JSON? how to get use of the ST SBOM?I’d love to hear if anyone has a script or a specific toolchain that automates this without the manual "copy-paste" from the ST manifests Thank you!Yahya

YahyaYozo

Associate

Solved

Best practices for generating SBOM

Forum|Forum|2 months ago
March 4, 2026
1 reply
324 views

Hi everyone,

I am trying to generate a professional SBOM for my project.
I have a few questions regarding the best workflow:

Tooling & Detection: What the best tool to generate the SBOM.
I tried using ScanCode, but it didn't find any component in my project (e.g., FreeRTOS). I had to manually add .about files to the folder to get results. Is there a better tool that can generate the SBOM with minimal manual intervention?
ST Cube SBOM : The Cube MCU packages contain dozens of libraries (FatFS, FreeRTOS, USB_Host, etc.). If my project only uses FatFS, the package JSON still lists everything. Do I have to manually extract the components I use from the ST JSON? how to get use of the ST SBOM?

I’d love to hear if anyone has a script or a specific toolchain that automates this without the manual "copy-paste" from the ST manifests

Thank you!
Yahya

STM32 Security

Best answer by Dor_RH

Hello Yahya,

For our firmware packages we use Black Duck to generate the SBOM.

The ST Cube SBOM is a reference to help you accurately describe ST‑provided components; it does not replace your project SBOM. You can reuse the needed information from ST’s SBOM (component name, version, license, origin) for the libraries you actually use, instead of recreating it.

I hope my answer has been helpful. When your question is resolved, please mark this topic as the solution. This will help others find the answer more quickly.

Thank you for your contribution.

Best regards,
Dor_RH

D

Dor_RHBest answer

ST Employee

Hello Yahya,

For our firmware packages we use Black Duck to generate the SBOM.

The ST Cube SBOM is a reference to help you accurately describe ST‑provided components; it does not replace your project SBOM. You can reuse the needed information from ST’s SBOM (component name, version, license, origin) for the libraries you actually use, instead of recreating it.

I hope my answer has been helpful. When your question is resolved, please mark this topic as the solution. This will help others find the answer more quickly.

Thank you for your contribution.

Best regards,
Dor_RH

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded