Security:STM32 Software security policies Q&A

1. Disclaimer

This Q&A, which applies to all ST deliverables, is an attempt to answer your questions on the software security policies put in place for new STM32Cube embedded software deliverables.

•       This is not a legal view of the regulations

•       These interpretations may vary and may change over time

•       All information and links are subject to changes

2. Does ST provide SBOM for STM32?

Yes, ST has decided to publicly provide a CycloneDX SBOM for every STM32Cube embedded software deliverable.

3. Where can I find ST SBOM on STM32 deliverables?

The SBOM file is delivered under the root directory of each STM32Cube product package downloaded from the internet, and is directly available in the root directory of the corresponding GitHub repository, usually under the name "sbom_cdx.json".

4. What are the contents of STM32 SBOMs?

The Cyber Resilience Act (CRA) will mandate a minimum set of fields in an SBOM; ST will conform to the CRA.

Current fields are:

  • tools used to create the SBOM,
  • SBOM creator name,
  • SBOM version,
  • component name,
  • component type,
  • component version,
  • component license name.

5. What is the format of STM32 SBOMs?

The format of STM32 SBOMs is CycloneDX. OWASP CycloneDX is a comprehensive Bill of Materials (BOM) standard designed to enhance supply chain security and reduce cybersecurity risks. It is an OWASP flagship project and has been ratified as ECMA International standard ECMA-424.

6. Are STM32 SBOMs based on standards?

Yes. As described in question 5, STM32 SBOMs use CycloneDX, an OWASP flagship project that has been ratified as ECMA International standard ECMA-424.

7. Is an SBOM sufficient to claim regulation compliance?

An SBOM is only one necessary element towards compliance. Its purpose is to enable automated Software Composition Analysis (SCA), so that developers can integrate security processes into their DevOps and CI/CD pipelines. Automating SCA lets corporate compliance policies be enforced for both licensing and security aspects.

8. Does ST provide a CycloneDX to SPDX converter?

No, ST does not provide such a tool.

Because CycloneDX is an ECMA International standard (ECMA-424), most tools available on the market support it alongside System Package Data Exchange (SPDX) and Software Identification (SWID) tags, so conversion between these formats can be done with those tools.

9. Does ST SBOM conform to CRA requirements?

Yes. ST is doing its best to make sure its SBOMs conform to the CRA.

10. Does an ST SBOM contain vulnerabilities information?

ST does not include vulnerability information in its SBOMs. While the standard allows it, ST considers an SBOM a static document that lists the composition of a software package and is valid only for one specific version of it.

Vulnerabilities are intrinsically dynamic, so ST considers that they should be described in a separate document: the Vulnerability Exploitability eXchange (VEX) document.

11. Why does ST publish its SBOMs?

The publication of SBOMs is not mandated by the CRA, as they may contain confidential information.

However, ST is committed to providing transparency and building trust with its users by delivering tools and software that users can easily verify and monitor.

12. As a device manufacturer, do I need to publish my own SBOM?

The CRA does not mandate the publication of an SBOM, because an SBOM may contain sensitive information. However, it is recommended to extend your software distribution policy to include the SBOM: in some cases, an SBOM may be required by your customers or for audit purposes.

13. What is a public Vulnerability?

A public vulnerability typically refers to a security flaw or weakness in a system, software or hardware that has been publicly disclosed. Public disclosure can occur through official channels, such as the security advisories published on the ST PSIRT page, or through other media. A worldwide recognized database of public vulnerabilities is maintained by MITRE, which is widely recognized for its Common Vulnerabilities and Exposures (CVE®) system: it provides a standardized identifier for each publicly known cybersecurity vulnerability, which facilitates the sharing of information across organizations and tools and enables better vulnerability management and response.

14. What is a Vulnerability Exploitability eXchange (VEX) document?

A Vulnerability Exploitability eXchange (VEX) document provides information about the known public vulnerabilities affecting a software package, based on its SBOM or on a set of SBOMs. Depending on tools and suppliers, its format can vary (CSV, HTML or JSON). ST aims at providing VEX documents that follow the CSAF (Common Security Advisory Framework) standard, as machine-readable files delivered with a .json extension.

15. What is the benefit of a Vulnerability Exploitability eXchange (VEX) document versus an SBOM?

The VEX document provides information about known public vulnerabilities within software packages. It lists the component versions affected and provides information about potential remediations. The SBOM lists only the components and their properties, not the vulnerabilities.

16. Are Vulnerability Exploitability eXchange (VEX) files mandated by the CRA?

The CRA does not explicitly mandate VEX files: what it requires from manufacturers is to identify, document and handle the vulnerabilities affecting their products, and the SBOM is the document it names for that purpose. The VEX document is the machine-readable way ST has chosen to communicate known public vulnerabilities, the affected component versions and the available remediations alongside the SBOM, which lists only the components and their properties, not the vulnerabilities.

17. How to assess vulnerabilities from a Vulnerability Exploitability eXchange (VEX) document?

The VEX document contains only public vulnerabilities and includes the official references and links. Users must refer to these references to conduct their own risk analysis, which depends on the application and its context. Based on this risk analysis, mitigation measures and updates may be required to reduce the risks to an acceptable level.
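In practice the two documents are cross-checked: take the component list from sbom_cdx.json (the fields of question 4), keep only the VEX statements that concern those components, and feed the result into the CI/CD gate mentioned in question 7 before starting the risk analysis above. The script below is an added illustration, not ST tooling or part of this page. It assumes the CycloneDX JSON layout (metadata, components[]) and the CSAF 2.0 VEX layout (product_tree branches, vulnerabilities[].product_status); the embedded SBOM and VEX are constructed samples with fictitious component names and placeholder CVE ids, and the gate policy (fail on known_affected and under_investigation) is an illustrative choice.

```python
"""Cross-check a CycloneDX SBOM against a CSAF 2.0 VEX document (added example, not ST tooling).
Assumes the CycloneDX JSON layout (metadata, components[]) and the CSAF VEX layout
(product_tree branches, vulnerabilities[].product_status). The embedded documents are
constructed samples with fictitious component names and placeholder CVE ids."""
import json

SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
 "metadata": {"tools": [{"name": "example-sbom-generator", "version": "1.0"}],
              "authors": [{"name": "Example Vendor"}]},
 "components": [
  {"type": "library", "name": "example-rtos", "version": "10.4.6", "licenses": [{"license": {"id": "MIT"}}]},
  {"type": "library", "name": "example-tls", "version": "3.6.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
  {"type": "library", "name": "example-fs", "version": "0.14.0", "licenses": [{"license": {"name": "BSD-3-Clause"}}]}
 ]}"""

VEX_JSON = """{"document": {"category": "csaf_vex", "csaf_version": "2.0", "title": "Constructed sample VEX"},
 "product_tree": {"branches": [{"category": "vendor", "name": "Example Vendor", "branches": [
   {"category": "product_name", "name": "example-rtos", "branches": [{"category": "product_version",
     "name": "10.4.6", "product": {"name": "example-rtos 10.4.6", "product_id": "CSAFPID-0001"}}]},
   {"category": "product_name", "name": "example-tls", "branches": [{"category": "product_version",
     "name": "3.6.0", "product": {"name": "example-tls 3.6.0", "product_id": "CSAFPID-0002"}}]},
   {"category": "product_name", "name": "example-usb", "branches": [{"category": "product_version",
     "name": "2.0.0", "product": {"name": "example-usb 2.0.0", "product_id": "CSAFPID-0003"}}]}]}]},
 "vulnerabilities": [
  {"cve": "CVE-0000-00001", "product_status": {"known_affected": ["CSAFPID-0002"]},
   "references": [{"category": "external", "summary": "placeholder", "url": "https://example.invalid/adv/0001"}],
   "remediations": [{"category": "vendor_fix", "product_ids": ["CSAFPID-0002"], "details": "Update example-tls to 3.6.1"}]},
  {"cve": "CVE-0000-00002", "product_status": {"known_not_affected": ["CSAFPID-0001"]},
   "flags": [{"label": "vulnerable_code_not_present", "product_ids": ["CSAFPID-0001"]}]},
  {"cve": "CVE-0000-00003", "product_status": {"under_investigation": ["CSAFPID-0003"]}}
 ]}"""

VEX_STATUSES = ("known_affected", "known_not_affected", "fixed", "under_investigation")  # CSAF product_status keys used by VEX


def load_samples():
    """Parse the constructed SBOM and VEX; in practice read sbom_cdx.json and the VEX file instead."""
    return json.loads(SBOM_JSON), json.loads(VEX_JSON)


def check_sbom_fields(sbom):
    """Return the fields from question 4 that are missing or empty in a CycloneDX SBOM."""
    missing = []
    meta = sbom.get("metadata", {})
    for field in ("tools", "authors"):          # tool that created the SBOM, SBOM creator
        if not meta.get(field):
            missing.append(f"metadata.{field}")
    if "version" not in sbom:                   # SBOM version
        missing.append("version")
    for i, comp in enumerate(sbom.get("components", [])):
        for field in ("name", "type", "version", "licenses"):
            if not comp.get(field):
                missing.append(f"components[{i}].{field}")
    return missing


def csaf_products(product_tree):
    """Map each CSAF product_id to (name, version) by walking the product_tree branches."""
    found = {}
    def walk(node, name, version):
        if node.get("category") == "product_name":
            name = node.get("name")
        elif node.get("category") == "product_version":
            version = node.get("name")
        if "product" in node:
            found[node["product"]["product_id"]] = (name, version)
        for child in node.get("branches", []):
            walk(child, name, version)
    for branch in product_tree.get("branches", []):
        walk(branch, None, None)
    return found


def cross_reference(sbom, vex):
    """Keep only the VEX statements about components actually listed in this SBOM."""
    shipped = [(c.get("name"), c.get("version")) for c in sbom.get("components", [])]
    products = csaf_products(vex.get("product_tree", {}))
    findings = []
    for vuln in vex.get("vulnerabilities", []):
        for status in VEX_STATUSES:
            for pid in vuln.get("product_status", {}).get(status, []):
                name, version = products.get(pid, (None, None))
                # A product without a version branch applies to every shipped version of that name.
                for ship_name, ship_version in shipped:
                    if ship_name != name or version not in (None, ship_version):
                        continue
                    findings.append({
                        "cve": vuln.get("cve"), "status": status,
                        "component": ship_name, "version": ship_version,
                        "references": [r["url"] for r in vuln.get("references", []) if "url" in r],
                        "remediations": [r["details"] for r in vuln.get("remediations", [])
                                         if pid in r.get("product_ids", [])],
                        "justification": [f["label"] for f in vuln.get("flags", [])
                                          if pid in f.get("product_ids", [])],
                    })
    return findings


def ci_verdict(findings, fail_on=("known_affected", "under_investigation")):
    """Gate policy (an illustrative choice, not ST's): block when a shipped component is affected or unresolved."""
    return not any(f["status"] in fail_on for f in findings)


if __name__ == "__main__":
    sbom, vex = load_samples()
    print("missing SBOM fields:", check_sbom_fields(sbom) or "none")
    for f in cross_reference(sbom, vex):
        print(f["cve"], f["status"], f["component"], f["version"], f["remediations"] or f["justification"])
    print("CI gate:", "PASS" if ci_verdict(cross_reference(sbom, vex)) else "FAIL")
```

Run it directly to see the matched statements and the gate verdict. A product that appears in the VEX but not in the SBOM (example-usb here) is dropped, which is the point of assessing a VEX against the SBOM of what you actually ship. The remediation text and the not-affected justification labels are what the risk analysis in question 17 starts from; the script does not replace that analysis.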

18. Which vulnerability databases does ST scan to deliver Vulnerability Exploitability eXchange (VEX) documents?

Currently, STM32 VEX documents are based on the MITRE CVE database. At a later stage, it is planned to also base them on the recently announced European Vulnerability Database (EUVD).

19. STM32 product CRA declaration of conformity: on which repository will it be published?

Once available, CRA compliance documents will be delivered on the ST website.

20. References

Security regulations

STM32Trust software security policies

Deep dive on CRA

Q&A for CRA

STM32Trust security framework

STM32 Security wiki