Question regarding SBOM support and Cyber Resilience Act recommendations

[natur-belassen]

Hello ThreadX team,

I would like to ask whether there are any plans to introduce or support a Software Bill of Materials (SBOM) for ThreadX in the context of the European Cyber Resilience Act (CRA).

Additionally, would you recommend using ThreadX in products that need to comply with CRA requirements? Are there any existing guidelines, tooling, or best practices available to support compliance efforts when integrating ThreadX into embedded systems?

Thank you for your support and clarification.

Best regards

[fdesbiens]

Hi @natur-belassen.

ThreadX and its companion ecosystem (NetX Duo, USBX, FileX, LevelX, GUIX ) have no external dependencies. Even the cryptography we ship does not rely on third-party libraries. So the SBOM is just the ThreadX kernel and whatever companion components you use in your particular product.

The Eclipse Foundation is a steward under the CRA. We are a CVE numbering authority and have a dedicated security team. The ThreadX team works with Eclipse staff to manage and fix those CVEs. Past disclosed vulnerabilities are listed in the central CVE database and on the relevant GitHub repositories. Since last year, our release notes have explicitly included CVE information. In the future, we can work on voluntary attestations for ThreadX and the other components, but we need to clarify what that would mean for the project.

The Eclipse Foundation has facilitated coordination among the open source community on this topic through its Open Regulatory Compliance working group. I recommend you take a look at the website. Some of the resources published by ORC can definitely guide you in your compliance journey.