Hello
Is there any way to generate an SBOM (Software Bill Of Materials) for a WinCC OA project?
A common tool to generate these SBOMs is CycloneDX, but I don't find anything about WinCC OA on their GitHub.
If anyone has done something like that, even with a different tool, let me know!
Generate SBOM for WinCC OA project
Search
Re: Generate SBOM for WinCC OA project
You can use the following link to get a list of MLFB numbers which can then be used in the Siemens Industry Mall:
https://winccoa.tst.siemens.com/index.html
https://mall.industry.siemens.com/mall/ ... atalogTree#
Best Regards
Leopold Knipp
Senior Support Specialist
https://winccoa.tst.siemens.com/index.html
https://mall.industry.siemens.com/mall/ ... atalogTree#
Best Regards
Leopold Knipp
Senior Support Specialist
-
gschijndel
- Posts: 373
- Joined: Tue Jan 15, 2019 3:12 pm
Re: Generate SBOM for WinCC OA project
The MLFB number is a way to identify the WinCC OA software, but that is not enough for Vulnerability Management nor Compliance Management (which are the main reasons to require a SBOM).
This is needed to comply with the Cyber Resilience Act (CRA) of the EU or counterparts in the rest of the world. Because all used components need to be included and their source. Only the software supplier can deliver this information correctly, so how can we get this information?
This is needed to comply with the Cyber Resilience Act (CRA) of the EU or counterparts in the rest of the world. Because all used components need to be included and their source. Only the software supplier can deliver this information correctly, so how can we get this information?
Last edited by gschijndel on Wed Mar 19, 2025 7:21 am, edited 1 time in total.
Re: Generate SBOM for WinCC OA project
@Gertjan: I cannot identify where the connection is between vulnerability/compliance management and the SBOM the other has requested.
If you have technical question which are not related to an existing forum topic please create a new one and describe exactly what you want to know.
Best Regards
Leopold Knipp
Senior Support Specialist
If you have technical question which are not related to an existing forum topic please create a new one and describe exactly what you want to know.
Best Regards
Leopold Knipp
Senior Support Specialist
Re: Generate SBOM for WinCC OA project
Hello.
We are working on providing an SBOM for WinCC OA.
We hope we will be able to deliver it with 3.21 release in November.
best regards,
Robert
We are working on providing an SBOM for WinCC OA.
We hope we will be able to deliver it with 3.21 release in November.
best regards,
Robert
Re: Generate SBOM for WinCC OA project
I'm looking for an SBOM that contains all the components (software, libraries, dependencies, etc) being used in a WinCC OA project, like @gschijnde explained. This is in fact part due to the Cyber Resilience Act and is being mandated by our company.
A list of licenses / MLFB used in a project/system is also useful. I think there also exists some kind of BOM specifically for that use case. But as @leoknipp pointed out, the WinCC OA Configurator tool can be used for this.
Specifically for WinCC OA and the SBOM I'm looking for is for example, when using the NGA and SQLite, all the libraries, tools and software that make up the NGA manager should be in the SBOM, as well as the SQLite executable and/or libraries used. The Qt framework for the Gedi. Oracle stuff when using RDB and Oracle database for archiving. I hope you get what I'm looking for.
@Andorhal great news that something is coming for this in version 3.21, I'll be looking out for this!
A list of licenses / MLFB used in a project/system is also useful. I think there also exists some kind of BOM specifically for that use case. But as @leoknipp pointed out, the WinCC OA Configurator tool can be used for this.
Specifically for WinCC OA and the SBOM I'm looking for is for example, when using the NGA and SQLite, all the libraries, tools and software that make up the NGA manager should be in the SBOM, as well as the SQLite executable and/or libraries used. The Qt framework for the Gedi. Oracle stuff when using RDB and Oracle database for archiving. I hope you get what I'm looking for.
@Andorhal great news that something is coming for this in version 3.21, I'll be looking out for this!