Project ESSTRA: A software suite to enhance software transparency and traceability in the software supply chain
Speakers: Takuya NAMAE & Hideki Yamane
Track: Packaging, policy, and Debian infrastructure
Type: Long talk (45 minutes)
Room: Grand amphi
Time: Jul 18 (Fri): 16:30
Duration: 0:40
When you use open-source software, do you want to know which source files were compiled into the binaries you ship? Project ESSTRA (https://github.com/sony/esstra) is a tool that collects the list of source files read during compilation and embeds that list into the resulting binaries. The importance of SBOMs has been growing, and with it the demand for better transparency and traceability in the software supply chain, both for vulnerability management and for open-source license compliance. However, it is difficult to trace exactly which files ended up in the binaries that run in your systems and services, and therefore which open-source licenses you need to comply with.
To address this issue, Sony has developed ESSTRA and released it as open source. It consists of a GCC plugin that records source file information during a build and embeds it into the resulting binaries, and a Python tool that manages the embedded information. Open-source developers and suppliers can use ESSTRA to provide provenance information to downstream consumers of their software. Because the information travels inside the program binaries themselves, product and service providers can use it to catalog software dependencies, trace build operations, generate accurate SBOMs, and meet legal and regulatory obligations. This improves software transparency and security for the entire open-source community. ESSTRA output is already supported by the Binary Analysis Next Generation (BANG) tool.
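To make the mechanism concrete, here is an added illustration (not code from ESSTRA or from the speakers) of the idea behind embedding build-time provenance in a binary: a minimal ELF64 image is constructed in memory with a source-file list stored in a dedicated section, and a downstream consumer walks the section header table to recover that list. The section name ".esstra", the line-per-path payload format, and the file list itself are constructed assumptions for this example only; the real plugin's section name and data format are documented in the project repository.

```python
"""Embed a build-time source-file list in an ELF section and read it back.

Added illustration, not ESSTRA's own code. A minimal ELF64 object is built
in memory so the script runs offline; the section name ".esstra" and the
one-path-per-line payload format are assumptions made for this example.
"""
import struct

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes
SHDR = struct.Struct("<IIQQQQIIQQ")          # Elf64_Shdr, 64 bytes
SHT_PROGBITS, SHT_STRTAB = 1, 3
SECTION_NAME = ".esstra"                     # assumed name of the provenance section

# Constructed sample: the source files a hypothetical build of hello.c touched.
SAMPLE_SOURCES = [
    "/home/build/hello/hello.c",
    "/usr/include/stdio.h",
    "/usr/include/x86_64-linux-gnu/bits/types.h",
]


def encode_sources(paths):
    """Line-oriented payload, one absolute path per line (assumed format)."""
    return ("\n".join(paths) + "\n").encode()


def build_elf_with_section(name, payload):
    """Return a minimal little-endian ELF64 image carrying `payload` in section `name`."""
    shstrtab = b"\0.shstrtab\0" + name.encode() + b"\0"
    name_off = 1 + len(b".shstrtab\0")        # index of `name` inside .shstrtab
    payload_off = EHDR.size
    shstrtab_off = payload_off + len(payload)
    shoff = shstrtab_off + len(shstrtab)
    shoff += (-shoff) % 8                      # keep the section header table 8-byte aligned
    shdrs = [
        SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0),                                    # SHN_UNDEF
        SHDR.pack(name_off, SHT_PROGBITS, 0, 0, payload_off, len(payload), 0, 0, 1, 0),
        SHDR.pack(1, SHT_STRTAB, 0, 0, shstrtab_off, len(shstrtab), 0, 0, 1, 0),
    ]
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    ehdr = EHDR.pack(ident, 1, 62, 1, 0, 0, shoff, 0, EHDR.size, 0, 0,
                     SHDR.size, len(shdrs), 2)              # ET_REL, EM_X86_64, shstrndx=2
    body = ehdr + payload + shstrtab
    body += bytes(shoff - len(body))                        # alignment padding
    return body + b"".join(shdrs)


def section_table(elf):
    """Yield (name, data) for every section of a little-endian ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    fields = EHDR.unpack_from(elf, 0)
    shoff, shentsize, shnum, shstrndx = fields[6], fields[11], fields[12], fields[13]
    if shstrndx >= shnum:
        raise ValueError("e_shstrndx out of range")
    hdrs = [SHDR.unpack_from(elf, shoff + i * shentsize) for i in range(shnum)]
    str_off, str_size = hdrs[shstrndx][4], hdrs[shstrndx][5]
    strtab = elf[str_off:str_off + str_size]
    for sh in hdrs:
        name = strtab[sh[0]:strtab.index(b"\0", sh[0])].decode()
        yield name, elf[sh[4]:sh[4] + sh[5]]


def read_section(elf, wanted):
    """Return the raw bytes of section `wanted`, or None if the binary lacks it."""
    for name, data in section_table(elf):
        if name == wanted:
            return data
    return None


def source_files_from_elf(elf):
    """Recover the embedded source-file list; empty if no provenance section is present."""
    data = read_section(elf, SECTION_NAME)
    if data is None:
        return []
    return [line for line in data.decode().splitlines() if line]


if __name__ == "__main__":
    image = build_elf_with_section(SECTION_NAME, encode_sources(SAMPLE_SOURCES))
    for path in source_files_from_elf(image):
        print(path)
```

On a real binary the same section-table walk is what `readelf -S` performs, and `objcopy --dump-section NAME=FILE prog` extracts a named section to a file; the point of the example is that the provenance record survives as ordinary ELF data, so any consumer that can parse section headers can read it without the build environment.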
Attendees of this session will learn how to use ESSTRA with open-source software and take the first steps toward improving the transparency and traceability of their own project's software. Hideki Yamane, a long-time Debian contributor, has already created a Debian package (https://salsa.debian.org/debian/esstra) and filed an ITP bug for it. We believe it would be valuable if the information obtained through ESSTRA could be included in Debian's -dbgsym packages. He will share the current status of the ESSTRA package in Debian, and we would like to ask whether this would be beneficial to Debian and other communities. If so, let's discuss how to implement it in Debian!