The Open Component Model (OCM) is an open standard for describing a software bill of deliveries (SBOD). OCM is a technology-agnostic, machine-readable format focused on the software artifacts that must be delivered for a software product. OCM provides a globally unique identity scheme that can be used to identify components and artifacts throughout the entire software lifecycle management process, ...
Its focus is to describe versioned sets of artifacts and to assign them globally unique identities. OCM makes those artifacts queryable: what is inside, where does it come from, is it authentic, and so on. It does not deal with building those artifacts or with how they are deployed; such tasks are left to tools built on top of the model, which can access an artifact by its identity. Different tools may keep their own metadata, bound together by the identities the model provides.
OCM provides a common language that tools can use to talk about software artifacts, regardless of the technologies and processes that work on them. Tool-specific metadata, such as deployment descriptions, is handled as typed artifacts in its own right. This enables content-agnostic tooling: for example, transporting software between environments, signing and verifying it, and providing compliance data.
The following chapters provide a formal description of the format used to describe software artifacts, and of a storage layer that persists them and makes them available remotely.
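As an added illustration of the ideas above (it is not OCM's own descriptor format, normalization or signing algorithm; those are specified in the chapters of this specification), the following Python script models a versioned set of artifacts under one identity, looks artifacts up by identity, and computes an authenticity check over a canonical serialization of the description. Every field name, the sample component and its values, the canonicalization rule (sorted-key JSON with the `signatures` element excluded) and the HMAC key are assumptions made for this example only.

```python
import copy
import hashlib
import hmac
import json

# Assumption: a stand-in for a real signing key; a real setup would use an
# asymmetric key pair so that verifiers never hold signing material.
KEY = b"example-signing-key"


def build_component():
    """Constructed sample: a component version as a plain dict.
    Field names are assumptions for this illustration, not the OCM schema.
    Artifact types (ociImage, helmChart, sbom) are taken from the chapter
    list of this specification."""
    return {
        "name": "example.org/shop",  # assumed component name
        "version": "1.0.0",
        "provider": "example.org",
        "resources": [
            {"name": "image", "version": "1.0.0", "type": "ociImage",
             "access": {"type": "ociArtifact",
                        "imageReference": "registry.example.org/shop:1.0.0"}},
            {"name": "chart", "version": "1.0.0", "type": "helmChart",
             "access": {"type": "ociArtifact",
                        "imageReference": "registry.example.org/shop-chart:1.0.0"}},
            {"name": "sbom", "version": "1.0.0", "type": "sbom",
             "access": {"type": "localBlob", "localReference": "sbom.json"}},
        ],
        "signatures": [],
    }


def find_resource(desc, name, version=None):
    """Look an artifact up by its identity (name, optionally plus version)."""
    for res in desc["resources"]:
        if res["name"] == name and (version is None or res["version"] == version):
            return res
    return None


def canonical_bytes(desc):
    """Deterministic serialization of the signed content.
    Signatures are excluded because a signature cannot cover itself; key order
    and whitespace are fixed so every tool derives the same bytes from the same
    data. This plays the role of a normalization step but is not OCM's algorithm."""
    body = {k: v for k, v in desc.items() if k != "signatures"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def digest(desc):
    """SHA-256 over the canonical form of the description."""
    return hashlib.sha256(canonical_bytes(desc)).hexdigest()


def sign(desc, key):
    """HMAC-SHA256 over the canonical form; a stand-in for a real signature."""
    return hmac.new(key, canonical_bytes(desc), hashlib.sha256).hexdigest()


def verify(desc, key, signature):
    """Constant-time comparison of the recomputed value with the stored one."""
    return hmac.compare_digest(sign(desc, key), signature)


def attach_signature(desc, signer, signature):
    """Return a copy carrying the signature alongside the signed content."""
    signed = copy.deepcopy(desc)
    signed["signatures"].append(
        {"name": signer, "algorithm": "hmac-sha256", "value": signature})
    return signed


def reordered_copy(value):
    """Same data with reversed key order, to show the digest ignores layout."""
    if isinstance(value, dict):
        return {k: reordered_copy(value[k]) for k in reversed(list(value))}
    if isinstance(value, list):
        return [reordered_copy(v) for v in value]
    return value


def tampered_copy(desc):
    """Redirect the 'image' resource to another registry, as an attacker who
    wants a deployment tool to pull a different image would."""
    bad = copy.deepcopy(desc)
    find_resource(bad, "image")["access"]["imageReference"] = \
        "registry.evil.example/shop:1.0.0"
    return bad


if __name__ == "__main__":
    desc = build_component()
    sig = sign(desc, KEY)
    signed = attach_signature(desc, "release-pipeline", sig)
    print("digest:          ", digest(signed))
    print("verify original: ", verify(signed, KEY, sig))
    print("verify reordered:", verify(reordered_copy(signed), KEY, sig))
    print("verify tampered: ", verify(tampered_copy(signed), KEY, sig))
```

Run it directly to see that reordering keys leaves the digest and signature valid while changing a single image reference invalidates them. Two points carry over to any real implementation: the signature must live outside the bytes it covers, and a digest over the description only says the description is intact; authenticity of the delivered content additionally needs the per-artifact digests the description records.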
- 1.1 OCM Model
  - 1.1.1 Introduction
  - 1.1.2 Components and Component Versions
  - 1.1.3 Component Repositories
  - 1.1.4 Summary
- 1.2 Model Elements
  - 1.2.1 Components and Component Versions
  - 1.2.2 Artifacts (Resources and Sources)
  - 1.2.3 Sources
  - 1.2.4 Resources
  - 1.2.5 References
  - 1.2.6 Summary
- 1.3 Model Elements - Fundamentals
  - 1.3.1 Identifiers
  - 1.3.2 Access Specification
  - 1.3.3 Access Types
  - 1.3.4 Labels
  - 1.3.5 Repository Contexts
  - 1.3.6 Signatures
  - 1.3.7 Digest Info
  - 1.3.8 Signature Info
- 1.4 Example of a complete Component Version
- 1.5 Conventions
  - 1.5.1 Intended Environments
  - 1.5.2 Selection of Usage Scenarios
- 1.6 Extending the Open Component Model
  - 1.6.1 Functional extensions
  - 1.6.2 Semantic extensions
- 2.1 Referencing
  - 2.1.1 Example
- 2.2 Signing
  - 2.2.1 Verification Procedure
- 2.3 Normalization
  - 2.3.1 Artifact Digest
  - 2.3.2 Normalization Types
  - 2.3.3 Serialization Format
  - 2.3.4 Recursive Digest Calculation
- 2.4 Example
- 2.5 Component Descriptor Normalization
- 2.6 Artifact Normalization
- 4 Extensions
- 4.1 Artifact Types
  - 4.1.1 blob
  - 4.1.2 directoryTree, fileSystem
  - 4.1.3 gitOpsTemplate
  - 4.1.4 helmChart
  - 4.1.5 npmPackage
  - 4.1.6 ociArtifact
  - 4.1.7 ociImage
  - 4.1.8 executable
  - 4.1.9 sbom
- 4.2 Access Method Types
- 4.3 Storage Backend Mappings
  - 4.3.1 OCIRegistry
  - 4.3.2 FileSystem (CTF)
  - 4.3.3 FileSystem (Component Archive)
  - 4.3.4 AWS S3
- 4.4 Algorithms
  - 4.4.1 Artifact Normalization
  - 4.4.2 Digest Algorithms
  - 4.4.3 Label Merge Algorithm
  - 4.4.4 Component Descriptor Normalization Algorithms
  - 4.4.5 Signing Algorithms
- 5.1 Transport
  - 5.1.1 Kinds of Transports
- 5.2 Model Contract
  - 5.2.1 Example: Helm deployment
- 5.3 References
Check out the main project web page to find out more about OCM. It is your central entry point to all kinds of OCM-related docs and guides, this spec, and all project-related GitHub repositories. It also offers a Getting Started guide to quickly get your hands dirty with OCM, its toolset and its concepts :-)
Code contributions, feature requests, bug reports, and help requests are very welcome. Please refer to the Contributing Guide in the Community repository for more information on how to contribute to OCM.
OCM follows the CNCF Code of Conduct.
Copyright 2022 SAP SE or an SAP affiliate company and Open Component Model contributors. Please see our LICENSE for copyright and license information. Detailed information including third-party components and their licensing/copyright information is available via the REUSE tool.