Here are some specifics about JARs:
- They have a well-defined structure with a META-INF root directory and a MANIFEST.MF Java properties file
- They may contain other conventionally located manifests, such as a POM in /META-INF/maven///pom.xml and pom.properties, but these may depend on other POMs (parent and property files)
- MANIFEST.MF can contain extra details for OSGi (and an OSGI-INF directory)
- They often lack details on origin and license
- The Maven source JAR of a binary JAR is often not the exact corresponding source code: the source is often elsewhere, in a version control repository. This may require flowing scan details (origin, license, dependency) from the source repo to the binary, but there is no enforced convention to always include the source repo addresses.
- There is no well-defined license documentation convention such as using SPDX expressions
- There is no well-defined place to document dependencies, as this is often handled by plugins instead, meaning that evaluating dependencies is difficult short of using a Java package management tool
- They are mostly written in Java, but there are many other popular languages that run on the JVM
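
The sketch below is an added example, not code from the original notes. It shows what a scanner can recover from the JAR alone: Maven coordinates from pom.properties, OSGi markers, and any license or origin hints in MANIFEST.MF. The sample JAR for the hypothetical artifact com.example:demo is constructed in memory, and the choice of manifest headers to treat as hints is an assumption; parent POMs are not resolved.

```python
import io
import zipfile

LICENSE_HEADERS = ("Bundle-License",)  # assumed set of headers worth reporting
ORIGIN_HEADERS = ("Implementation-Vendor", "Implementation-URL", "Bundle-Vendor", "Bundle-DocURL")

def parse_manifest(text):
    """Parse the main section of MANIFEST.MF, joining continuation lines."""
    headers, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            break  # a blank line ends the main section
        if line.startswith(" ") and key:
            headers[key] += line[1:]  # continuation: drop the leading space
        elif ":" in line:
            key, _, value = line.partition(":")
            headers[key] = value.strip()
    return headers

def parse_pom_properties(text):
    """Parse the key=value lines of a pom.properties file, skipping comments."""
    pairs = (l.partition("=") for l in text.splitlines() if "=" in l and not l.startswith("#"))
    return {k.strip(): v.strip() for k, _, v in pairs}

def inspect_jar(jar):
    """Report what a JAR says about itself: Maven coordinates, OSGi, license, origin."""
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
        read = lambda n: zf.read(n).decode("utf-8", "replace")
        manifest = parse_manifest(read("META-INF/MANIFEST.MF")) if "META-INF/MANIFEST.MF" in names else {}
        coords = [parse_pom_properties(read(n)) for n in names
                  if n.startswith("META-INF/maven/") and n.endswith("/pom.properties")]
    return {
        "maven_coordinates": coords,
        "is_osgi": "Bundle-SymbolicName" in manifest or any(n.startswith("OSGI-INF/") for n in names),
        "license_hints": {k: manifest[k] for k in LICENSE_HEADERS if k in manifest},
        "origin_hints": {k: manifest[k] for k in ORIGIN_HEADERS if k in manifest},
    }

def build_sample_jar():
    """Constructed in-memory JAR for the hypothetical artifact com.example:demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nBundle-SymbolicName: com.example.demo\r\n"
                    "Bundle-License: https://www.apache.org/licenses/LICENSE-2.0.t\r\n xt\r\n\r\n")
        zf.writestr("META-INF/maven/com.example/demo/pom.properties",
                    "#Generated\ngroupId=com.example\nartifactId=demo\nversion=1.2.3\n")
    return io.BytesIO(buf.getvalue())
```

Calling `inspect_jar(build_sample_jar())` returns empty `origin_hints` for this sample, which is the common case the list above describes: the coordinates are present but the origin has to come from somewhere else.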