maven-jar-plugin 3.4.2
Classifier: LIBRARY
Security state
Critical: 0, High: 0, Medium: 0, Low: 0, Unassigned: 0
Vulnerable components: 0
Inherited Risk Score: 0.0
Last BOM import: Mar 1, 2026, 12:24 AM
Last vulnerability analysis: May 8, 2026, 2:15 PM
Draft
What this plugin is
The Maven JAR Plugin assembles a project's compiled classes and resources into a `.jar` archive during the Maven `package` phase. It populates `META-INF/MANIFEST.MF` with the entries that downstream tooling relies on, such as module descriptors, the classpath and the multi-release flag.
Why it matters
The output of this plugin is what ends up on Maven Central and in production classpaths. Manifests, multi-release JAR layout, and reproducible-build flags all flow through here. A misconfigured release of this plugin is a supply-chain hazard.
Open Elements' role
Open Elements contributes to the Maven JAR Plugin under the Support & Care programme and surfaces its security state via Open Ingredients.
Components
| Component | Version | License | Status | Severities |
|---|---|---|---|---|
| maven-repository-metadata | 3.6.3 | Apache-2.0 | outdated | |
| maven-resolver-api | 1.4.1 | Apache-2.0 | outdated | |
| maven-resolver-impl | 1.4.1 | Apache-2.0 | outdated | |
| maven-resolver-provider | 3.6.3 | Apache-2.0 | outdated | |
| maven-resolver-spi | 1.4.1 | Apache-2.0 | outdated | |
| maven-resolver-util | 1.4.1 | Apache-2.0 | outdated | |
| maven-settings | 3.6.3 | Apache-2.0 | outdated | |
| maven-settings-builder | 3.6.3 | Apache-2.0 | outdated | |
| maven-shared-utils | 3.2.1 | Apache-2.0 | outdated | |
| org.eclipse.sisu.inject | 0.9.0.M2 | EPL-1.0 | outdated | |
| org.eclipse.sisu.plexus | 0.9.0.M2 | EPL-1.0 | outdated | |
| plexus-archiver | 4.9.2 | Apache-2.0 | outdated | |
| plexus-cipher | 1.4 | Apache-2.0 | outdated | |
| plexus-classworlds | 2.6.0 | Apache-2.0 | outdated | |
| plexus-component-annotations | 2.1.0 | Apache-2.0 | outdated | |
| plexus-interpolation | 1.27 | Apache-2.0 | outdated | |
| plexus-io | 3.4.2 | Apache-2.0 | outdated | |
| plexus-sec-dispatcher | 1.4 | Apache-2.0 | | |
| plexus-utils | 4.0.1 | Apache-2.0 | outdated | |
| slf4j-api | 1.7.36 | MIT | outdated | |
| snappy | 0.4 | Apache-2.0 | outdated | |
| xz | 1.9 | — | outdated | |
| zstd-jni | 1.5.5-11 | BSD-2-Clause | outdated | |
Download SBOM
CycloneDX 1.x. Re-generated server-side; no registration required.