IT: Release Engineering
RELENG-4144

Help with creating Best Practice regarding packaging ONAP Java projects

Type: Story
Resolution: Done
Priority: Normal

*.jar packages built by Jenkins have pretty much no usable metadata; here are results from a set of ONAP images: https://wiki.onap.org/display/DW/2022/03/03/Manifests+for+jar+packages+improvement

The minimal information we need for SBoMs (required by all projects sold to US federal gov):

• uniquely identify the package (name, version)
• what it was built from (e.g. git url + commit sha)
• license tag and license file (in the package, not in the manifest)
• we should handle copyrights too; I'm unsure how those should be published (maybe there is some plugin that could gather the copyright notices from code files and create a nice list)

This was brought up on the PTL call on 28.02.
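An added example, not part of the ticket or of any ONAP/Jenkins tooling: a small audit script that opens a jar, parses META-INF/MANIFEST.MF (including the JAR spec's 72-byte line wrapping) and reports which of the minimal SBOM fields listed above are missing, plus whether a license file is actually packaged. Implementation-Title and Implementation-Version are standard JAR manifest attributes; Git-Url, Git-Commit and Bundle-License (borrowed from the OSGi header) are an assumed naming convention for this demo, and the two jars it inspects are constructed in memory.

```python
"""Audit jar files for the minimal SBOM metadata (added example, assumed attribute names)."""
import io
import re
import zipfile

# Implementation-Title/Version are standard JAR attributes; the Git-* names and
# Bundle-License are an assumed convention for this example, not an ONAP standard.
REQUIRED_ATTRS = {
    "Implementation-Title": "package name",
    "Implementation-Version": "package version",
    "Git-Url": "source repository URL",
    "Git-Commit": "source commit SHA",
    "Bundle-License": "license tag (SPDX identifier)",
}
LICENSE_FILES = ("META-INF/LICENSE", "META-INF/LICENSE.txt", "LICENSE", "LICENSE.txt")


def wrap_manifest_line(line, limit=72):
    """Split a manifest line at the JAR spec's 72-byte limit using ' ' continuation lines."""
    out = [line[:limit]]
    rest = line[limit:]
    while rest:
        out.append(" " + rest[: limit - 1])
        rest = rest[limit - 1:]
    return out


def parse_manifest(text):
    """Parse the main section of MANIFEST.MF into a dict, re-joining continuation lines."""
    attrs = {}
    last_key = None
    for raw in text.splitlines():
        if not raw.strip():
            break  # first blank line ends the main section; per-entry sections follow
        if raw.startswith(" ") and last_key:
            attrs[last_key] += raw[1:]  # continuation of the previous attribute value
            continue
        key, sep, value = raw.partition(":")
        if sep:
            last_key = key.strip()
            attrs[last_key] = value.strip()
    return attrs


def audit_jar(jar_bytes):
    """Return a list of findings; an empty list means the jar carries the minimal metadata."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        if "META-INF/MANIFEST.MF" not in names:
            return ["no META-INF/MANIFEST.MF"]
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for attr, meaning in REQUIRED_ATTRS.items():
            if not manifest.get(attr):
                findings.append(f"missing {attr} ({meaning})")
        # A short or abbreviated commit id is not enough to pin the source revision.
        if "Git-Commit" in manifest and not re.fullmatch(r"[0-9a-f]{40}", manifest["Git-Commit"]):
            findings.append("Git-Commit is not a full 40-hex SHA-1")
        if not any(n in names for n in LICENSE_FILES):
            findings.append("no license file packaged (looked for " + ", ".join(LICENSE_FILES) + ")")
    return findings


def build_jar(manifest_attrs, extra_files=()):
    """Construct a minimal jar in memory (sample input for the demo, not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        lines = ["Manifest-Version: 1.0"]
        for key, value in manifest_attrs.items():
            lines.extend(wrap_manifest_line(f"{key}: {value}"))
        zf.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines) + "\r\n\r\n")
        for name, content in extra_files:
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a bare manifest as a default build produces, and a compliant one.
BARE_JAR = build_jar({"Created-By": "Maven JAR Plugin", "Build-Jdk-Spec": "11"})
GOOD_JAR = build_jar(
    {
        "Implementation-Title": "example-service",  # constructed values
        "Implementation-Version": "1.2.3",
        "Git-Url": "https://gerrit.example.org/r/example/example-service",  # placeholder URL
        "Git-Commit": "0123456789abcdef0123456789abcdef01234567",  # constructed SHA
        "Bundle-License": "Apache-2.0",
    },
    extra_files=[("META-INF/LICENSE", "Apache License, Version 2.0 ...")],
)

if __name__ == "__main__":
    for label, jar in (("bare", BARE_JAR), ("good", GOOD_JAR)):
        print(label, audit_jar(jar) or "OK")
```

Run against a directory of real build outputs, the findings list is the gap report for the manifest work described in the ticket; the license-file check is deliberately separate from the manifest check because the ticket asks for the license text to ship inside the package, not only as a header.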

valderrv Vanessa Valderrama
aalexanderr Alexander Mazuruk