Nested dependencies trying to use insecure http URLs? #485

[vazkarvishal]

Description

Issue discussed & Raised here: aquasecurity/trivy-action#485

While using the Trivy github action, we came across a situation where the action was taking ~2 hours to run. On enabling debug mode, we realised that trivy is trying to download snapshots from http URLs which is blocked on our firewall as we are only allowed port 443. Below are the debug logs for the packages it tries:

2025-08-28T15:22:05+01:00	DEBUG	[pom] Adding repository	id="vaadin-snapshots" url="http://oss.sonatype.org/content/repositories/vaadin-snapshots/"
2025-08-28T15:22:05+01:00	DEBUG	[pom] Adding repository	id="vaadin-releases" url="http://oss.sonatype.org/content/repositories/vaadin-releases/"

1. Why does trivy still use an insecure DB reference?
2. How can I control this/skip insecure/force https?

When I use mvn dependency:tree | grep -B5 android-json maven uses the https upstream like shown below:

Downloaded from central: https://repo.maven.apache.org/maven2/org/mockito/mockito-junit-jupiter/5.14.2/mockito-junit-jupiter-5.14.2.pom (2.3 kB at 143 kB/s)
Downloading from central: https://repo.maven.apache.org/maven2/org/skyscreamer/jsonassert/1.5.3/jsonassert-1.5.3.pom
Downloaded from central: https://repo.maven.apache.org/maven2/org/skyscreamer/jsonassert/1.5.3/jsonassert-1.5.3.pom (7.0 kB at 388 kB/s)
Downloading from central: https://repo.maven.apache.org/maven2/com/vaadin/external/google/android-json/0.0.20131108.vaadin1/android-json-0.0.20131108.vaadin1.pom
Downloaded from central: https://repo.maven.apache.org/maven2/com/vaadin/external/google/android-json/0.0.20131108.vaadin1/android-json-0.0.20131108.vaadin1.pom (2.8 kB at 164 kB/s)

Why does the trivy scan not try to use https like maven does?

Target

Filesystem

Scanner

Vulnerability