Michiel

Reputation: 3480

maven-shade-plugin dependency issue: Invisible vulnerabilities in Trivy scan due to missing pom.properties

I'm currently working on a build pipeline to package a Java Maven application into a Docker image and scan it using Trivy. The JAR is built using the maven-shade-plugin:

<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-shade-plugin</artifactId>
    <configuration>
        <transformers>
            <transformer 
                implementation="org.apache.maven.plugins.shade.resource.ManifestResourceTransformer">
                <mainClass>x.y.z.SomeClass</mainClass>
            </transformer>
            <transformer implementation="org.apache.maven.plugins.shade.resource.ServicesResourceTransformer"/>
        </transformers>
    </configuration>
    <executions>
        <execution>
            <phase>package</phase>
            <goals>
                <goal>shade</goal>
            </goals>
            <configuration>
                <shadedArtifactAttached>true</shadedArtifactAttached>
            </configuration>
        </execution>
    </executions>
</plugin>

To test the Trivy scan, I purposely included the dependency org.springframework:spring-webmvc:6.1.13, which contains CVE-2024-38819. However, Trivy didn't detect this vulnerability.

While researching how Trivy scans a JAR file, I found this in the documentation on Trivy's Java language coverage:

To find information about your JAR file, Trivy parses pom.properties and MANIFEST.MF files in your JAR file and takes required properties.

After inspecting the JAR file, I discovered there's no org.springframework directory with an associated pom.properties file under /META-INF/maven/. Instead, it appears under /META-INF/native-image/ without a pom.properties file. When adding ch.qos.logback:logback-core:1.5.11 (CVE-2024-12798), which did end up in META-INF/maven, Trivy noticed the logback vulnerability.

Would anyone know the reason why this package is placed under the native-image directory rather than the maven directory? Moreover, how can I ensure that a pom.properties file is always being generated for each dependency so Trivy can detect them (regardless of its location)?

Upvotes: 0

Views: 51

Answers (0)
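As an added illustration (this is not part of the question and not Trivy's own code), the following Python script inspects a JAR the way a pom.properties-based scan does: it reads every META-INF/maven/&lt;groupId&gt;/&lt;artifactId&gt;/pom.properties for groupId/artifactId/version, and then reports which dependencies left only a META-INF/native-image/&lt;groupId&gt;/&lt;artifactId&gt;/ directory behind and therefore cannot be attributed to a version from JAR metadata alone. The sample JAR is constructed in memory to mimic the layout described above; the file paths, class names and JSON content inside it are assumptions, not the contents of the actual build.

```python
import io
import zipfile
from typing import Dict, List, Set, Tuple


def build_sample_jar() -> bytes:
    """Constructed sample: an in-memory shaded JAR mimicking the layout
    described in the question. logback-core carries a pom.properties under
    META-INF/maven/ (visible to a pom.properties-based scan), while
    spring-webmvc only leaves a META-INF/native-image/<g>/<a>/ directory.
    All paths and contents are assumptions made for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF",
                   "Manifest-Version: 1.0\nMain-Class: x.y.z.SomeClass\n")
        z.writestr("META-INF/maven/ch.qos.logback/logback-core/pom.properties",
                   "#Generated by Maven\ngroupId=ch.qos.logback\n"
                   "artifactId=logback-core\nversion=1.5.11\n")
        z.writestr("META-INF/maven/ch.qos.logback/logback-core/pom.xml",
                   "<project/>")
        z.writestr("META-INF/native-image/org.springframework/spring-webmvc/"
                   "reflect-config.json", "[]")
        z.writestr("x/y/z/SomeClass.class", b"\xca\xfe\xba\xbe")
        z.writestr("org/springframework/web/servlet/SomeServlet.class",
                   b"\xca\xfe\xba\xbe")
        z.writestr("ch/qos/logback/core/SomeAppender.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def parse_pom_properties(text: str) -> Dict[str, str]:
    """Parse the key=value lines of a Maven pom.properties file,
    skipping blank lines and '#' comments."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def coordinates_from_pom_properties(jar: bytes) -> List[Tuple[str, str, str]]:
    """(groupId, artifactId, version) triples a scanner can recover from
    META-INF/maven/**/pom.properties entries inside the JAR."""
    found: List[Tuple[str, str, str]] = []
    with zipfile.ZipFile(io.BytesIO(jar)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = parse_pom_properties(z.read(name).decode("utf-8"))
                if all(k in props for k in ("groupId", "artifactId", "version")):
                    found.append((props["groupId"], props["artifactId"],
                                  props["version"]))
    return sorted(found)


def _group_artifact_dirs(names: List[str], prefix: str) -> Set[Tuple[str, str]]:
    """Collect (groupId, artifactId) from paths shaped prefix/<g>/<a>/..."""
    out: Set[Tuple[str, str]] = set()
    for name in names:
        if name.startswith(prefix):
            parts = name[len(prefix):].split("/")
            if len(parts) >= 3:
                out.add((parts[0], parts[1]))
    return out


def invisible_dependencies(jar: bytes) -> List[Tuple[str, str]]:
    """(groupId, artifactId) pairs present only as a META-INF/native-image/
    directory, with no matching pom.properties under META-INF/maven/.
    A pom.properties-based scan cannot assign these a version, so their
    CVEs do not show up."""
    with zipfile.ZipFile(io.BytesIO(jar)) as z:
        names = z.namelist()
    with_pom = {(g, a) for g, a, _ in coordinates_from_pom_properties(jar)}
    native_only = _group_artifact_dirs(names, "META-INF/native-image/")
    return sorted(native_only - with_pom)


if __name__ == "__main__":
    sample = build_sample_jar()
    print("identifiable via pom.properties:", coordinates_from_pom_properties(sample))
    print("no pom.properties (invisible to the scan):", invisible_dependencies(sample))
```

Point `coordinates_from_pom_properties` and `invisible_dependencies` at the bytes of a real shaded JAR to get the same report for an actual build. Note that pom.properties is written by Maven's own archiver when a library is built with Maven; the shade plugin only copies what each dependency JAR already contains and cannot create metadata an upstream JAR never shipped. If a dependency does not carry it, a build-time SBOM (for example from the CycloneDX Maven plugin, scanned with `trivy sbom`) attributes the dependency from the Maven dependency graph rather than from JAR metadata, which avoids this blind spot.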
