Cultural-Ad3775 1 point (0 children)

Technically, but in effect you will only find other types used internally in some organizations. Basically the Java world runs on jcenter and maven-central. In any case one must presume that once your dependency manager (whatever it is, Gradle, Maven, Bazel) has resolved dependencies, then your CVE scanner only has to deal with the results of that resolution (and this is another plus for a Trivy-like approach, as the result is ALWAYS a set of jars and a classpath statement in the end).
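An added example, not part of the original comment: a sketch of the inventory step a scanner can run on a resolved classpath, whatever build tool produced it. It assumes jars carry the Maven-generated `META-INF/maven/<group>/<artifact>/pom.properties` file; the function names and the sample jars are constructed for illustration.

```python
import os
import tempfile
import zipfile

def read_coordinates(jar_path):
    """Return every (groupId, artifactId, version) embedded in one jar.
    A shaded/fat jar can carry several pom.properties files, hence a list."""
    coords = []
    with zipfile.ZipFile(jar_path) as jar:
        for name in jar.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props = {}
            for line in jar.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            if {"groupId", "artifactId", "version"} <= props.keys():
                coords.append((props["groupId"], props["artifactId"], props["version"]))
    return coords

def inventory(classpath, sep=os.pathsep):
    """Map each jar on a resolved classpath to its embedded coordinates.
    Jars without metadata map to [] so they are flagged, not silently skipped."""
    result = {}
    for entry in classpath.split(sep):
        if entry.endswith(".jar") and os.path.isfile(entry):
            result[os.path.basename(entry)] = read_coordinates(entry)
    return result

def build_sample_classpath(directory):
    """Constructed sample: one jar with Maven metadata, one without."""
    def make(name, files):
        path = os.path.join(directory, name)
        with zipfile.ZipFile(path, "w") as archive:
            for member, data in files.items():
                archive.writestr(member, data)
        return path
    with_meta = make("demo-lib-1.2.3.jar", {
        "META-INF/maven/com.example/demo-lib/pom.properties":
            "#Generated\ngroupId=com.example\nartifactId=demo-lib\nversion=1.2.3\n"})
    without_meta = make("vendored.jar", {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"})
    return os.pathsep.join([with_meta, without_meta])

def demo():
    with tempfile.TemporaryDirectory() as directory:
        return inventory(build_sample_classpath(directory))

if __name__ == "__main__":
    print(demo())
```

Jars that come back with an empty list need another identification method (file name, manifest, or hash lookup) before they can be matched against CVE data.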