Most webjars have an id that looks like org.webjars:jquery. The problem is that the security scanner currently searches for vulnerabilities the following way:
- ecosystem: maven
- id: <groupid>:<artifactid> (so "org.webjars:jquery")
which is obviously not going to work for most of the webjars. It would probably make more sense, when the extension type is "webjar", to (also or only) search for:
- ecosystem: npm
- id: <artifactid> (so "jquery")
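
A sketch of the lookup proposed above, added here as an example and not the scanner's own code. The function names `lookup_candidates` and `npm_name` are hypothetical, it takes the "also" variant (the maven query is kept), and the `scope__name` to `@scope/name` mapping for `org.webjars.npm` artifacts is an assumption about WebJars naming that the description above does not state.

```python
from typing import List, Tuple


def npm_name(group_id: str, artifact_id: str) -> str:
    """Map a webjar artifact id to the npm package name to search for."""
    # Assumption (not from the issue): org.webjars.npm artifacts encode a
    # scoped npm package "@scope/name" as "scope__name".
    if group_id == "org.webjars.npm" and "__" in artifact_id:
        scope, name = artifact_id.split("__", 1)
        return f"@{scope}/{name}"
    # Proposal from the issue: the npm id is simply <artifactid>.
    return artifact_id


def lookup_candidates(extension_type: str, extension_id: str) -> List[Tuple[str, str]]:
    """Return the (ecosystem, id) pairs to query for one extension."""
    parts = extension_id.split(":")
    if len(parts) != 2 or not all(parts):
        raise ValueError(f"expected <groupid>:<artifactid>, got {extension_id!r}")
    group_id, artifact_id = parts

    # Current behaviour: every extension is looked up as a maven artifact.
    candidates = [("maven", extension_id)]

    # Proposed behaviour: a webjar is also looked up in the npm ecosystem,
    # because advisories for the packaged library are filed under its npm name.
    if extension_type == "webjar":
        candidates.append(("npm", npm_name(group_id, artifact_id)))
    return candidates


if __name__ == "__main__":
    # Constructed sample input.
    for ext_type, ext_id in [("webjar", "org.webjars:jquery"),
                             ("jar", "org.apache.commons:commons-lang3")]:
        print(ext_type, ext_id, "->", lookup_candidates(ext_type, ext_id))
```

The npm match is by name only, so a hit should be reported together with the maven id of the extension that triggered it.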