The answer is that the main pom dependabot is checking is a pom generated by gradle publish plugin and they do not include the metadata.

In my case the example is here

Once gradle enables the metadata there or you publish to a different portal it will work