Secure Maven pom.xml transitive dependency scanning

[cuixq]

To prevent the plugin from being exploited by malicious <repository> entries in pom.xml files, also to align with Maven's security practices:

• Reject any repository URL that does not use https://, which aligns with Maven 3.8.1+ security policy.
• Add support for parsing settings.xml to honor mirror configurations. If <mirrorOf/> is defined, the client must bypass all repository URLs declared in the pom.xml and route requests exclusively through the specified trusted mirror. This is related to Make sure Maven settings.xml are read correctly #409.