GitHub team, I recently noticed that many vulnerabilities reported for BouncyCastle over in the Maven ecosystem might be missing the full set of affected packages. One possible (unconfirmed!) example is GHSA-r97x-3g8f-gx3m, which only shows the packages

However, wandering over to https://www.bouncycastle.org/latest_releases.html I can see that there's a staggering number of different jar files for every published version for a variety of configurations. I count at least 35 in the signed JAR table alone, not even including the unsigned providers with debug information. Many of these seem to be published to Maven Central, e.g. https://mvnrepository.com/artifact/org.bouncycastle

Would it make sense to have some automation (and/or auditing) on the GitHub side to detect multi-published packages such as these and correct the entries to avoid potential risks being missed? It seems to be most common in the Java ecosystem, but it exists in other ecosystems too. Over in JavaScript land, Lodash is another great example: