Maven advisories missing scala SBT suffixes in package names

[oliverchang]

Originally filed in google/osv-scanner#1780.

Advisories in https://osv.dev/vulnerability/GHSA-p7c9-8xx8-h74f are missing package names with Scala SBT suffixes, e.g. https://central.sonatype.com/artifact/org.apache.kafka/kafka_2.13 and https://central.sonatype.com/artifact/org.apache.kafka/kafka_2.12 are technically different packages.

This leads to false negatives during scanning.

Ref: https://www.scala-sbt.org/1.x/docs/Cross-Build.html#Publishing+conventions

[JonathanLEvans]

Hi @oliverchang,

Thank you for your contribution. GHSA-p7c9-8xx8-h74f has been updated.

Let me know if there is anything else I can help with!