RFC: Introduce "primary package" vs. "embedded- or sub-packages"

[pombredanne]

Short Description

In the same way we have dependencies, we often have:

• a package within a package such as a node_modules in an npm, mono-repos, uberjars and fatjars, and similar
• multiple personalities for the same package (bower and npm)

We should have a heuristic to report one of these has primary and the other as sub/embedded packages.
This would likely be done in a post-scan step.
Data-wise this could be a list of Package URL similar to what we have for dependencies.

Select Category

• Enhancement

[pombredanne]

A few thoughts on design:

• when a package embeds other packages, we do not want to report the files of sub-pckages as being part of these of the main parent packages
• we would want to introduce a new embedded_packages attribute that would list sub packages in the parent

[pombredanne]

We do not have such concept yet and this requires further design.

[pombredanne]

See also https://salsa.debian.org/security-tracker-team/security-tracker/-/blob/master/data/embedded-code-copies