RFC: Introduce "primary package" vs. "embedded- or sub-packages"

[pombredanne]

Short Description

In the same way we have dependencies, we often have:

• a package within a package such as a node_modules in an npm, mono-repos, uberjars and fatjars, and similar
• multiple personalities for the same package (bower and npm)

We should have a heuristic to report one of these has primary and the other as sub/embedded packages.
This would likely be done in a post-scan step.
Data-wise this could be a list of Package URL similar to what we have for dependencies.

Select Category

• Enhancement

[pombredanne]

A few thoughts on design:

• when a package embeds other packages, we do not want to report the files of sub-pckages as being part of these of the main parent packages
• we would want to introduce a new embedded_packages attribute that would list sub packages in the parent

[pombredanne]

We do not have such concept yet and this requires further design.

[pombredanne]

See also https://salsa.debian.org/security-tracker-team/security-tracker/-/blob/master/data/embedded-code-copies

[pombredanne]

See also:

• RFC: Introduce idea of embedded package purldb#177
• Introduce the concept of a "successor package" to the purldb data model purldb#175

[pombredanne]

And https://github.com/nexB/scancode-toolkit/projects/10

[armijnhemel]

Related: aboutcode-org/purldb#163

[pombredanne]

As an example here is an uberjar: https://repo1.maven.org/maven2/org/apache/htrace/htrace-core4/4.2.0-incubating/htrace-core4-4.2.0-incubating.jar