Short Description
In the same way we have dependencies, we often have:
- a package within a package such as a node_modules in an npm, mono-repos, uberjars and fatjars, and similar
- multiple personalities for the same package (bower and npm)
We should have a heuristic to report one of these as primary and the other as sub/embedded packages.
This would likely be done in a post-scan step.
Data-wise this could be a list of Package URLs similar to what we have for dependencies.
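An added example, not code from this issue or from the project: one possible post-scan heuristic that groups manifests by package root and nests roots by path containment. The input layout, the `classify` function, the report keys and the npm-before-bower preference are all assumptions made for illustration.

```python
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed sample: (manifest path, Package URL) pairs as a scan might report them.
DETECTED = [
    ("app/package.json", "pkg:npm/app@1.0.0"),
    ("app/bower.json", "pkg:bower/app@1.0.0"),
    ("app/node_modules/lodash/package.json", "pkg:npm/lodash@4.17.21"),
    ("app/node_modules/lodash/node_modules/tiny/package.json", "pkg:npm/tiny@0.1.0"),
    ("tools/package.json", "pkg:npm/tools@0.3.0"),
]

# Assumed tie-break when one directory carries several "personalities".
TYPE_PREFERENCE = ("npm", "bower")


def purl_type(purl):
    """Return the type component of a Package URL, e.g. 'npm'."""
    return purl.split(":", 1)[1].split("/", 1)[0]


def rank(purl):
    t = purl_type(purl)
    order = TYPE_PREFERENCE.index(t) if t in TYPE_PREFERENCE else len(TYPE_PREFERENCE)
    return (order, purl)


def classify(detected):
    """Hypothetical post-scan step: report primary, same-package and embedded purls per root."""
    by_root = defaultdict(list)
    for path, purl in detected:
        by_root[PurePosixPath(path).parent].append(purl)

    report = {}
    for root, purls in by_root.items():
        main = min(purls, key=rank)
        report[str(root)] = {
            "primary": main,
            "same_package": sorted(p for p in purls if p != main),
            "embedded": [],
        }
    for root in by_root:
        # The nearest ancestor directory that is itself a package root embeds this one.
        parent = next((a for a in root.parents if a in by_root), None)
        if parent is not None:
            report[str(parent)]["embedded"].append(report[str(root)]["primary"])
    for entry in report.values():
        entry["embedded"].sort()
    return report
```

The report is keyed by root directory rather than by purl so that the same package vendored in two places is reported twice instead of being merged.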