These functions were vibe-coded using qwen3-coder. I first gave a simple test case to generate some logic. Then I repeatedly kept asking for more complex test cases and refactoring till we reached a point where we both concluded that the regexes and tests were good enough. It took around two hours of chat!

I hope we have covered many test cases here. Please review and suggest if there is anything missing.

This is a breaking change (> 11.0.10). There are instances where the assembly name and package names are different.

Example (Thanks, @chadwjames):

<Reference Include="System.Web.Razor, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
      <HintPath>..\packages\Microsoft.AspNet.Razor.3.0.0\lib\net45\System.Web.Razor.dll</HintPath>
    </Reference>

The package name here Microsoft.AspNet.Razor is matching the nuget name and the entry in packages.config. In older versions of cdxgen <= v11.0.10, csproj files were never parsed when packages.config was present, so we got an accurate URL but incorrect evidence since the .csproj was not tracked (therefore SCA tools wouldn't know what file to update!).

Why track assembly name and version?

Tracking the assembly name and version is important, since this is what will be present in GAC and in using statements in the code. So, when we invoke dosai to find all the occurrences (and one day call stack) for given packages, we can take the module name from the using statements and match it with the assembly name (or the DLL) to figure out which PURL offers what module.

Confidence is lowered when there is no hint version.