Enhance Package Import to support modifications #84
Signed-off-by: tdruez <tdruez@nexb.com>
@tdruez Testing of the package import in Staging (both Starship and nexB) went fine, and I modified a package successfully and the process properly updated only the empty fields. My only problem encountered had to do with package identity; it seems that you have to provide identical filename, download_url, and purl fields to get an identity hit. If I leave out any of those that already have values in DejaCode, the importer tries to add a new package. We can keep that logic, but I think the importer page needs to explain it, especially since currently there is nothing specified in "Required columns:", so perhaps we can add a note somewhere prominent on the importer page that says something like this: Note that a Package is uniquely defined in DejaCode by a combination of filename, download_url, and the six Package URL fields type, namespace, name, version, qualifiers, and subpath. You are not required to provide values in all of these fields (qualifiers and subpath are less commonly used) but if any of them are different from an existing similar package already in DejaCode, then the importer will perform an addition rather than a modification.
test file sample attached
I'm having a hard time understanding and reproducing the problem. The .csv only contains 1 entry and I don't have any insight into the content of the Dataspace being used.
Signed-off-by: tdruez <tdruez@nexb.com>
@DennisClark I've added the help you provided on the Package import form.
Problem: Different sources for importing package data to DejaCode vary greatly in quality. If a Package already exists with no license or copyright values, it does not get updated if you use Package Import from a spreadsheet (csv) to import the same package with more comprehensive data.
Benefit: Provide a means to improve Package data when importing.
Solution: In a manner roughly equivalent to the Import SBOM to a Product feature, where there is an option to "Update existing packages with discovered packages data" where "only the empty fields will be updated", make that the default behavior for Package Import. Show the number of modified packages on the results page.
Notes: Spreadsheets have recently resurfaced as an important source for package data.
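The identity and "only the empty fields" rules discussed in this thread, as an added Python illustration that is not DejaCode's own code: the identity field names come from the thread, while the function names, the `license_expression` and `copyright` keys, and the sample rows are assumptions constructed for the example.

```python
# Added illustration, not DejaCode code. Identity fields are those named in
# the thread; everything else here is hypothetical.
IDENTITY_FIELDS = (
    "filename", "download_url",
    "type", "namespace", "name", "version", "qualifiers", "subpath",
)


def identity(package):
    """Identity key: every identity field, missing values treated as empty."""
    return tuple(package.get(field) or "" for field in IDENTITY_FIELDS)


def import_rows(existing, rows):
    """Apply rows to `existing` in place; return (added, modified, unchanged)."""
    index = {identity(pkg): pkg for pkg in existing}
    added = modified = unchanged = 0
    for row in rows:
        match = index.get(identity(row))
        if match is None:
            # Any differing identity field, even one left blank, is an addition.
            new_pkg = dict(row)
            existing.append(new_pkg)
            index[identity(new_pkg)] = new_pkg
            added += 1
            continue
        # Modification: fill empty fields only, never overwrite existing values.
        filled = [k for k, v in row.items() if v and not match.get(k)]
        for k in filled:
            match[k] = row[k]
        modified += bool(filled)
        unchanged += not filled
    return added, modified, unchanged


def demo():
    # Constructed sample data: one stored package with no license value.
    existing = [{
        "filename": "lib-1.0.tar.gz",
        "download_url": "https://example.com/lib-1.0.tar.gz",
        "type": "generic", "name": "lib", "version": "1.0",
        "license_expression": "", "copyright": "Copyright Example Corp",
    }]
    full = dict(existing[0], license_expression="mit", copyright="Copyright Other")
    # Same row with download_url left out: no identity hit, so it is added.
    partial = {k: v for k, v in full.items() if k != "download_url"}
    return import_rows(existing, [full, partial]), existing
```

The first row fills the empty license and leaves the stored copyright alone; the second row, which only omits `download_url`, lands as a near-duplicate package, the case the note on the import form is meant to explain.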