Show canonical component names in Dependency List
Problem to solve
The component names presented in the Dependency List might be slightly different from the ones used on the package registry. For instance, the list might show pillow instead of Pillow. This might confuse users who don't know the rules used to compare names, such as the ones specified in https://peps.python.org/pep-0426/#name.
Proposal
Leverage the data imported from the external License Database to add canonical names to the components tracked in the DB. For instance, add a new canonical_name DB column to sbom_components, and populate it only when the canonical name differs from the normalized name stored in sbom_components.name (leaving it NULL otherwise).
Further details
As of today (prior to &7886), the Dependency List presents project dependencies with the names reported by Dependency Scanning, which extracts them from the dependency files parsed by Gemnasium. If/when we implement #299294, Gemnasium will parse Pipfile.lock, which contains normalized names like pillow and django rather than the canonical names Pillow and Django.
As we implement Continuous vulnerability scans (&7886), the Dependency List will switch to the normalized component names that are stored in the DB when project SBOMs are ingested. See Ingest SBOM reports (&8024 - closed). Again, these normalized names might differ from the canonical names.
The external License Database implemented in &8492 (closed) fetches package metadata from the public package registries, so it can collect the canonical package names.
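As an added example (not code from this issue, from Gemnasium, or from the License Database), the following Python sketch shows the pieces of the proposal end to end: the name normalization rule that produces pillow from Pillow (PEP 503, the successor of the PEP 426 name rules linked above), extraction of normalized names from a constructed Pipfile.lock fragment, and a join against constructed registry metadata that fills the proposed canonical_name column only when the registry spelling differs. The dict shapes, the canonical_index/canonical_name_for/enrich function names and the metadata layout are assumptions made for the example; the one check worth taking away is that the join must key on the normalized form of the registry name, or a package like ruamel.yaml (stored as ruamel-yaml) is silently missed.

```python
import json
import re


def normalize_name(name):
    """PEP 503 name normalization, the rule behind the lower-case, hyphenated
    names found in Pipfile.lock: runs of '-', '_' and '.' become one '-',
    then the result is lower-cased."""
    return re.sub(r"[-_.]+", "-", name).lower()


# Constructed Pipfile.lock fragment (not a real project file). pipenv writes
# the keys already normalized, so "Pillow" on PyPI appears here as "pillow".
PIPFILE_LOCK = """{
  "default": {
    "django": {"version": "==4.2.7"},
    "pillow": {"version": "==10.1.0"},
    "ruamel-yaml": {"version": "==0.18.5"}
  },
  "develop": {}
}"""


def components_from_pipfile_lock(text):
    """Extract {name, version} components from Pipfile.lock. Re-normalizing
    is a no-op for pipenv output and protects against hand-edited files
    that carry names like "Ruamel.YAML"."""
    data = json.loads(text)
    components = []
    for section in ("default", "develop"):
        for name, spec in data.get(section, {}).items():
            version = spec.get("version", "").lstrip("=")
            components.append({"name": normalize_name(name), "version": version})
    return components


# Constructed stand-in for the package metadata the external License Database
# fetches from the registry; "name" carries the registry's canonical spelling.
LICENSE_DB_METADATA = [
    {"name": "Django", "version": "4.2.7"},
    {"name": "Pillow", "version": "10.1.0"},
    {"name": "ruamel.yaml", "version": "0.18.5"},
    {"name": "requests", "version": "2.31.0"},
]


def canonical_index(metadata):
    """Map normalized name -> canonical name. Keying on the normalized form is
    the important check: the registry says "ruamel.yaml" while the DB stores
    "ruamel-yaml", so an exact-string join would silently miss it."""
    return {normalize_name(m["name"]): m["name"] for m in metadata}


def canonical_name_for(component, index):
    """Value for the proposed sbom_components.canonical_name column (an
    assumed column name): the registry spelling when it differs from the
    stored normalized name, else None (NULL); also None when the registry
    has no record for the component."""
    canonical = index.get(component["name"])
    if canonical is None or canonical == component["name"]:
        return None
    return canonical


def enrich(components, metadata):
    """Attach canonical_name to every component, NULL where not needed."""
    index = canonical_index(metadata)
    return [dict(c, canonical_name=canonical_name_for(c, index)) for c in components]


def display_name(component):
    """What the Dependency List would show: the canonical name if set,
    otherwise the normalized name already in sbom_components.name."""
    return component.get("canonical_name") or component["name"]


if __name__ == "__main__":
    for c in enrich(components_from_pipfile_lock(PIPFILE_LOCK), LICENSE_DB_METADATA):
        print(f'{c["name"]:<12} canonical_name={c["canonical_name"]!r:<15} shown as {display_name(c)}')
```

Running the block prints one row per component; django, pillow and ruamel-yaml get canonical names, while a component whose registry spelling is already normalized (requests) or that has no registry record keeps canonical_name NULL and is displayed by its normalized name.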
/cc @sam.white