Introduce the concept of a "successor package" to the purldb data model

[DennisClark]

It is not a super-common situation (fortunately) but sometimes a package gets moved and/or renamed to an entirely new namespace. Consider log4j

pkg:maven/log4j/log4j@1.2.27 is followed by
pkg:maven/org.apache.logging.log4j/log4j@2.0

indicating that it became part of a "logging" project. This is fine, but it can make it challenging to find the "next" or "later" versions of a specific package.

Modeling details to be determined: possibly a new field on the basic package definition called successor_package (purl format of course) or possibly a new relation, since this is a relatively rare occurrence.

[Hritik14]

More such examples:

1. spring-attic/spring-cloud-aws -> awspring/spring-cloud-aws
2. com.mysql -> mysql-connector-j

[Hritik14]

Just a food for thought: If the commit history can be leveraged to trace a package, that could be super helpful.

[pombredanne]

See also aboutcode-org/vulnerablecode#1284 and aboutcode-org/vulnerablecode#1285

[armijnhemel]

this should probably be a 1:n mapping. There are some packages that have been split into multiple packages. One example is hostap which was succeeded by hostapd and wpa_supplicant. This is rare though.