Follow-up from "Improve Vulnerability Tracking: Add tracking field"
The following discussion from gitlab-org/security-products/security-report-schemas!69 (merged) should be addressed:
- @d0c-s4vage started a discussion: (+6 comments)

  I've changed my mind on this - I don't think we should require that signatures exist. What if an analyzer provides a `tracking` object for languages that we can't yet calculate any signatures for? That would make the JSON non-conformant with the schema.

  Another use case that I ran into while reviewing the other feedback is with `tracking.type = "hash"`. I don't think we should have a post-analyzer that simply hashes data and inserts signatures - this is simple enough to do in the backend. In this case, there would also never be a `signatures` array.
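The two cases raised in the discussion (a `tracking` object with no signatures for a not-yet-supported language, and `tracking.type = "hash"` where hashing is left to the backend), worked through as an added example. This is not code from the MR or from security-report-schemas; the schema stand-ins, the vulnerability field names used as hash input (`category`, `location`, `identifiers`) and the sample report are all constructed assumptions for illustration.

```python
import hashlib
import json

# Constructed, simplified stand-ins for the tracking object's schema. These are assumptions
# for illustration, not the real security-report-schemas definitions.
SIGNATURES_REQUIRED = {"required": ["type", "signatures"], "types": {"type": str, "signatures": list}}
SIGNATURES_OPTIONAL = {"required": ["type"], "types": {"type": str, "signatures": list}}


def validate_tracking(tracking, schema):
    """Return the list of schema violations for one tracking object (empty means conformant)."""
    errors = []
    for key in schema["required"]:
        if key not in tracking:
            errors.append(f"missing required field: {key}")
    for key, expected in schema["types"].items():
        if key in tracking and not isinstance(tracking[key], expected):
            errors.append(f"field {key} must be of type {expected.__name__}")
    return errors


def backend_hash_signature(vulnerability):
    """Hypothetical backend-side signature: SHA-256 over a finding's stable identifying fields.

    The field names are assumptions; the point is that the hashing is deterministic and needs
    no post-analyzer step in the report itself.
    """
    material = json.dumps(
        {k: vulnerability.get(k) for k in ("category", "location", "identifiers")},
        sort_keys=True,
        separators=(",", ":"),
    )
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def fill_hash_signatures(report):
    """Compute signatures in the backend for every finding whose tracking.type is "hash"
    and which carries no signatures yet; return the number of findings updated."""
    updated = 0
    for vuln in report.get("vulnerabilities", []):
        tracking = vuln.get("tracking")
        if tracking and tracking.get("type") == "hash" and "signatures" not in tracking:
            tracking["signatures"] = [backend_hash_signature(vuln)]
            updated += 1
    return updated


# Constructed sample report covering the two cases raised in the discussion.
SAMPLE_REPORT = {
    "vulnerabilities": [
        {   # analyzer supports tracking but cannot compute signatures for this language yet
            "category": "sast", "location": {"file": "app/main.rb"}, "identifiers": ["A1"],
            "tracking": {"type": "source"},
        },
        {   # analyzer delegates hashing to the backend
            "category": "sast", "location": {"file": "app/util.rb"}, "identifiers": ["B2"],
            "tracking": {"type": "hash"},
        },
    ]
}

if __name__ == "__main__":
    for vuln in SAMPLE_REPORT["vulnerabilities"]:
        print(vuln["tracking"],
              "| signatures required:", validate_tracking(vuln["tracking"], SIGNATURES_REQUIRED),
              "| signatures optional:", validate_tracking(vuln["tracking"], SIGNATURES_OPTIONAL))
    print("backend filled", fill_hash_signatures(SAMPLE_REPORT), "hash signature(s)")
```

Run as a script, both sample findings fail validation under the "signatures required" stand-in and pass under the optional one; `fill_hash_signatures` then adds a signature only to the `"hash"` finding, after which that finding would conform even to the stricter variant.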