Update sort function in report package to also sort by name field

Proposal

The report package was updated to sort vulnerabilities by Severity, CompareKey, and Location.Dependency.Version as part of "Sort vulns by Location.Dependency.Version" (gitlab-org/security-products/analyzers/report!51, merged, by Adam Cohen, 15.6). However, some vulnerabilities have the same Severity, CompareKey, and Location.Dependency.Version, which means that the sort order between them is non-deterministic.

For example, the following two vulnerabilities from security-code-scan have the same value for these fields:

In order to work around the non-deterministic sorting of the above vulnerabilities, security-code-scan has added custom sorting in the integration tests.

The purpose of this issue is to update the report package to also sort vulnerabilities by the name field, so that the vulnerability order in the report is deterministic and we can remove workarounds like the one implemented by security-code-scan.

Implementation Plan

  1. The sort function in the report package currently sorts by Severity, CompareKey, and Location.Dependency.Version.

    We need to update the sort function to fall back to the Name field whenever the Location.Dependency.Version field is absent, or is equal between two vulnerabilities, so that no two vulnerabilities compare as equal on the sort keys alone.

  2. Add unit tests for the above behaviour.

  3. Release a new version of the report package.

  4. Update security-code-scan to use the new version of the report package released in step 3 above.

  5. Remove the custom sorting from the security-code-scan integration test.
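The comparator described in step 1, written out as a stand-alone Go example. This is added here for illustration and is not the report package's own code: the Vulnerability, Location and Dependency types, the Severity ordering, the plain string comparison of versions, and the sample findings are all assumptions made for the example. Two findings that tie on Severity, CompareKey and Location.Dependency.Version fall through to the Name comparison, so the result no longer depends on the input order.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Severity is ordered from most to least severe (constructed for this
// example; the real report package defines its own severity type).
type Severity int

const (
	SeverityCritical Severity = iota
	SeverityHigh
	SeverityMedium
	SeverityLow
	SeverityInfo
	SeverityUnknown
)

// Dependency and Location mirror the field path referenced in the issue
// (Location.Dependency.Version); the exact field set is an assumption.
type Dependency struct {
	Version string
}

type Location struct {
	Dependency *Dependency // nil when the finding is not tied to a dependency
}

type Vulnerability struct {
	Name       string
	Severity   Severity
	CompareKey string
	Location   Location
}

// dependencyVersion returns the dependency version, or "" when there is no
// dependency (the "doesn't exist" case from step 1 of the plan).
func dependencyVersion(v Vulnerability) string {
	if v.Location.Dependency == nil {
		return ""
	}
	return v.Location.Dependency.Version
}

// less orders vulnerabilities by Severity, CompareKey,
// Location.Dependency.Version and finally Name. The Name tiebreak is the
// change proposed in this issue: without it, findings that share the first
// three keys have no defined order.
func less(a, b Vulnerability) bool {
	if a.Severity != b.Severity {
		return a.Severity < b.Severity // lower value = more severe
	}
	if c := strings.Compare(a.CompareKey, b.CompareKey); c != 0 {
		return c < 0
	}
	// Lexicographic version comparison is an assumption of this example.
	if c := strings.Compare(dependencyVersion(a), dependencyVersion(b)); c != 0 {
		return c < 0
	}
	return a.Name < b.Name
}

// Sort orders the slice in place using the comparator above.
func Sort(vulns []Vulnerability) {
	sort.SliceStable(vulns, func(i, j int) bool { return less(vulns[i], vulns[j]) })
}

// Names returns the vulnerability names in slice order.
func Names(vulns []Vulnerability) []string {
	out := make([]string, 0, len(vulns))
	for _, v := range vulns {
		out = append(out, v.Name)
	}
	return out
}

// Reversed returns a copy of the slice in reverse order, used to show that
// the sorted result does not depend on the input order.
func Reversed(vulns []Vulnerability) []Vulnerability {
	out := make([]Vulnerability, len(vulns))
	for i, v := range vulns {
		out[len(vulns)-1-i] = v
	}
	return out
}

// SampleVulnerabilities is a constructed input: three findings that tie on
// every key except Name, two that differ only by dependency version, and
// two of other severities.
func SampleVulnerabilities() []Vulnerability {
	key := "Controllers/Home.cs:42"
	return []Vulnerability{
		{Name: "SQL injection", Severity: SeverityMedium, CompareKey: key},
		{Name: "Path traversal", Severity: SeverityMedium, CompareKey: key},
		{Name: "Open redirect", Severity: SeverityMedium, CompareKey: key},
		{Name: "Vulnerable package", Severity: SeverityMedium, CompareKey: key,
			Location: Location{Dependency: &Dependency{Version: "1.2.3"}}},
		{Name: "Vulnerable package", Severity: SeverityMedium, CompareKey: key,
			Location: Location{Dependency: &Dependency{Version: "1.0.0"}}},
		{Name: "Low finding", Severity: SeverityLow, CompareKey: "a"},
		{Name: "Critical finding", Severity: SeverityCritical, CompareKey: "z"},
	}
}

func main() {
	for _, input := range [][]Vulnerability{SampleVulnerabilities(), Reversed(SampleVulnerabilities())} {
		Sort(input)
		for _, v := range input {
			fmt.Printf("%d %-22s %-6s %s\n", v.Severity, v.CompareKey, dependencyVersion(v), v.Name)
		}
		fmt.Println("--")
	}
}
```

Running main prints the same ordering twice, once for the sample input and once for its reverse; the three medium findings at the same location and with no dependency version come out alphabetically by Name, and the two "Vulnerable package" findings are ordered by version before Name is consulted.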

/cc @tkopel @fcatteau @jleasure @theoretick