Improve MergeReportsService

What does this MR do?

This MR makes the MergeReportsService more reliable by sorting the findings individually instead of sorting the source reports.

The problem can be demonstrated with the following sequence;

1. We parse a top priority SAST artifact and get the report
2. We parse another SAST artifact which has the lowest priority and merge it with the previously generated SAST report
3. We parse yet another SAST artifact which has lower priority than the first one but higher than the second one and merge it with the previously merged report. Before this change, the findings of the third report would be marked as duplicates if there are any matching with the second one because we were checking only the primary scanner.

Related to #296520 (closed).

Does this MR meet the acceptance criteria?

Conformity

• 📋 Does this MR need a changelog?
  • I have included a changelog entry.
• [-] Documentation (if required)
• Code review guidelines
• Merge request performance guidelines
• Style guides
• [-] Database guides
• Separation of EE specific content

Availability and Testing

• [-] Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
• [-] Tested in all supported browsers
• [-] Informed Infrastructure department of a default or new setting change, if applicable per definition of done

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

• [-] Label as security and @ mention @gitlab-com/gl-security/appsec
• [-] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
• [-] Security reports checked/validated by a reviewer from the AppSec team