Add MergeReportsService w/ tests

MergeReportsService merges several security report
POROs into one. This involves deduplicating
vulnerability occurrences that share the same
location, and at least one (identifier type,
identifier value) pair, not including CWEs since
CWE is not a identifier but rather a class of
vulnerabilities. First found occurrence wins.
Then, occurrences are sorted by severity (desc)
and then by compare key (asc).