Vulnerability Combiner -- Ensure vulnerability ratings are combined in a consistent manner

name: Ensure vulnerability ratings are combined in a consistent manner
about: Combining vulnerability ratings should be explicit on which scanner takes priority

Is your feature request related to a problem? Please describe

Currently hoppr-cop combines vulnerability ratings using the default merge behavior. This results in the ratings arrays being combined without specific regard given to the scanner that produced them or to which rating should be treated as the primary (first) rating. In most cases this isn't a big deal, but it could result in unintended ratings being pushed to the top when a different one is more applicable. The other concern here is that which rating is pushed to the top is not explicitly defined.

Describe the solution you'd like

First, the rating list merge should be explicitly defined in the code, with a choice being made on how to prioritize the ratings from the different scanners.

Second, this might be a good reason to adjust the reporting to show the ratings from different tools. This would make the reports more complicated, but it would be worth showing where the tools disagree on the findings, as this is useful information.

One major issue with determining the rating that should be prioritized is that the top rating in the list is treated as the primary entry. Realistically none of the scanners are significantly better than any of the others, at least not enough to make this a clear victory for one (honestly the reason for this project). However, due to the CycloneDX spec, one of these ratings needs to be primary. One thought here is that maybe we give priority to whichever primary rating has the higher severity and then highlight the difference.
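As an added illustration of the explicit merge proposed above (example code written for this issue, not hoppr-cop's own implementation), the following sketch combines the ratings arrays from several scanners into one deterministic list: highest severity first (so the CycloneDX primary slot is defined by severity, as suggested), ties broken by a configurable scanner priority order and then by score, with exact duplicates dropped, plus a helper that surfaces where the scanners disagree. The severity ranking, the scanner names, and the sample ratings are constructed assumptions; the rating dict shape only approximates CycloneDX.

```python
"""Explicit, deterministic merge of CycloneDX-style vulnerability ratings.

Added example for this issue; not hoppr-cop's code. Rating dicts follow the
rough CycloneDX shape: {"source": {"name": ...}, "severity": ..., "score": ..., "method": ...}.
"""
from typing import Iterable, Optional

# Constructed severity ranking (higher value = more severe). The string values
# mirror the CycloneDX severity vocabulary; the numeric ordering is an assumption.
SEVERITY_RANK = {
    "critical": 5,
    "high": 4,
    "medium": 3,
    "low": 2,
    "info": 1,
    "none": 0,
    "unknown": -1,
}

# Hypothetical scanner priority, used only to break ties between ratings of
# equal severity and score. Earlier in the list wins; unlisted scanners sort last.
DEFAULT_SCANNER_PRIORITY = ["grype", "trivy", "oss index"]


def _source_name(rating: dict) -> str:
    """Lower-cased scanner name from the rating's source block ('' if absent)."""
    source = rating.get("source") or {}
    return str(source.get("name", "")).lower()


def _sort_key(rating: dict, scanner_priority: list) -> tuple:
    """Sort key: highest severity, then highest score, then preferred scanner, then name."""
    severity = str(rating.get("severity", "unknown")).lower()
    sev_rank = SEVERITY_RANK.get(severity, SEVERITY_RANK["unknown"])
    name = _source_name(rating)
    try:
        scanner_rank = scanner_priority.index(name)
    except ValueError:
        scanner_rank = len(scanner_priority)  # unknown scanners sort after known ones
    score = rating.get("score")
    score_rank = -float(score) if score is not None else 0.0
    return (-sev_rank, score_rank, scanner_rank, name)


def merge_ratings(rating_lists: Iterable[Iterable[dict]],
                  scanner_priority: Optional[list] = None) -> list:
    """Combine per-scanner ratings lists into one explicitly ordered list.

    The first element of the result is the rating that should occupy the
    primary slot required by the CycloneDX spec. Exact duplicates
    (same scanner, method, severity and score) are emitted once.
    """
    priority = [s.lower() for s in (scanner_priority or DEFAULT_SCANNER_PRIORITY)]
    merged, seen = [], set()
    for ratings in rating_lists:
        for rating in ratings:
            key = (_source_name(rating), rating.get("method"),
                   str(rating.get("severity", "")).lower(), rating.get("score"))
            if key in seen:
                continue
            seen.add(key)
            merged.append(rating)
    merged.sort(key=lambda r: _sort_key(r, priority))
    return merged


def severity_disagreement(ratings: Iterable[dict]) -> list:
    """Distinct severities across the merged ratings; more than one means the tools disagree."""
    return sorted({str(r.get("severity", "unknown")).lower() for r in ratings})


# Constructed sample ratings for one vulnerability, as three scanners might report it.
SAMPLE_GRYPE = {"source": {"name": "Grype"}, "severity": "high", "score": 7.5, "method": "CVSSv31"}
SAMPLE_TRIVY = {"source": {"name": "Trivy"}, "severity": "critical", "score": 9.8, "method": "CVSSv31"}
SAMPLE_OSS = {"source": {"name": "OSS Index"}, "severity": "high", "score": 7.5, "method": "CVSSv3"}


def demo() -> list:
    """Merge the sample ratings; Trivy's critical rating lands in the primary slot."""
    merged = merge_ratings([[SAMPLE_GRYPE], [SAMPLE_TRIVY, SAMPLE_GRYPE], [SAMPLE_OSS]])
    if len(severity_disagreement(merged)) > 1:
        print("scanners disagree on severity:", severity_disagreement(merged))
    return merged


if __name__ == "__main__":
    for r in demo():
        print(r["source"]["name"], r["severity"], r["score"])
```

Because the key is a full tuple ending in the scanner name, two runs over the same input always produce the same order, which is the property the issue asks for; swapping `DEFAULT_SCANNER_PRIORITY` is the one place the "which scanner wins a tie" decision lives.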

Describe alternatives you've considered

Reasonably, this likely needs some dealing with. The impact isn't huge for leaving it as is, because it does appear to report one of the scanners' primary ratings in the first slot of the array.