The Check CVE stage does not check `package_path` which can allow the Check CVE stage to pass in the pipeline, while the VAT displays a new unapproved finding. AC - [ ] Check CVE stage compares findings in the same way that the VAT does. (Include `package_path` from Whitelist and pipeline's Findings)