The Check CVE stage does not check `package_path` which can allow the Check CVE stage to pass in the pipeline, while the VAT displays a new unapproved finding. AC - [x] Check CVE stage compares findings in the same way that the VAT does. (Include `package_path` from Whitelist and pipeline's Findings) - ~~Test that [galvanize/galvanize/java-code-evaluator](https://repo1.dso.mil/dsop/galvanize/galvanize/java-code-evaluator) properly fails the Check CVE as the VAT displays one unapproved finding for `CVE-2020-13956` from Anchore and has a package path of `/app/send_results/libs/httpclient-4.5.13.jar`~~ OBE. This CVE has now been addressed