Handle deduplication of packages in a scan

We should only report a consolidated package once where there are multiple exact duplicates

This needs some experimentation with a real use case project.
There is likely a need to have an option to dedupe in anycase.