GOSEC mapper conflates some finding specific information with control level information #5962

Open
Amndeep7 opened this issue Jul 2, 2024 · 1 comment
Labels
hdf-converters Issue related to the HDF Converters library

Amndeep7 commented Jul 2, 2024

I manually changed one of the results in the sample file to have LOW severity. This caused the entire G304 section to be changed to LOW severity even though the other ones were at MEDIUM severity. We need to determine if it is necessary to actually restructure this mapper so that the results are not consolidated by 'id' since even though metadata like severity is probably not gonna change due to being tied to the CWE, other metadata like confidence probably could change per result. I think we should probably generate more sample files since the provided sample is not sufficient.

Originally posted by @Amndeep7 in #5952 (review)

Severity is a control-level attribute since it's associated with the CWE + rule id, but other stuff like confidence and the nosec stuff impacts at the finding level. nosec/suppression, for example, probably ought to impact the status of that particular result to be skip if they are not false.
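To make the control-level vs. finding-level split concrete, here is an added illustration (not the hdf-converters mapper and not code from this issue) of grouping gosec JSON findings into HDF-style controls by rule id. The gosec input shape (`severity`, `confidence`, `cwe`, `rule_id`, `nosec`, `suppressions`) follows gosec's JSON output; the sample report itself is constructed, the severity-to-impact scale and the `firstResultImpact`/`toControls`/`toResult` helpers are assumptions made for this example. It shows one way the conflation described above can arise (deriving the control's impact from whichever result happens to be seen first) alongside a mapping that keeps impact at the rule level while carrying confidence and nosec status per result:

```typescript
// Added illustration, not the hdf-converters mapper: group gosec JSON
// findings into HDF-style controls per rule id while keeping control-level
// attributes (severity/impact) separate from finding-level ones
// (confidence, nosec/suppressions).

type Level = 'LOW' | 'MEDIUM' | 'HIGH';

// Shape of one entry in gosec's JSON "Issues" array.
interface GosecIssue {
  severity: Level;
  confidence: Level;
  cwe: { id: string; url: string };
  rule_id: string;
  details: string;
  file: string;
  code: string;
  line: string;
  column: string;
  nosec: boolean;
  suppressions: { kind: string; justification: string }[] | null;
}

interface GosecReport {
  Issues: GosecIssue[];
}

interface HdfResult {
  status: 'failed' | 'skipped';
  code_desc: string;
  message: string;
  skip_message?: string;
}

interface HdfControl {
  id: string;
  title: string;
  impact: number;
  tags: { cwe: string; severity: Level };
  results: HdfResult[];
}

// Assumed severity-to-impact scale for this illustration only.
const IMPACT: Record<Level, number> = { LOW: 0.3, MEDIUM: 0.5, HIGH: 0.7 };

const CWE22 = { id: '22', url: 'https://cwe.mitre.org/data/definitions/22.html' };

// Constructed sample in the shape of gosec's JSON output (not a real scan).
// The first G304 result was hand-edited to LOW, as the issue describes;
// the third is suppressed in source with #nosec.
const SAMPLE: GosecReport = {
  Issues: [
    { severity: 'LOW', confidence: 'HIGH', cwe: CWE22, rule_id: 'G304',
      details: 'Potential file inclusion via variable', file: 'main.go',
      code: 'os.ReadFile(path)', line: '42', column: '10', nosec: false, suppressions: null },
    { severity: 'MEDIUM', confidence: 'HIGH', cwe: CWE22, rule_id: 'G304',
      details: 'Potential file inclusion via variable', file: 'server.go',
      code: 'os.Open(name)', line: '17', column: '8', nosec: false, suppressions: null },
    { severity: 'MEDIUM', confidence: 'LOW', cwe: CWE22, rule_id: 'G304',
      details: 'Potential file inclusion via variable', file: 'loader.go',
      code: 'os.ReadFile(filepath.Clean(p)) // #nosec G304', line: '61', column: '12', nosec: true,
      suppressions: [{ kind: 'nosec', justification: 'path cleaned and confined to the data directory' }] },
  ],
};

// Finding-level mapping: confidence is recorded on each result, and a nosec
// or otherwise suppressed finding becomes a skipped result, not a failed one.
function toResult(issue: GosecIssue): HdfResult {
  const suppressed = issue.nosec || (issue.suppressions?.length ?? 0) > 0;
  const base = {
    code_desc: `${issue.file}:${issue.line}:${issue.column} (confidence: ${issue.confidence})`,
    message: issue.code,
  };
  if (suppressed) {
    const why = issue.suppressions?.map((s) => s.justification).filter(Boolean).join('; ') || 'nosec';
    return { status: 'skipped', ...base, skip_message: `Suppressed in source: ${why}` };
  }
  return { status: 'failed', ...base };
}

// One way the conflation arises: the severity of whichever result is seen
// first becomes the control's impact, so editing one result moves the whole
// control.
function firstResultImpact(issues: GosecIssue[]): number {
  return IMPACT[issues[0].severity];
}

// Control-level mapping: one control per rule id; impact comes from the
// highest severity reported for that rule, so a single outlier result cannot
// drag the control below what the rule itself warrants.
function toControls(report: GosecReport): HdfControl[] {
  const byRule = new Map<string, GosecIssue[]>();
  for (const issue of report.Issues) {
    const bucket = byRule.get(issue.rule_id) ?? [];
    bucket.push(issue);
    byRule.set(issue.rule_id, bucket);
  }
  return Array.from(byRule.entries()).map(([ruleId, issues]) => {
    const worst = issues.reduce((acc, i) => (IMPACT[i.severity] > IMPACT[acc.severity] ? i : acc));
    return {
      id: ruleId,
      title: `${ruleId}: ${worst.details}`,
      impact: IMPACT[worst.severity],
      tags: { cwe: worst.cwe.id, severity: worst.severity },
      results: issues.map(toResult),
    };
  });
}
```

On the constructed sample, `firstResultImpact` yields the edited LOW (0.3) for all of G304, while `toControls` keeps the control at MEDIUM (0.5) and still reports the per-result confidence and the `#nosec` suppression on the third result as a skipped result with its justification. Whether "highest severity wins" is the right rule, or whether severity should be looked up from the rule id alone, is exactly the design question the issue raises; the point of the split is that the choice is made once per control, not per result.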

@Amndeep7 Amndeep7 added the hdf-converters Issue related to the HDF Converters library label Jul 2, 2024

Amndeep7 commented Jul 2, 2024

This is a blocker for mitre/saf-training#155 since we extensively discuss this mapper in the course.
