Multiple dependencies on an in-reactor unresolvable artifact result in duplicated dependencies on aggregate scan #3944

Closed
aikebah opened this issue Jan 3, 2022 · 2 comments
aikebah commented Jan 3, 2022

Describe the bug
When running an aggregate scan on a multimodule project where multiple submodules depend on the same in-reactor module, multiple virtual dependencies are registered in the report.
Strangely enough, the number of virtual dependencies is one less than the number of dependencies for which a virtual dependency gets created.

```
[WARNING] The following dependencies could not be resolved at this point of the build but seem to be part of the reactor:
[WARNING] o org.owasp.test.aggregate.issue-3944:lib:jar:1.0.0-SNAPSHOT (compile)
[WARNING] Try running the build up to the lifecycle phase "package"
[WARNING] The following dependencies could not be resolved at this point of the build but seem to be part of the reactor:
[WARNING] o org.owasp.test.aggregate.issue-3944:lib:jar:1.0.0-SNAPSHOT (compile)
[WARNING] Try running the build up to the lifecycle phase "package"
[WARNING] The following dependencies could not be resolved at this point of the build but seem to be part of the reactor:
[WARNING] o org.owasp.test.aggregate.issue-3944:lib:jar:1.0.0-SNAPSHOT (compile)
[WARNING] Try running the build up to the lifecycle phase "package"
[WARNING] The following dependencies could not be resolved at this point of the build but seem to be part of the reactor:
[WARNING] o org.owasp.test.aggregate.issue-3944:lib:jar:1.0.0-SNAPSHOT (compile)
[WARNING] Try running the build up to the lifecycle phase "package"
[INFO] 
[INFO] --- dependency-check-maven:6.5.2:aggregate (default) @ parent ---
[INFO] Unable to resolve org.owasp.test.aggregate.issue-3944:lib:1.0.0-SNAPSHOT as it has not been built yet - creating a virtual dependency instead.
[INFO] Unable to resolve org.owasp.test.aggregate.issue-3944:lib:1.0.0-SNAPSHOT as it has not been built yet - creating a virtual dependency instead.
[INFO] Unable to resolve org.owasp.test.aggregate.issue-3944:lib:1.0.0-SNAPSHOT as it has not been built yet - creating a virtual dependency instead.
[INFO] Unable to resolve org.owasp.test.aggregate.issue-3944:lib:1.0.0-SNAPSHOT as it has not been built yet - creating a virtual dependency instead.
```

Resulted in a report with 3 (non-vulnerable) dependencies

| Dependency | Vulnerability IDs | Package | Highest Severity | CVE Count | Confidence | Evidence Count |
|---|---|---|---|---|---|---|
| org.owasp.test.aggregate.issue-3944:lib:1.0.0-SNAPSHOT | | pkg:maven/org.owasp.test.aggregate.issue-3944/lib@1.0.0-SNAPSHOT | | 0 | | 6 |
| org.owasp.test.aggregate.issue-3944:lib:1.0.0-SNAPSHOT | | pkg:maven/org.owasp.test.aggregate.issue-3944/lib@1.0.0-SNAPSHOT | | 0 | | 6 |
| org.owasp.test.aggregate.issue-3944:lib:1.0.0-SNAPSHOT | | pkg:maven/org.owasp.test.aggregate.issue-3944/lib@1.0.0-SNAPSHOT | | 0 | | 6 |

Version of dependency-check used
The problem occurs using versions 6.5.1 and 6.5.2 of the maven plugin (and likely older ones as well).

To Reproduce
Will be provided in a new it-test

Expected behavior
A single virtual dependency (or none; not quite sure what the expected behavior for the in-reactor dependencies is) listed in the aggregate report.

aikebah commented Jan 3, 2022

The 'one less than the number of dependencies' is due to the fact that the BundlingAnalyzer in the end bundles the first two virtual dependencies into one. The remaining duplicates get merged too, but stay in place, as the BundlingAnalyzer uses a HashSet to track the merged/bundled dependencies to remove, and all virtual dependencies have the same hashcode, so only a single duplicate is scheduled for removal, leaving n-1 duplicate virtual dependencies in place when n virtual dependencies have been created (for n>1).

aikebah commented Jan 3, 2022

And there is no sign of the bundling, because in the end the first virtual dependency gets removed from the list, leaving the duplicates in place.
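The two comments above describe the mechanism: equal-by-value virtual dependencies collapse to a single entry in the HashSet of dependencies to remove, and `List.remove(Object)` then drops only the first one. The Java sketch below is an added illustration, not dependency-check's own code; `VirtualDependency`, `bundle` and the four-submodule input are hypothetical stand-ins, and the identity-set variant is one illustrative remedy rather than the project's actual fix. With four virtual dependencies for `lib`, the HashSet run leaves three copies in the result while the identity-set run leaves one.

```java
import java.util.*;

public class VirtualDependencyBundling {
    // Stand-in for a virtual dependency: equals/hashCode derive from the coordinates alone,
    // so every virtual dependency created for the same in-reactor artifact is "equal".
    static final class VirtualDependency {
        final String coordinates;
        VirtualDependency(String coordinates) { this.coordinates = coordinates; }
        @Override public boolean equals(Object o) {
            return o instanceof VirtualDependency && ((VirtualDependency) o).coordinates.equals(coordinates);
        }
        @Override public int hashCode() { return Objects.hash(coordinates); }
    }

    // Simplified bundling pass: each later duplicate is merged into an earlier one and
    // scheduled for removal; the set passed in decides how many scheduled entries survive.
    static List<VirtualDependency> bundle(List<VirtualDependency> deps, Set<VirtualDependency> toRemove) {
        for (int i = 0; i < deps.size(); i++) {
            for (int j = i + 1; j < deps.size(); j++) {
                if (deps.get(i).equals(deps.get(j))) {
                    toRemove.add(deps.get(j));
                }
            }
        }
        List<VirtualDependency> result = new ArrayList<>(deps);
        // List.remove(Object) drops the first equal element (the first virtual dependency)
        // once per scheduled entry: one entry in a HashSet, n-1 entries in an identity set.
        for (VirtualDependency d : toRemove) {
            result.remove(d);
        }
        return result;
    }

    static long count(List<VirtualDependency> deps, String coordinates) {
        return deps.stream().filter(d -> d.coordinates.equals(coordinates)).count();
    }

    public static void main(String[] args) {
        String lib = "org.owasp.test.aggregate.issue-3944:lib:1.0.0-SNAPSHOT";
        List<VirtualDependency> deps = new ArrayList<>();
        for (int n = 0; n < 4; n++) deps.add(new VirtualDependency(lib)); // four submodules (constructed)
        deps.add(new VirtualDependency("com.example:other:1.0")); // constructed, unrelated entry
        List<VirtualDependency> buggy = bundle(deps, new HashSet<>());
        Set<VirtualDependency> identity = Collections.newSetFromMap(new IdentityHashMap<>());
        List<VirtualDependency> fixed = bundle(deps, identity);
        System.out.println("HashSet:  " + count(buggy, lib) + " copies of lib remain");
        System.out.println("Identity: " + count(fixed, lib) + " copies of lib remain");
    }
}
```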

jeremylong pushed a commit that referenced this issue Jan 17, 2022
Fixes #3944

While merging dependencies do not add a dependency identical to this to the related dependencies
Make the virtual dependencies stemming from the maven plugin register the project in which context it was found