feat: add --severity-src flag to customize vulnerability severity selection #8180

Open
knqyf263 opened this issue Dec 26, 2024 · 0 comments
Labels: kind/feature (Categorizes issue or PR as related to a new feature.)

Comments

@knqyf263 (Collaborator)

Description

Currently, Trivy automatically selects the "best" severity among multiple data sources (NVD, GHSA, etc.) based on its internal logic. While this works well for most cases, some users have specific needs for severity selection:

  • Some users prefer to prioritize NVD severities
  • Others might want to avoid GHSA severities if they consider them problematic
  • Different organizations might have different preferences for severity sources

To address these needs, I propose adding a new --severity-src flag that allows users to specify their preferred severity sources in order of priority.

Proposed Implementation

The flag would work as follows:

  1. Accept multiple values in comma-separated format or repeated flags
    Example: --severity-src nvd --severity-src ghsa

  2. Process severity sources in the specified order

    • If the first source has a severity, use it
    • If not, try the next source
    • If no sources have severity:
      • Return "unknown" as severity
      • Output a warning message: "No severity found in specified sources: [source1,source2]"
  3. Define current behavior as auto

  4. Allow fallback to auto mode
    Example: --severity-src nvd,auto

    • This would first check NVD, then fall back to the current automatic selection logic

Usage Examples

# Use NVD severity, fallback to GHSA
$ trivy image --severity-src nvd,ghsa myimage

# Use NVD severity, fallback to automatic selection
$ trivy image --severity-src nvd,auto myimage

# Use current automatic selection (default)
$ trivy image --severity-src auto alpine:latest

# Example of warning message when no severity found
$ trivy image --severity-src nvd,ghsa alpine:latest
WARN No severity found in specified sources: [nvd,ghsa]

Benefits

  • Provides flexibility for organizations with specific severity source preferences
  • Maintains backward compatibility with current behavior
@knqyf263 knqyf263 added the kind/feature Categorizes issue or PR as related to a new feature. label Dec 26, 2024
@knqyf263 knqyf263 added this to the v0.60.0 milestone Dec 26, 2024
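As an added illustration of the selection rules in the proposal above (repeated or comma-separated flag values, sources tried in order, "auto" as a fallback, UNKNOWN plus a warning when nothing matches), here is a small Go model of the flag. This is example code written for this page, not Trivy's implementation and not code from the issue author. The accepted source names, the per-source severity map on each finding, and the fixed preference order used to stand in for the current "auto" logic are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Severity is a normalized severity label as a scanner would report it.
type Severity string

// SeverityUnknown is returned when none of the requested sources carries a severity.
const SeverityUnknown Severity = "UNKNOWN"

// Vulnerability is a constructed stand-in for one finding: the severity each
// data source assigned to it, keyed by source name (e.g. "nvd", "ghsa").
type Vulnerability struct {
	ID         string
	Severities map[string]Severity
}

// knownSources lists the values the flag accepts. This set is an assumption
// for the example; "auto" denotes the existing automatic selection.
var knownSources = map[string]bool{
	"auto": true, "nvd": true, "ghsa": true, "redhat": true, "debian": true,
}

// autoPreference is a stand-in for the current automatic logic, approximated
// here as a fixed preference order (assumption, not Trivy's actual rules).
var autoPreference = []string{"redhat", "debian", "nvd", "ghsa"}

// ParseSeveritySources normalizes raw flag values. Both forms from the proposal
// are accepted: repeated flags (--severity-src nvd --severity-src ghsa) and a
// comma-separated list (--severity-src nvd,ghsa). Order is preserved, duplicates
// are dropped, unknown names are rejected, and no flag at all means "auto".
func ParseSeveritySources(flagValues []string) ([]string, error) {
	var sources []string
	seen := map[string]bool{}
	for _, value := range flagValues {
		for _, raw := range strings.Split(value, ",") {
			src := strings.ToLower(strings.TrimSpace(raw))
			if src == "" {
				continue
			}
			if !knownSources[src] {
				return nil, fmt.Errorf("unknown severity source %q", src)
			}
			if !seen[src] {
				seen[src] = true
				sources = append(sources, src)
			}
		}
	}
	if len(sources) == 0 {
		sources = []string{"auto"} // current behaviour is the default
	}
	return sources, nil
}

// autoSelect approximates the existing automatic selection: the first source in
// autoPreference that has a severity wins. Reports which source supplied it.
func autoSelect(v Vulnerability) (Severity, string, bool) {
	for _, src := range autoPreference {
		if sev, ok := v.Severities[src]; ok && sev != "" {
			return sev, src, true
		}
	}
	return "", "", false
}

// SelectSeverity walks the requested sources in order and returns the first
// severity found, the source that supplied it, and a warning string (empty on
// success). "auto" delegates to autoSelect and, if that finds nothing, the walk
// continues. When every source is exhausted the result is UNKNOWN plus the
// warning text proposed in the issue.
func SelectSeverity(v Vulnerability, sources []string) (Severity, string, string) {
	for _, src := range sources {
		if src == "auto" {
			if sev, from, ok := autoSelect(v); ok {
				return sev, from, ""
			}
			continue
		}
		if sev, ok := v.Severities[src]; ok && sev != "" {
			return sev, src, ""
		}
	}
	warning := fmt.Sprintf("No severity found in specified sources: [%s]", strings.Join(sources, ","))
	return SeverityUnknown, "", warning
}

func main() {
	// Constructed findings for the demo, not real advisory data.
	findings := []Vulnerability{
		{ID: "VULN-1", Severities: map[string]Severity{"nvd": "HIGH", "ghsa": "CRITICAL"}},
		{ID: "VULN-2", Severities: map[string]Severity{"ghsa": "CRITICAL"}},
		{ID: "VULN-3", Severities: map[string]Severity{"redhat": "MEDIUM"}},
	}
	for _, flags := range [][]string{{"nvd,ghsa"}, {"nvd", "auto"}} {
		sources, err := ParseSeveritySources(flags)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("--severity-src %s\n", strings.Join(sources, ","))
		for _, v := range findings {
			sev, from, warn := SelectSeverity(v, sources)
			if warn != "" {
				fmt.Println("  WARN", warn)
			}
			fmt.Printf("  %s -> %s (from %q)\n", v.ID, sev, from)
		}
	}
}
```

With `nvd,ghsa`, VULN-3 (which only has a Red Hat severity in this constructed data) drops to UNKNOWN with the warning, while `nvd,auto` lets the auto stand-in pick it up; that is the difference between the two fallback styles the proposal distinguishes.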