feat: add package type to vulnerability report and package_type and class to metrics

[chen-keinan]

Signed-off-by: chenk hen.keinan@gmail.com

Description

Add package type to vulnerability report also and package_type and class to metrics

Related issues

• Close Add package type in vulnerability report #541
• Close Differentiate between Base Image Vulnrabilities and Application Vulnrabilities #651

Checklist

• I've read the guidelines for contributing to this repository.
• I've added tests that prove my fix is effective or that my feature works.
• I've updated the documentation with the relevant information (if needed).
• I've added usage information (if the PR introduces new options)
• I've included a "before" and "after" example to the description (if the PR is a user interface change).

[borja-rivera]

Hello, this is not working. I've deployed trivy-operator v0.18.4 in gke v0.16.4. Vuln id metrics are enabled but the field "package_type" is always empty.

E.g. trivy_vulnerability_id{class="",container_name="productpage",fixed_version="4.13-3+deb10u1",image_digest="",image_registry="index.docker.io",image_repository="istio/examples-bookinfo-productpage-v1",image_tag="1.17.0",installed_version="4.13-3",last_modified_date="2023-11-07T03:40:00Z",name="replicaset-productpage",namespace="rate-limit",package_type="",pkg_path="",published_date="2022-10-24T14:15:00Z",resource="libtasn1-6",resource_kind="ReplicaSet",resource_name="productpage-v1-6bcbb44479",severity="Critical",vuln_id="CVE-2021-46848",vuln_score="9.1",vuln_title="Out-of-bound access in ETYPE_OK"}

Is there any other way to differentiate between OS and application vulnerabilities?

Thanks!