
feat: add SeveritySource to VulnerabilityReport#1135

Open
fabriziosestito wants to merge 1 commit into kubewarden:main from fabriziosestito:feat/add-severity-source

Conversation

@fabriziosestito
Collaborator

Description

Adds a new SeveritySource field on Vulnerability that identifies the vendor that produced the severity ("nvd", "ghsa", "redhat", "alpine", …).

The field is populated directly from the upstream scanner's per-finding source, currently passed through from Trivy.

Consumers should use this key to look up the matching entry in the cvss map and display that score alongside Severity. This mirrors the lookup pattern Trivy uses in its own SARIF reporter.
If there is no match, the consumer can fall back to default CVSS values, see:

https://github.com/aquasecurity/trivy/blob/v0.70.0/pkg/report/sarif.go#L447-L460

// severityToScore is Trivy's fallback in pkg/report/sarif.go: when no CVSS
// score is available it derives a nominal score from the severity label.
func severityToScore(severity string) string {
    switch severity {
    case "CRITICAL":
        return "9.5"
    case "HIGH":
        return "8.0"
    case "MEDIUM":
        return "5.5"
    case "LOW":
        return "2.0"
    default:
        return "0.0"
    }
}

Contributor

Copilot AI left a comment


Pull request overview

Adds severitySource to vulnerability reports so consumers can identify which upstream vendor produced the displayed severity and correlate it with the matching CVSS entry.

Changes:

  • Adds SeveritySource to the storage API, OpenAPI schema, CRD schemas, apply configuration, and CRD docs.
  • Populates SeveritySource from Trivy findings.
  • Updates tests and scanner output fixtures to include the new field.

Reviewed changes

Copilot reviewed 15 out of 17 changed files in this pull request and generated no comments.

Show a summary per file
File Description
api/storage/v1alpha1/vulnerabilityreport_types.go Adds the SeveritySource API field.
internal/handlers/trivyreport/trivy.go Maps Trivy’s severity source into reports.
internal/handlers/trivyreport/trivy_test.go Updates expected Trivy conversion output.
pkg/generated/applyconfiguration/storage/v1alpha1/vulnerability.go Adds generated apply configuration support.
pkg/generated/openapi/zz_generated.openapi.go Adds OpenAPI schema metadata.
test/crd/storage.sbomscanner.kubewarden.io_vulnerabilityreports.yaml Updates VulnerabilityReport CRD schema fixture.
test/crd/storage.sbomscanner.kubewarden.io_workloadscanreports.yaml Updates WorkloadScanReport CRD schema fixture.
docs/crds/CRD-docs-for-docs-repo.md Documents the new CRD field in Markdown.
docs/crds/CRD-docs-for-docs-repo.adoc Documents the new CRD field in AsciiDoc.
test/fixtures/golang-1.12-alpine-386.sbomscanner.json Updates expected scan fixture output.
test/fixtures/golang-1.12-alpine-amd64.sbomscanner.json Updates expected scan fixture output.
test/fixtures/golang-1.12-alpine-amd64.sbomscanner-vex.json Updates expected VEX scan fixture output.
test/fixtures/golang-1.12-alpine-arm-v6.sbomscanner.json Updates expected scan fixture output.
test/fixtures/golang-1.12-alpine-arm64-v8.sbomscanner.json Updates expected scan fixture output.
test/fixtures/golang-1.12-alpine-s390x.sbomscanner.json Updates expected scan fixture output.


@codecov

codecov Bot commented May 18, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 53.48%. Comparing base (a057f46) to head (dcb2c79).
⚠️ Report is 446 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1135      +/-   ##
==========================================
+ Coverage   53.35%   53.48%   +0.12%     
==========================================
  Files          61       61              
  Lines        5323     5329       +6     
==========================================
+ Hits         2840     2850      +10     
+ Misses       2084     2083       -1     
+ Partials      399      396       -3     
Flag Coverage Δ
unit-tests 53.48% <100.00%> (+0.12%) ⬆️


@fabriziosestito fabriziosestito moved this from Pending Review to Block in SBOMscanner May 18, 2026
@fabriziosestito
Collaborator Author

Blocked, waiting for feedback from @davideiori1

@davideiori1
Collaborator

davideiori1 commented May 26, 2026

@fabriziosestito I agree with the approach. The vendor's severity and CVSS score are always to be preferred over values that do not come from the vendor itself. However, the same principle also applies when the vendor does not publish a CVSS score and only the severity is available: it is better to show an N/A score than a made-up value, and stick to the severity provided by the vendor.
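The lookup described in the PR description (use SeveritySource as the key into the cvss map, fall back only when there is no match) and the point raised in the comment above (prefer "N/A" to a fabricated score when the vendor published none) are shown together in the following Go snippet. This is an added example, not code from the PR or from the sbomscanner project: the Vulnerability and CVSS types, the ScorePolicy switch and the DisplayScore function are assumptions made for illustration, and the findings in SampleFindings are constructed inputs rather than real scanner output.

```go
package main

import (
	"fmt"
	"strings"
)

// CVSS is a simplified stand-in for the per-vendor score block that a
// scanner attaches to a finding (hypothetical type for this example).
type CVSS struct {
	V3Vector string
	V3Score  float64
	V2Score  float64
}

// Vulnerability is a simplified stand-in for a report entry. The field
// names Severity, SeveritySource and CVSS follow the PR text, but the
// type itself is an assumption, not the project's API.
type Vulnerability struct {
	ID             string
	Severity       string
	SeveritySource string          // vendor that produced Severity: "nvd", "ghsa", "alpine", ...
	CVSS           map[string]CVSS // per-vendor scores, keyed by the same vendor ids
}

// ScorePolicy decides what to show when the vendor that produced
// Severity published no CVSS score for the finding.
type ScorePolicy int

const (
	ShowNA          ScorePolicy = iota // show "N/A" and keep the vendor's severity
	SeverityDefault                    // substitute the SARIF-style fallback score
)

// severityToScore is the fallback mapping from Trivy's SARIF reporter.
func severityToScore(severity string) string {
	switch strings.ToUpper(severity) {
	case "CRITICAL":
		return "9.5"
	case "HIGH":
		return "8.0"
	case "MEDIUM":
		return "5.5"
	case "LOW":
		return "2.0"
	default:
		return "0.0"
	}
}

// DisplayScore returns the score string to print beside Severity and
// whether that score came from the same vendor that set the severity.
// Only the entry keyed by SeveritySource is consulted: a score from a
// different vendor (e.g. NVD) is never shown next to an Alpine severity.
func DisplayScore(v Vulnerability, p ScorePolicy) (string, bool) {
	if c, ok := v.CVSS[v.SeveritySource]; ok && v.SeveritySource != "" {
		if c.V3Score > 0 {
			return fmt.Sprintf("%.1f", c.V3Score), true
		}
		if c.V2Score > 0 {
			return fmt.Sprintf("%.1f", c.V2Score), true
		}
	}
	if p == SeverityDefault {
		return severityToScore(v.Severity), false
	}
	return "N/A", false
}

// SampleFindings returns constructed inputs covering the three cases:
// vendor score present, vendor severity without a vendor score, no source.
func SampleFindings() []Vulnerability {
	return []Vulnerability{
		{ID: "FINDING-1", Severity: "HIGH", SeveritySource: "nvd",
			CVSS: map[string]CVSS{"nvd": {V3Vector: "constructed", V3Score: 7.5}}},
		// alpine set the severity, but only NVD published a score
		{ID: "FINDING-2", Severity: "HIGH", SeveritySource: "alpine",
			CVSS: map[string]CVSS{"nvd": {V3Score: 9.8}}},
		// no source recorded at all, only a severity label
		{ID: "FINDING-3", Severity: "LOW", SeveritySource: ""},
	}
}

func main() {
	for _, v := range SampleFindings() {
		score, fromVendor := DisplayScore(v, ShowNA)
		fmt.Printf("%s severity=%s source=%q score=%s fromVendor=%v\n",
			v.ID, v.Severity, v.SeveritySource, score, fromVendor)
	}
}
```

With ShowNA the second finding prints "N/A" even though an NVD 9.8 is sitting in the map, which is the behaviour the comment above argues for; switching to SeverityDefault reproduces the SARIF-style "8.0" instead. The returned boolean lets a consumer mark substituted scores differently in the UI.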

@fabriziosestito fabriziosestito moved this from Block to Pending Review in SBOMscanner May 27, 2026
Signed-off-by: Fabrizio Sestito <fabrizio.sestito@suse.com>
@fabriziosestito fabriziosestito force-pushed the feat/add-severity-source branch from 46421b0 to dcb2c79 Compare May 27, 2026 11:03

Projects

Status: Pending Review

3 participants