feat: support multiple DB repositories for vulnerability and Java DB #7603

Closed
knqyf263 opened this issue Sep 26, 2024 · 0 comments · Fixed by #7605

@knqyf263

Background

Currently, the vulnerability database repository is controlled by the --db-repository flag, with the default value set to ghcr.io/aquasecurity/trivy:2. Due to recent instability issues with GHCR, we have published an identical DB to ECR Public. We need to update Trivy to support multiple repository options to improve reliability and provide alternatives.

Proposed Changes

  1. Modify the --db-repository flag to accept multiple values:

    • Change from --db-repository string to --db-repository strings
    • Trivy should try repositories one by one until successful
    • Set default values to include both GHCR and ECR Public repositories
  2. Apply the same changes to the Java DB configuration

  3. Ensure backward compatibility:

    • The flag should still accept a single value to avoid impacting existing users

Out of Scope

  • Changes to the checks bundle are not included in this issue, as it contains embedded checks. The necessity for similar modifications will be discussed separately.
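
The ordered fallback proposed above ("try repositories one by one until successful", with a single value still accepted) can be sketched as follows. This is an added example, not Trivy's code and not part of the original issue: `parseRepositories`, `downloadWithFallback` and the `fetch` callback are hypothetical names, comma-separated input is an assumption, and the second repository is a placeholder.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// parseRepositories splits a flag value into an ordered repository list.
// Comma separation is an assumption of this sketch; a single value yields one entry.
func parseRepositories(value string) []string {
	var repos []string
	for _, r := range strings.Split(value, ",") {
		if r = strings.TrimSpace(r); r != "" {
			repos = append(repos, r)
		}
	}
	return repos
}

// downloadWithFallback tries each repository in order and stops at the first
// success. It returns the repository that served the DB, or every failure joined.
func downloadWithFallback(repos []string, fetch func(repo string) error) (string, error) {
	if len(repos) == 0 {
		return "", errors.New("no DB repository configured")
	}
	var errs []error
	for _, repo := range repos {
		if err := fetch(repo); err != nil {
			errs = append(errs, fmt.Errorf("%s: %w", repo, err))
			continue
		}
		return repo, nil
	}
	return "", fmt.Errorf("all DB repositories failed: %w", errors.Join(errs...))
}

func main() {
	// Constructed input: the first entry is the default named in the issue,
	// the second is a placeholder, not the real ECR Public location.
	repos := parseRepositories("ghcr.io/aquasecurity/trivy:2, registry.example/placeholder/trivy-db:2")
	// Hypothetical fetcher that simulates the primary registry being unavailable.
	fetch := func(repo string) error {
		if strings.HasPrefix(repo, "ghcr.io/") {
			return errors.New("simulated 503 from registry")
		}
		return nil
	}
	used, err := downloadWithFallback(repos, fetch)
	fmt.Println(used, err)
}
```

Returning the repository that actually served the download lets the caller log which source the database came from, and the joined error keeps every per-repository failure visible when all of them fail.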