Add more detailed vulnerability status on unfixed vulnerabilities

[knqyf263]

Description

Currently, Trivy has only two statuses for vulnerabilities: "fixed" and "unfixed". While these labels provide a basic understanding of the vulnerability status, they do not provide sufficient detail for users to understand the current state of a given vulnerability, especially when dealing with unfixed vulnerabilities.

A more detailed status system could provide much-needed context and guidance for users. As an example, Red Hat has implemented a system of vulnerability status attributes that includes:

• "Affected": the package is affected by the flaw on this platform
• "Not affected": the package, which ships on this platform, is not affected by the flaw
• "Fix deferred": the package is affected by the flaw on this platform, and may be fixed in the future
• "Under investigation": it is currently unknown whether the flaw affects the package on this platform, and is under investigation
• "Will not fix": the package is affected by the flaw on this platform, but there is no current intention to fix it (primarily for flaws that are of Low or Moderate impact that pose no significant risk to customers)​1​

These statuses also comply with the VEX spec.

Incorporating these statuses into Trivy would allow users to better understand the state of a given vulnerability, reducing the need for them to search through comments and other metadata.

Implementation Details

I'd suggest implementing the following items.

Add a status field to each vulnerability in the JSON format:

We should add a Status field to the JSON format for each vulnerability. This field will carry one of the following values: "affected", "not_affected", "will_not_fix", etc.

Add a Status column to the table format:

For those users who prefer to view the data in a table format, we should add a Status column. This column will display the status of each vulnerability, providing a quick and easy way for users to get the information they need.

Add a --status flag for status filtering

To make it easier for users to see needed vulnerabilities, we should add a --status flag that allows users to filter vulnerabilities based on their status. For example, a user could use --status fixed,affected to only display vulnerabilities that are fixed or affected. It is specifically useful to filter out "will_not_fix" vulnerabilities as they are usually negligible.

Make --ignore-unfixed an alias for --status fixed

For backward compatibility and ease of use, we keep the "--ignore-unfixed" flag, but make it an alias for --status fixed.This will ensure that users who are familiar with the old command can continue to use it as they always have.

[knqyf263]

After discussing, we concluded --ignore-status is better.