Update trivy worflow

[yunchu]

Summary

How to test

Checklist

• I have added unit tests to cover my changes.​
• I have added integration tests to cover my changes.​
• I have ran e2e tests and there is no issues.
• I have added the description of my changes into CHANGELOG in my target branch (e.g., CHANGELOG in develop).​
• I have updated the documentation in my target branch accordingly (e.g., documentation in develop).
• I have linked related issues.

License

• I submit my code changes under the same Apache License that covers the project.
  Feel free to contact the maintainers if that's a concern.
• I have updated the license header for each file (see an example below).

# Copyright (C) 2024 Intel Corporation
# SPDX-License-Identifier: Apache-2.0

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 80.72%. Comparing base (467208a) to head (fecea92).

Additional details and impacted files

@@               Coverage Diff               @@
##           releases/1.6.0    #3416   +/-   ##
===============================================
  Coverage           80.71%   80.72%           
===============================================
  Files                 536      536           
  Lines               40500    40500           
===============================================
+ Hits                32691    32692    +1     
+ Misses               7809     7808    -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[eunwoosh]

Is the reason why executing trivy twice to execute it with different trivy config?

[yunchu]

Is the reason why executing trivy twice to execute it with different trivy config?

we need to have vulnerability scanning results from the dependencies as well as spdx.json formatted dependencies list but trivy cannot generate them at the same time. that's the reason why we need to run it twice. :)