Update trivy to 0.43.1 and add CS_TRIVY_JAVA_DB variable

What does this MR do?

Allow users to specify a java database which trivy can use to scan java projects so that users can use container scanning in offline networks.

This MR bumps the version of trivy supported and adds functionality to get the value of CS_TRIVY_JAVA_DB environment variable and pass it to trivy.

Testing

A test job was added to test how the analyzer passes the environment variable to trivy: https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning/-/blob/d37b55298c138a939e689504f0f6544097caef3a/.gitlab/ci/integration-test.yml#L117-157

• With the variable set:
  • trivy: https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning/-/jobs/5304048092#L4370
  • trivy fips: https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning/-/jobs/5304048093#L4370
• With the variable not set:
  • trivy: https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning/-/jobs/5304048095#L4343
  • trivy fips: https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning/-/jobs/5304048096#L4343

What are the relevant issue numbers?

Add workaround in Container Scanning to allow u... (gitlab-org/gitlab#404587 - closed)

Does this MR meet the acceptance criteria?

• Changelog trailer added
• Documentation created/updated for GitLab EE, if necessary
• Documentation created/updated for this project, if necessary
• Documentation reviewed by technical writer or follow-up review issue created
• Tests added for this feature/bug
• Job definition updated, if necessary
  • Auto-DevOps template
  • Job definition example
  • CI Templates
• Conforms to the code review guidelines
• Conforms to the Go guidelines
• Security reports checked/validated by reviewer