CVSS v3.0 and v3.1 #76

@anderruiz

Description

Let's start by saying that if any of my assumptions is wrong, this issue is not relevant.

As far as I know, CVSS vectors of version 3.0 and 3.1 are identical, at least in the definition of the vector. However, the library is splitting them based on the lack of environmental metrics in the vector. If I'm not wrong, a CVSS 3.0 vector could have environmental metrics, or a CVSS 3.1 vector could have only the base vector.

The effect in the library is that if we try to serialize the vector, we will get a definition that starts with CVSS:3.0 or CVSS:3.1 depending on the environmental metrics, which I think is wrong. Wouldn't it be more natural to have:

  • A single CVSS3 class
  • That keeps the original specification and dumps it in the getVector() method accordingly
  • That runs one algorithm or the other in calculateScore() depending on the presence or absence of environmental metrics

If it makes sense, I could even try to create a PR based on that if needed.
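The design sketched above, as an added example that is not part of the issue or of the library it was filed against: a single class that remembers the `CVSS:3.0` / `CVSS:3.1` prefix it was parsed with, serialises it back unchanged, and chooses the v3.0 or v3.1 scoring rules by that version rather than by whether environmental metrics happen to be present. Metric names, weights and formulas are taken from the public CVSS v3.0 and v3.1 specifications; the class and method names (`Cvss3`, `vector()`, `calculate_score()`), the `roundup` helper and the sample vectors are this example's own choices. The test vectors at the bottom are constructed so that the two versions give different environmental scores (6.8 under v3.0 rules, 6.9 under v3.1 rules), which is exactly the case the issue describes: the same metrics, scored differently only because of the version prefix.

```python
"""Added example (not the library's code): one CVSS3 class that keeps the
version it was parsed with and picks the scoring rules by that version."""
import math
import re

# Metric weights from the CVSS v3.0/v3.1 specifications (identical in both).
WEIGHTS = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
    "AC": {"L": 0.77, "H": 0.44},
    "PR_U": {"N": 0.85, "L": 0.62, "H": 0.27},  # Privileges Required, scope unchanged
    "PR_C": {"N": 0.85, "L": 0.68, "H": 0.5},   # Privileges Required, scope changed
    "UI": {"N": 0.85, "R": 0.62},
    "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},
    "REQ": {"H": 1.5, "M": 1.0, "L": 0.5, "X": 1.0},  # CR / IR / AR
    "E": {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91},
    "RL": {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95},
    "RC": {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92},
}
BASE = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")
TEMPORAL = ("E", "RL", "RC")
ENVIRONMENTAL = ("CR", "IR", "AR", "MAV", "MAC", "MPR", "MUI", "MS", "MC", "MI", "MA")


def roundup(x, version):
    """Round-up as each spec defines it.  v3.0: ceiling to one decimal.
    v3.1: round to five decimals first so float noise such as 4.0000000001
    cannot bump a score to the next tenth."""
    if version == "3.0":
        return math.ceil(x * 10) / 10
    int_input = round(x * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


class Cvss3:
    def __init__(self, vector):
        m = re.fullmatch(r"CVSS:(3\.[01])/(.+)", vector)
        if not m:
            raise ValueError("not a CVSS v3.x vector: " + vector)
        self.version = m.group(1)  # remembered from the input, never inferred
        self.metrics = {}
        for part in m.group(2).split("/"):
            key, sep, val = part.partition(":")
            if not sep or key in self.metrics or key not in BASE + TEMPORAL + ENVIRONMENTAL:
                raise ValueError("bad or duplicate metric: " + part)
            self.metrics[key] = val
        missing = [k for k in BASE if k not in self.metrics]
        if missing:
            raise ValueError("missing base metrics: " + ",".join(missing))

    def has_environmental(self):
        return any(k in self.metrics for k in ENVIRONMENTAL)

    def vector(self):
        """Serialise with the same prefix the vector came in with."""
        body = "/".join("%s:%s" % (k, self.metrics[k])
                        for k in BASE + TEMPORAL + ENVIRONMENTAL if k in self.metrics)
        return "CVSS:%s/%s" % (self.version, body)

    def _effective(self, key):
        """Base metric after applying its Modified (M*) counterpart, if set."""
        mod = self.metrics.get("M" + key, "X")
        return self.metrics[key] if mod == "X" else mod

    def _compute(self, modified):
        get = self._effective if modified else self.metrics.__getitem__
        scope = get("S")
        pr = WEIGHTS["PR_C" if scope == "C" else "PR_U"][get("PR")]
        exploitability = (8.22 * WEIGHTS["AV"][get("AV")] * WEIGHTS["AC"][get("AC")]
                          * pr * WEIGHTS["UI"][get("UI")])
        iss = 1.0
        for cia, req in zip(("C", "I", "A"), ("CR", "IR", "AR")):
            weight = WEIGHTS["REQ"][self.metrics.get(req, "X")] if modified else 1.0
            iss *= 1 - weight * WEIGHTS["CIA"][get(cia)]
        iss = min(1 - iss, 0.915) if modified else 1 - iss  # MISS is capped at 0.915
        if scope == "U":
            impact = 6.42 * iss
        elif modified and self.version == "3.1":
            # v3.1 changed the modified-impact curve for changed scope ...
            impact = 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13
        else:
            # ... v3.0 (and the base score in both versions) uses this one.
            impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
        if impact <= 0:
            return 0.0
        raw = (impact + exploitability) * (1.08 if scope == "C" else 1.0)
        score = roundup(min(raw, 10), self.version)
        if modified:
            temporal = 1.0
            for k in TEMPORAL:
                temporal *= WEIGHTS[k][self.metrics.get(k, "X")]
            score = roundup(score * temporal, self.version)
        return score

    def base_score(self):
        return self._compute(modified=False)

    def environmental_score(self):
        return self._compute(modified=True)

    def calculate_score(self):
        """Pick the algorithm by metric presence; the version stays what it was.
        (Temporal-only vectors are scored as base here, for brevity.)"""
        return self.environmental_score() if self.has_environmental() else self.base_score()


if __name__ == "__main__":
    # Constructed sample vectors: identical metrics, different version prefix.
    for v in ("CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H/CR:H/IR:H/AR:H",
              "CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H/CR:H/IR:H/AR:H"):
        c = Cvss3(v)
        print(c.vector(), c.base_score(), c.calculate_score())
```

The two places where the versions actually diverge are both inside `_compute`: the round-up helper and the modified-impact formula for changed scope. Neither depends on whether environmental metrics are present, which is why inferring the version from their presence produces both a wrong prefix on serialisation and, for vectors like the sample ones, a wrong environmental score.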
