Fix CVSSv3.1 calculator

[domwhewell-sage]

Closes #536
This PR takes the minimum CVSSv3.1 score out of the three: baseMetricScore, temporalMetricScore and environmentalMetricScore and adds it to the badge and field

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 91.85%. Comparing base (c986bb5) to head (d2ff379).
Report is 28 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #537   +/-   ##
=======================================
  Coverage   91.85%   91.85%           
=======================================
  Files         320      320           
  Lines       18577    18579    +2     
=======================================
+ Hits        17064    17066    +2     
  Misses       1513     1513           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[ColonelThirtyTwo]

I don't think taking the minimum score is a good thing to do here.

For CVSSv3.1, the temporal and environmental scores are separate "sub-scores". While we don't have an actual field in GW for the subscores and just use the base score, there's no guidelines I can see in the CVSS specification on merging the base and subscores into an overall score, and I feel that simply taking the lowest value will undervalue vulnerabilities.

I'd like @chrismaddalena 's input though.

[chrismaddalena]

I agree. The v3.1 Temporal and Environmental scores are separate and don't necessarily impact the Base score. Using the minimum score of the three would work for some use cases but be considered incorrect or a bug for others. Defaulting to using the minimum undercuts to the value the calculator can offer. I like the idea of offering all three scores for reporting. We can start by showing the scores. I'm not sure about the best approach to tracking them for later use.

[domwhewell-sage]

Hmm what do you think of the field getting completed with the environmental score only if those metrics are defined (same goes for temporal)?

I've copied this from #345

var score = output.environmentalMetricScore != undefined ? output.environmentalMetricScore : output.baseMetricScore;

[chrismaddalena]

That could work for setting the CVSS score on the fprm. For displaying the scores, I'm working on something like this.

[domwhewell-sage]

I see what you mean, well I've changed this PR to set the form value to the environmental / temporal score depending on if those metrics are defined.
But feel free to close if your changes superseed this

[felix-caboff]

Appreciate I am not adding much but I like this. 👍