support cvss 4.0 #1970
Comments
Hey @tomersein, are you asking to make sure that if CVSS 4 information is present in records, Grype DB includes this?
Developer note: Look at this library for parsing CVSS: https://github.com/pandatix/go-cvss
yes correct, just want to make sure grype \ vunnel gets and displays this information :)
@wagoodman @kzantow does it make sense to try to do this as part of schema v6? EDIT: we discussed this offline, and this can be done before or after grype db v6, but will require figuring out which providers over in anchore/vunnel can provide cvss v4 data, and wiring it through vunnel and grype-db and adding it to the appropriate structs in grype so that it gets displayed.
I think I'm starting to see this showing up more — e.g. for https://nvd.nist.gov/vuln/detail/CVE-2024-9287, the CNA (the PSF in this case) has marked this as "medium". But in Grype's DB, this record shows its severity as "unknown". I'm guessing that's because there's no non-CVSSv4 data available from NVD? So the net effect is slightly confusing to users who are cross-checking the upstream vuln data source.
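An added illustration of the effect guessed at in the comment above (not Grype, grype-db or vunnel code, and not posted by anyone in this thread): a severity lookup that only consults CVSS v3.x metrics reports "unknown" for a record whose only score is CVSS v4.0, and reports a rating once the v4.0 metric family is consulted too. The map keys follow the NVD API 2.0 `metrics` object; `Severity`, `rating`, the precedence order and the sample record with its score are constructed assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// metric models only the part of an NVD API 2.0 metric entry used here.
type metric struct {
	CvssData struct {
		BaseScore float64 `json:"baseScore"`
	} `json:"cvssData"`
}

// Constructed sample: the only score present is a CVSS v4.0 metric.
const sampleV4Only = `{"metrics":{"cvssMetricV40":[{"cvssData":{"version":"4.0","baseScore":5.3}}]}}`

// rating applies the qualitative scale shared by CVSS v3.x and v4.0.
func rating(score float64) string {
	names := []string{"critical", "high", "medium", "low"}
	for i, floor := range []float64{9.0, 7.0, 4.0, 0.1} {
		if score >= floor {
			return names[i]
		}
	}
	return "none"
}

// Severity rates the first metric family in order that has data, else "unknown".
func Severity(raw string, order []string) (string, error) {
	var r struct{ Metrics map[string][]metric }
	if err := json.Unmarshal([]byte(raw), &r); err != nil {
		return "", err
	}
	for _, key := range order {
		if ms := r.Metrics[key]; len(ms) > 0 {
			return rating(ms[0].CvssData.BaseScore), nil
		}
	}
	return "unknown", nil
}

func main() {
	v3 := []string{"cvssMetricV31", "cvssMetricV30"}
	fmt.Println(Severity(sampleV4Only, v3))
	fmt.Println(Severity(sampleV4Only, append([]string{"cvssMetricV40"}, v3...)))
}
```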
What would you like to be added:
hello!
NVD announced they support cvss 4.0
will grype support it?
https://nvd.nist.gov/general/news/cvss-v4-0-official-support
thanks!
Why is this needed:
be updated to the newest cvss
Additional context: