If we only care about the latest version of the CVSS score for each CVE, why would we bother storing earlier scores in the database? I'd think that we would just look for a 3.1 score; if it's there, we store it and move on. If there is no 3.1 score, we check for a 3.0 score, and so on.
I just spoke to @climber-girl about this and she confirmed that they don't have any use case that would require storing more than one version of the CVSS score in our DB.
Summary
As available in the NVD, CyHy requests we pull and store data for CVSS including versions 2.0, 3.0, and 3.1 base scores for all CVEs. For CVSSv3+, the NVD currently populates this data for newly added vulnerabilities. CyHy requests that we pull the data from their feeds to store all of the version base scores in the cves collection of the database and use the most recent version available for determining the severity rating in terms of critical/high/med/low.
Motivation and context
This change is required to support Modify CyHy VS to include CVSSv3+ and VPR scoring #59
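The selection order discussed in this issue (3.1, then 3.0, then 2.0, keeping only the newest score), as an added example that is not code from the CyHy project. It assumes each record carries an `impact` block laid out like the NVD JSON 1.1 data feeds; the output field names and the sample records are constructed for illustration, and the severity bands are the NVD's published ranges for each CVSS version.

```python
# Added example, not project code. Input layout is an assumption modeled on
# the "impact" block of the NVD JSON 1.1 feeds; output keys are hypothetical.
PREFERENCE = ("3.1", "3.0", "2.0")  # newest CVSS version first

def extract_scores(impact):
    """Return {version: base_score} for every CVSS block present in a record."""
    scores = {}
    for metric_key, cvss_key in (("baseMetricV3", "cvssV3"),
                                 ("baseMetricV2", "cvssV2")):
        cvss = impact.get(metric_key, {}).get(cvss_key) or {}
        version = cvss.get("version")
        if version in PREFERENCE and "baseScore" in cvss:
            scores[version] = float(cvss["baseScore"])
    return scores

def severity(version, score):
    """Map a base score to a rating using the NVD ranges for that version."""
    if version.startswith("3"):
        if score == 0.0:
            return "None"
        bands = ((4.0, "Low"), (7.0, "Medium"), (9.0, "High"))
        top = "Critical"
    else:  # CVSS v2 has no Critical band
        bands = ((4.0, "Low"), (7.0, "Medium"))
        top = "High"
    for upper, label in bands:
        if score < upper:
            return label
    return top

def select_cvss(impact):
    """Pick the newest available CVSS version; None if the CVE is unscored."""
    scores = extract_scores(impact)
    for version in PREFERENCE:
        if version in scores:
            score = scores[version]
            return {"cvss_version": version, "cvss_score": score,
                    "severity": severity(version, score)}
    return None

# Constructed sample records (placeholder CVE ids, not real entries).
SAMPLES = {
    "CVE-0000-0001": {"baseMetricV3": {"cvssV3": {"version": "3.1", "baseScore": 9.8}},
                      "baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 7.5}}},
    "CVE-0000-0002": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 7.5}}},
    "CVE-0000-0003": {"baseMetricV3": {"cvssV3": {"version": "3.0", "baseScore": 5.3}},
                      "baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 5.0}}},
    "CVE-0000-0004": {},  # no score published yet
}
```

A CVE with no CVSS block at all returns `None`, so the caller has to decide how an unscored CVE is stored rather than defaulting it to a rating.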