
feat: CVSS v4.0 support and replace cvss implementation to comply with the specifications #651

Merged (1 commit), Nov 30, 2023

Conversation

pandatix
Contributor

@pandatix pandatix commented Nov 10, 2023

Why this PR

CVSS v4.0 was released recently, and OSV will most probably add support for it (the first CVSS v4.0 vector known to the FIRST.ORG SIG CVSS has been published by Palo Alto Networks for CVE-2023-3282).

As a FIRST.ORG SIG CVSS member and Go CVSS implementation maintainer, I'm looking forward to improving its adoption and understanding in the open-source ecosystem.
Moreover, there are issues with the currently used CVSS implementation, such as invalid scoring computation, and CVSS v4.0 is currently not planned for support.

What it brings

With the current PR, I provide multiple direct improvements:

  • proper CVSS v2.0 scoring computation (only affects the environmental score computation, but this has been an unresolved issue for months)
  • support for CVSS v4.0 in the OSV schema
  • performance improvements according to benchmarks

Given ossf/osv-schema#166 the CVSS v4.0 key will most likely be CVSS_V4 to align with the previous CVSS versions support.

Is it breaking?

For the code, no, but for the Go version, yes 🎉
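The first bullet above concerns the CVSS v2.0 environmental equation, which is where implementations most often diverge from the specification: the guide replaces the Impact term with an AdjustedImpact term capped at 10, re-runs the base and temporal equations with it, and rounds to one decimal at each step. The following is an added, stand-alone example written for this page in Go, the project's language; it is not the code this PR introduces, nor osv-scanner's code, nor the go-cvss library. The metric weights and equations are those published in the CVSS v2.0 guide; the function names (`ParseV2`, `ScoreV2`, `ScoreVector`) and the epsilon in `round1` are this example's own choices. The vector in `main` is the one for CVE-2002-0392 that the v2.0 guide walks through as its worked example.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"strings"
)

// Metric weights from the CVSS v2.0 guide ("A Complete Guide to the Common
// Vulnerability Scoring System Version 2.0"). "ND" (not defined) entries are
// the defaults applied when a temporal/environmental metric is absent.
var v2Weights = map[string]map[string]float64{
	"AV":  {"L": 0.395, "A": 0.646, "N": 1.0},
	"AC":  {"H": 0.35, "M": 0.61, "L": 0.71},
	"Au":  {"M": 0.45, "S": 0.56, "N": 0.704},
	"C":   {"N": 0.0, "P": 0.275, "C": 0.660},
	"I":   {"N": 0.0, "P": 0.275, "C": 0.660},
	"A":   {"N": 0.0, "P": 0.275, "C": 0.660},
	"E":   {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},
	"RL":  {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0},
	"RC":  {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0},
	"CDP": {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0},
	"TD":  {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0},
	"CR":  {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
	"IR":  {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
	"AR":  {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
}

var v2Base = []string{"AV", "AC", "Au", "C", "I", "A"} // mandatory metrics

// Scores holds the three CVSS v2.0 scores of one vector.
type Scores struct{ Base, Temporal, Environmental float64 }

// ParseV2 parses a v2.0 vector such as "AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F".
// Unknown metrics, invalid values, duplicates and missing base metrics are errors.
func ParseV2(vector string) (map[string]float64, error) {
	m := map[string]float64{}
	for name, vals := range v2Weights {
		if nd, ok := vals["ND"]; ok {
			m[name] = nd
		}
	}
	seen := map[string]bool{}
	for _, part := range strings.Split(vector, "/") {
		kv := strings.SplitN(part, ":", 2)
		if len(kv) != 2 {
			return nil, fmt.Errorf("malformed metric %q", part)
		}
		vals, ok := v2Weights[kv[0]]
		if !ok {
			return nil, fmt.Errorf("unknown metric %q", kv[0])
		}
		w, ok := vals[kv[1]]
		if !ok {
			return nil, fmt.Errorf("invalid value %q for metric %s", kv[1], kv[0])
		}
		if seen[kv[0]] {
			return nil, fmt.Errorf("duplicate metric %s", kv[0])
		}
		seen[kv[0]] = true
		m[kv[0]] = w
	}
	for _, name := range v2Base {
		if !seen[name] {
			return nil, errors.New("missing base metric " + name)
		}
	}
	return m, nil
}

// round1 is the guide's round_to_1_decimal (half away from zero). The epsilon
// (this example's choice) absorbs binary representation error: 9.15 is stored
// as 9.1499999..., which would otherwise round down and give a score 0.1 too low.
func round1(x float64) float64 { return math.Round(x*10+1e-9) / 10 }

// fImpact is the guide's f(Impact): 0 when there is no impact, else 1.176.
func fImpact(impact float64) float64 {
	if impact == 0 {
		return 0
	}
	return 1.176
}

func baseFromImpact(impact, exploitability float64) float64 {
	return round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * fImpact(impact))
}

// ScoreV2 evaluates the base, temporal and environmental equations. The
// environmental score re-runs the base and temporal equations with AdjustedImpact
// (capped at 10) in place of Impact, keeping each intermediate rounding.
func ScoreV2(m map[string]float64) Scores {
	impact := 10.41 * (1 - (1-m["C"])*(1-m["I"])*(1-m["A"]))
	exploitability := 20 * m["AV"] * m["AC"] * m["Au"]
	base := baseFromImpact(impact, exploitability)
	temporal := round1(base * m["E"] * m["RL"] * m["RC"])

	adjImpact := math.Min(10, 10.41*(1-(1-m["C"]*m["CR"])*(1-m["I"]*m["IR"])*(1-m["A"]*m["AR"])))
	adjTemporal := round1(baseFromImpact(adjImpact, exploitability) * m["E"] * m["RL"] * m["RC"])
	env := round1((adjTemporal + (10-adjTemporal)*m["CDP"]) * m["TD"])
	return Scores{base, temporal, env}
}

// ScoreVector parses and scores a vector in one call.
func ScoreVector(vector string) (Scores, error) {
	m, err := ParseV2(vector)
	if err != nil {
		return Scores{}, err
	}
	return ScoreV2(m), nil
}

func main() {
	// CVE-2002-0392 (Apache chunked encoding), the worked example of the v2.0 guide.
	s, err := ScoreVector("AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C/CDP:H/TD:H/CR:M/IR:M/AR:H")
	if err != nil {
		panic(err)
	}
	fmt.Printf("base=%.1f temporal=%.1f environmental=%.1f\n", s.Base, s.Temporal, s.Environmental)
}
```

For that vector the adjusted impact is 10.41 * (1 - (1 - 0.66 * 1.51)) = 10.37, capped to 10, which lifts the adjusted base to 10.0 and the adjusted temporal to 8.3 before CDP and TD are applied; dropping the cap or any of the intermediate roundings changes the final digit, which is the kind of drift an implementation gets compared against the reference calculator on.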

@pandatix pandatix changed the title feat: replace cvss implementation to comply with the specifications feat: prepare CVSS v4.0 support and replace cvss implementation to comply with the specifications Nov 10, 2023
@oliverchang
Collaborator

Thank you for the contribution! Adding @another-rex to review.

@pandatix pandatix changed the title feat: prepare CVSS v4.0 support and replace cvss implementation to comply with the specifications feat: CVSS v4.0 support and replace cvss implementation to comply with the specifications Nov 13, 2023
@pandatix pandatix marked this pull request as ready for review November 13, 2023 07:34
@another-rex
Collaborator

Thanks, this looks very good!

Can you clarify why 1.21 is required? I still seem to be able to successfully build with go1.20.

Though since we are looking at increasing the required Go version from 1.19 to 1.20 in the next release because of #637, going to 1.21 instead should be fine (related: #638), but it would be good to avoid it if it's not necessary.

@codecov-commenter

codecov-commenter commented Nov 27, 2023

Codecov Report

Attention: 8 lines in your changes are missing coverage. Please review.

Comparison is base (e99410e) 78.84% compared to head (61545d6) 78.77%.
Report is 1 commit behind head on main.

File                       Patch %   Lines
internal/output/table.go   33.33%    8 Missing ⚠️
@@            Coverage Diff             @@
##             main     #651      +/-   ##
==========================================
- Coverage   78.84%   78.77%   -0.08%     
==========================================
  Files          83       83              
  Lines        5881     5889       +8     
==========================================
+ Hits         4637     4639       +2     
- Misses       1046     1052       +6     
  Partials      198      198              


@pandatix
Contributor Author

Hey @another-rex, thanks for the feedback, much appreciated :)

I stated it could be blocking because, although my implementation is fine with Go 1.18 (so that ClusterFuzzLite works), it declares a requirement on Go 1.21. This implies that a go mod tidy would want to update the go.mod file (which is indeed related to the discussion in #638). As long as you are working on upgrading the Go version this won't be a problem for long, and since it compiles properly it is not blocking! 🎉

@another-rex another-rex merged commit a254b1d into google:main Nov 30, 2023
9 checks passed