Invalid CVSS v2 vector

[pandatix]

During differential fuzzing with github.com/pandatix/go-cvss, I discovered that your implementation does not emit valid CVSS v2 vectors.
Indeed, after parsing it, it only emit the temporal metrics that are different of ND (Not Defined).

In order to be compliant, you must emit all group metrics even if they are equal to ND, according to the first.org specification Table 13 that shows all metrics of a group are required.
Notice this is not the case with CVSS v3 as first.org specification Table 15 states temporal and environmental metrics are not mandatory when equal to X (Not Defined).

The following Go code illustrates this issue.

package main

import (
	"fmt"
	"log"

	"github.com/goark/go-cvss/v2/base"
)

func main() {
	raw := "AV:L/AC:M/Au:S/C:N/I:N/A:P/CDP:N/TD:ND/CR:M/IR:ND/AR:ND"
	vec, err := base.Decode(raw)
	if err != nil {
		log.Fatal(err)
	}

	out := vec.String()
	fmt.Printf("out: %v\n", out)
}

produces ->

out: AV:L/AC:M/Au:S/C:N/I:N/A:P/CDP:N/CR:M

[spiegel-im-spiegel]

Release v1.4.6