Support CVSSv3 scores and severities

[dav3r]

🗣 Description

This PR adds support for CVSS v3 scores by importing them from the NVD. It also appropriately sets the severity of each CVE based on the v2 or v3 scoring system.

💭 Motivation and context

Since CVSS v3 has been out for quite a while now, it's about time that we support it.

This PR updates cyhy-nvdsync to import data for any CVE that has either v2 or v3 score. Previously, we only imported the v2 score.

If a v3 score is present in the NVD data, that score is imported into the DB. If no v3 score is present, the v2 score is imported. In either case, the version of the CVSS score is now stored in the DB along with the score itself.

Resolves:

• Pull and store CVSSv3.0 and CVSSv3.1 base scores from NVD cyhy-system#60
• Use non-NVD CVSS 3 score when appropriate cyhy-system#64

This is part of the work for cisagov/cyhy-system#59.

Marking this PR as blocked until the CyHy team allows us to deploy it. Note that this PR should be deployed in conjunction with cisagov/cyhy-reports#76.

🧪 Testing

To test the updated cyhy-nvdsync code (1ad23ec and d5e722e), I ran it in my test environment and validated the following things:

• The script ran without error and took the roughly same amount of time as it took before these code changes.
• Every CVE that was imported received a cvss_version value (either "2.0", "3.0", or "3.1").
• CVEs were getting assigned the correct severities, i.e. a CVE scored as a 9.0 in CVSS 2.0 got severity 3 (High), while a CVE scored as a 9.0 in CVSS 3.0 or 3.1 got severity 4 (Critical).
• The same number of CVEs were imported both before (when it only imported CVSSv2 scores) and after these code changes. That isn't a 100% guarantee, but it's a good sign.

To test the updated ticket_manager.py code (2b81487 and 79d29f5), I deployed the code changes to my test environment and re-ran vulnerability scans for some hosts that previously had open tickets. I verified that their tickets were correctly updated with the new expected values for details.cvss_base_score, details.cvss_version, and details.severity. I also confirmed that no tickets were updated with unexpected or erroneous details.

✅ Pre-approval checklist

• This PR has an informative and human-readable title.
• Changes are limited to a single goal - eschew scope creep!
• All relevant type-of-change labels have been added.
• I have read the CONTRIBUTING document.
• These code changes follow cisagov code standards.
• All new and existing tests pass.

✅ Post-merge checklist

• Coordinate deployment plan with CyHy team.
• Deploy these changes to Production.

[jsf9k]

I had one minor suggestions, which you can take or leave. This looks good to me!

[jsf9k]

Still looks great to me!

[felddy]

Looks good. Had a couple of thoughts about severity to score mapping.

[mcdonnnj]

This looks pretty solid. I had a couple of suggestions that you can ignore if desired. I did have one question I would like answered though just in case I missed/misunderstood logic somewhere.

[mcdonnnj]

LGTM ✔