[CVEDB] Why does the function metric_finder returns unknown or a metrics_id

[jloehel]

@Rexbeast2 I don't really get the function metric_finder? The function checks basically if the CVSS_version can be mapped to an existing metrics_id but why unknown ? The metric_finder should return a metrics_id.

cve-bin-tool/cve_bin_tool/cvedb.py

Lines 642 to 643 in 7d0d8c8

	if cve["CVSS_version"] == "unknown":
	metric = "unknown"

It would make more sense to add a fourth entry to the table metrics called unknown with the id 0 and skip the db check.

METRICS = [
    (0, "UNKNOWN"),
	(1, "EPSS"),
	(2, "CVSS-2"),
	(3, "CVSS-3"),
]

The IDs a predefined and will not change. Something like this should be enough, right?

...
UNKNOWN_METRIC_ID = 0
SUPPORTED_METRIC_VERSIONS = [CVSS_2_METRIC_ID, CVSS_3_METRIC_ID]

def version2metrics_id(self, version):
    if version not in SUPPORTED_METRIC_VERSIONS:
        logger.warning(f"Unsupported metric version: {version}")
        return UNKNOWN_METRIC_ID
    return version
...
                cursor.execute(
                    insert_cve_metrics,
                    [
                        cve["ID"],
                        self.version2metrics_id(cve["CVSS_version"]),
                        cve["score"],
                        cve["CVSS_vector"],
                    ],
                )