RedHatProductSecurity / cvss

CVSS2/3/4 library with interactive calculator for Python 2 and Python 3
GNU Lesser General Public License v3.0

CVSS v3 vector requires version prefix #8

Closed jrusnack closed 8 years ago

jrusnack commented 8 years ago

According to the CVSS spec, one of the things that changed from CVSS v2 to v3 is the format of the vector string (section 6, Vector String):

https://www.first.org/cvss/specification-document

The vector string now expects a prefix in the format CVSS: followed by the CVSS version, separated from the metrics with /.

The CVSS library accepts a CVSS v3 vector string without this prefix (the examples in the readme also encourage this). This is likely a bug, not a feature - the version prefix has its purpose, and a loose implementation of the specification can have pitfalls down the road. For example, if a CVSS v3.1 spec is out and it contains changes in the equations of how the score is calculated, then

```python
from cvss import CVSS3

# Vector deliberately written without the "CVSS:3.x/" prefix the spec mandates
vector = 'S:C/C:H/I:H/A:N/AV:P/AC:H/PR:H/UI:R/E:H/RL:O/RC:R/CR:H/IR:X/AR:X/MAC:H/MPR:X/MUI:X/MC:L/MA:X'
c = CVSS3(vector)
print(c.scores())
```

how would the library know whether v3.0 or v3.1 equations should be used? Would the cvss lib have to break its API and implement another class, different for each version (i.e. c = CVSS3_1(vector)), in order to allow vectors without the version prefix?

Please fix cvss lib to refuse malformed CVSS v3 vector without version prefix.
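As an added illustration of the check this issue asks for (example code, not the cvss library's own), here is a small parser that refuses a v3 vector lacking the `CVSS:<major>.<minor>/` label from spec section 6 and reads the version from that label, so the version selects the equations rather than the caller's choice of class. The base metric names and the vector from this issue are taken from the page; the parser, its error class and the set of supported versions are assumptions.

```python
import re

# Mandatory base metric abbreviations from the CVSS v3 specification.
BASE_METRICS = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")
# Versions this hypothetical parser knows how to score (constructed set).
SUPPORTED_VERSIONS = {"3.0", "3.1"}

_PREFIX_RE = re.compile(r"^CVSS:(\d+)\.(\d+)/")


class CVSSVectorError(ValueError):
    """Raised when a vector string does not follow the v3 vector format."""


def parse_v3_vector(vector):
    """Return (version, metrics) for a v3 vector string.

    The string must start with ``CVSS:3.x/`` (spec section 6). Vectors
    without that label are refused instead of being silently scored as 3.0.
    """
    match = _PREFIX_RE.match(vector)
    if match is None:
        raise CVSSVectorError("missing mandatory 'CVSS:<version>/' prefix")
    version = "%s.%s" % match.groups()
    if version not in SUPPORTED_VERSIONS:
        raise CVSSVectorError("unsupported CVSS version %r" % version)

    metrics = {}
    for item in vector[match.end():].split("/"):
        name, sep, value = item.partition(":")
        if not sep or not name or not value:
            raise CVSSVectorError("malformed metric %r" % item)
        if name in metrics:
            raise CVSSVectorError("duplicate metric %r" % name)
        metrics[name] = value

    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise CVSSVectorError("missing base metrics: %s" % ", ".join(missing))
    return version, metrics


def is_valid_v3_vector(vector):
    """True if ``vector`` parses; handy on input-validation paths."""
    try:
        parse_v3_vector(vector)
    except CVSSVectorError:
        return False
    return True
```

The prefix-less vector from this issue fails `is_valid_v3_vector`, while the same string with `CVSS:3.1/` prepended parses to version `3.1` and nineteen metrics.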

skontar commented 8 years ago

Relevant part of specification:

The v3.0 vector string begins with the label "CVSS:" and a numeric representation of the current version, "3.0." Metric information follows in the form of a set of metrics, each metric being preceded by a forward slash, "/", acting as a delimiter. Each metric is a metric name in abbreviated form, a colon, ":", and its associated metric value in abbreviated form. The abbreviated forms are defined earlier in this specification (in parentheses after each metric name and metric value), and are summarized in the table below.

skontar commented 8 years ago

Please try https://github.com/skontar/cvss/tree/skontar_fix_mandatory_prefix branch to see if it fixes the problem. Thanks!

jrusnack commented 8 years ago

This seems to work (note that library version is not bumped :smiley: ) Thank you!