
Fixes score discrepancy due to temporal and environmental metric #59

Open
sachin-sandhu wants to merge 2 commits into 0llirocks:master from sachin-sandhu:ssandhu/fix-cvss-score-3-1

Conversation


sachin-sandhu (Contributor) commented Mar 11, 2026

Proposed changes

When a CVSS 3.0 or 3.1 vector contains only base metrics (no temporal or environmental metrics), overall_score incorrectly returns the environmental score instead of the base score. This produces scores that differ from the NIST NVD Calculator and the FIRST CVSS Calculator. See issue

Test Coverage

spec/cvss_metric_spec.rb (new — 15 tests)

Unit tests for the new CvssMetric#explicitly_provided? method:

| Context | Assertions |
|---|---|
| CVSS 3.1 base-only vector | base → true, temporal → false, environmental → false |
| CVSS 3.1 with temporal metrics | temporal → true, environmental → false |
| CVSS 3.1 with environmental metrics | temporal → false, environmental → true |
| CVSS 3.1 with temporal + environmental | temporal → true, environmental → true |
| CVSS 3.1 with env modifiers all X but requirement metrics set (CR:M/IR:L/AR:H) | temporal → true, environmental → true |
| CVSS 2 base-only vector | base → true, temporal → false, environmental → false |
| CVSS 3.0 base-only vector | temporal → false, environmental → false |

spec/cvss31/cvss31_spec.rb (9 new tests)

Validates correct overall_score routing for CVSS 3.1:

| Scenario | Vector | Expected overall_score |
|---|---|---|
| Base-only, Scope: Changed | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H | 9.6 (= base_score) |
| Base-only, Scope: Changed | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 7.6 (= base_score) |
| Base-only, Scope: Changed | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H | 9.0 (= base_score) |
| Base-only, Scope: Changed | CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H | 8.8 (= base_score) |
| Base-only, Scope: Changed | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H | 9.0 (= base_score) |
| Base-only, Scope: Unchanged | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 8.8 (= base_score) |
| Temporal-only, Scope: Changed | CVSS:3.1/.../E:H/RL:T/RC:C | 9.3 (= temporal_score) |
| Temporal-only, Scope: Changed | CVSS:3.1/.../E:P/RL:O/RC:R | 8.3 (= temporal_score) |
| Environmental-only, Scope: Changed | CVSS:3.1/.../CR:L/IR:M/AR:H/MAV:N/... | 7.3 (= environmental_score) |

spec/cvss3/cvss3_spec.rb (4 new tests)

Validates the same fix applies to CVSS 3.0:

| Scenario | Vector | Expected overall_score |
|---|---|---|
| Base-only, Scope: Changed | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H | 9.6 (= base_score) |
| Base-only, Scope: Changed | CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 7.6 (= base_score) |
| Base-only, Scope: Changed | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H | 9.0 (= base_score) |
| Temporal-only, Scope: Changed | CVSS:3.0/.../E:H/RL:T/RC:C | 9.3 (= temporal_score) |

All expected scores verified against the FIRST CVSS 3.1 Calculator and NVD Calculator.

Total: 28 new tests added, full suite passes (81,132 examples, 0 failures).

Types of changes

What types of changes does your code introduce to CvssSuite?
Put an x in the boxes that apply

  • Bugfix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist

Put an x in the boxes that apply. You can also fill these out after creating the PR.

  • Unit tests pass locally with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

Further comments

If this is a relatively large or complex change, kick off the discussion by explaining why you chose the solution you did and what alternatives you considered, etc...
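To make the discrepancy concrete, here is an added example that is not code from the cvss-suite gem or from this PR: a minimal CVSS 3.1 scorer in plain Ruby implementing the base, temporal and environmental formulas from the FIRST CVSS v3.1 specification, plus an `explicitly_provided?`-style check (my own implementation, not the gem's method of that name) that routes `overall_score` to the score whose metric group was actually supplied, as the PR describes. The base vectors are the ones in the tables above; the temporal rows, which the page elides, are reconstructed here by appending the temporal metrics to the first base vector, which is an assumption. With Scope Changed and every modifier left at X, the environmental formula gives 9.7 for the first vector while the base score is 9.6, because CVSS 3.1 scores ModifiedImpact on a different curve (the 0.9731 factor and the ^13 exponent). That is why returning the environmental score for a base-only vector silently inflates the result.

```ruby
# Added example, not the cvss-suite gem's own code: a minimal CVSS 3.1 scorer
# that shows why overall_score must be routed on which metric groups were
# explicitly provided in the vector.

AV  = { 'N' => 0.85, 'A' => 0.62, 'L' => 0.55, 'P' => 0.2 }.freeze
AC  = { 'L' => 0.77, 'H' => 0.44 }.freeze
UI  = { 'N' => 0.85, 'R' => 0.62 }.freeze
CIA = { 'H' => 0.56, 'L' => 0.22, 'N' => 0.0 }.freeze
E   = { 'X' => 1.0, 'U' => 0.91, 'P' => 0.94, 'F' => 0.97, 'H' => 1.0 }.freeze
RL  = { 'X' => 1.0, 'O' => 0.95, 'T' => 0.96, 'W' => 0.97, 'U' => 1.0 }.freeze
RC  = { 'X' => 1.0, 'U' => 0.92, 'R' => 0.96, 'C' => 1.0 }.freeze
REQ = { 'X' => 1.0, 'H' => 1.5, 'M' => 1.0, 'L' => 0.5 }.freeze
TEMPORAL_KEYS      = %w[E RL RC].freeze
ENVIRONMENTAL_KEYS = %w[CR IR AR MAV MAC MPR MUI MS MC MI MA].freeze

# Privileges Required depends on Scope (3.1 spec, Table 8)
def pr_value(level, scope)
  case level
  when 'N' then 0.85
  when 'L' then scope == 'C' ? 0.68 : 0.62
  when 'H' then scope == 'C' ? 0.5 : 0.27
  end
end

# Roundup as defined in the 3.1 spec (integer arithmetic avoids float drift)
def roundup(x)
  i = (x * 100_000).round
  (i % 10_000).zero? ? i / 100_000.0 : (i / 10_000 + 1) / 10.0
end

# "CVSS:3.1/AV:N/AC:L/..." -> { 'AV' => 'N', 'AC' => 'L', ... } (prefix dropped)
def parse_vector(vector)
  vector.split('/').drop(1).to_h { |pair| pair.split(':', 2) }
end

# A metric group counts as provided only if some metric is present and not X
def explicitly_provided?(metrics, keys)
  keys.any? { |k| metrics.key?(k) && metrics[k] != 'X' }
end

def base_score(m)
  iss = 1 - (1 - CIA[m['C']]) * (1 - CIA[m['I']]) * (1 - CIA[m['A']])
  impact = m['S'] == 'C' ? 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02)**15 : 6.42 * iss
  return 0.0 if impact <= 0
  expl = 8.22 * AV[m['AV']] * AC[m['AC']] * pr_value(m['PR'], m['S']) * UI[m['UI']]
  m['S'] == 'C' ? roundup([1.08 * (impact + expl), 10].min) : roundup([impact + expl, 10].min)
end

def temporal_multiplier(m)
  E.fetch(m['E'], 1.0) * RL.fetch(m['RL'], 1.0) * RC.fetch(m['RC'], 1.0)
end

def temporal_score(m)
  roundup(base_score(m) * temporal_multiplier(m))
end

# A modified metric falls back to its base metric when absent or X
def modified(m, key)
  v = m["M#{key}"]
  v.nil? || v == 'X' ? m[key] : v
end

def environmental_score(m)
  ms = modified(m, 'S')
  miss = [1 - (1 - REQ.fetch(m['CR'], 1.0) * CIA[modified(m, 'C')]) *
              (1 - REQ.fetch(m['IR'], 1.0) * CIA[modified(m, 'I')]) *
              (1 - REQ.fetch(m['AR'], 1.0) * CIA[modified(m, 'A')]), 0.915].min
  # Note the different curve from base_score: 0.9731 factor and exponent 13
  mi = ms == 'C' ? 7.52 * (miss - 0.029) - 3.25 * (miss * 0.9731 - 0.02)**13 : 6.42 * miss
  return 0.0 if mi <= 0
  me = 8.22 * AV[modified(m, 'AV')] * AC[modified(m, 'AC')] *
       pr_value(modified(m, 'PR'), ms) * UI[modified(m, 'UI')]
  inner = ms == 'C' ? roundup([1.08 * (mi + me), 10].min) : roundup([mi + me, 10].min)
  roundup(inner * temporal_multiplier(m))
end

# The routing this PR argues for: use a score only if its group was supplied
def overall_score(vector)
  m = parse_vector(vector)
  return environmental_score(m) if explicitly_provided?(m, ENVIRONMENTAL_KEYS)
  return temporal_score(m) if explicitly_provided?(m, TEMPORAL_KEYS)
  base_score(m)
end

if __FILE__ == $PROGRAM_NAME
  v = 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H' # first vector from the table above
  m = parse_vector(v)
  puts "base=#{base_score(m)} env(all X)=#{environmental_score(m)} overall=#{overall_score(v)}"
end
```

Because a metric set to X is treated as not provided, a vector that carries `E:X/RL:X/RC:X` still resolves to the base score, which matches what the FIRST and NVD calculators display for such a vector.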
