GHSA entry reports incorrect scoring system for 2024 vulnerabilities

[mjherzog]

For VCID-yktk-48uz-aaac, VCIO does not report a CVSS score for https://nvd.nist.gov/vuln/detail/CVE-2024-34750.
This is correct for CVSS v4 but there is a CVSS v3.x score available.
We do not want to collect CVSS v2 data, but we will need to deal with both v3.x and v4 scores for at least the near future.

[DennisClark]

In general I think that we always collect CVSS v3.x scores. Perhaps the bug here is that we are not collecting the "ADP: CISA-ADP" score when there is no "NVD" score. See screenshot.

[mjherzog]

Good point - I missed that possibility but in any case we need to document/qualify what score we are collecting.
And it seems to be the case that we should be collecting CISA-ADP scores esp. in light of the NIST issues.
https://www.cve.org/Media/News/item/blog/2024/06/04/CISA-Added-as-CVE-Authorized-Data-Publisher
And we need to prepare for / starting collecting v4.0 scores.