Another Improper Input Validation in CVSS v3 parsing

[pandatix]

After #10, I fuzzed again the implementation and discovered that other invalid inputs did not raise errors.
This could be categorized as CWE-20.

For instance, the following Go code does not produce any error.

package main

import (
	"fmt"

	"github.com/goark/go-cvss/v3/metric"
)

func main() {
	vec, err := metric.NewEnvironmental().Decode("CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:0/A:H")

	fmt.Printf("vec: %v\n", vec)
	fmt.Printf("err: %v\n", err)
}

produces ->

vec: &{0xc0000ba000 X X X X X X X X X X X}
err: <nil>

The CVSS v3.1 vector is invalid because A is defined twice, but as one is valid, there is no error raised.

You can check this input is invalid, using the official first.org calculator which does not give scores despite base metrics being all defined, or by looking at the specification Table 15 which shows the A (Availability) metric can't be 0.

[spiegel-im-spiegel]

Relese v1.4.0