With the significant NVD backlog for assigning Severity Scores to CVEs, alternate sources like GHSA are even more important.
VCIO currently provides only a qualitative CVSS v3 score - LOW, MODERATE, HIGH or CRITICAL even though GHSA also provides a numeric score.
With some help from John H I now understand that the qr in the csvssv3.1_qr scores we report means "qualitative rating", which is fine except that the score in this case is for/from cvss v4.
We also need the numeric cvss scores with an accurate label of the cvss version for that score. It seems that we are in a transition period where we will see a cvss v3.1x score for older vulnerabilities and a cvss v4 score for newer vulnerabilities.
For example the data at GHSA-wm9w-rjj3-j356 for VCID-yktk-48uz-aaac shows both "HIGH" and "8.7" as severity scores. VCIO should report both the qualitative and numeric scores as cvss v4. Some other examples are:
The key use case is where an organization uses a numeric severity threshold to prioritize vulnerabilities and needs alternate CVSS information where it is not available from the NVD.
With the advent of our own Vulnerability Risk scoring across the AboutCode stack we need to ensure that the underlying data is accurate and complete.
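To make the request concrete, here is an added illustration (not VulnerableCode's or GHSA's own code) of what "numeric score plus qualitative rating plus an accurate CVSS version label" looks like as data: the version is read from the vector string prefix rather than guessed, the qualitative band is derived from the numeric score only when the source gives no label, and a numeric threshold is applied without silently dropping entries that carry no number. The entry shape, field names and vector strings are constructed assumptions.

```python
"""Hypothetical normaliser for GHSA-style severity entries (not VCIO's code)."""
import re
from dataclasses import dataclass
from typing import Optional

# Qualitative bands are the same in CVSS v3.1 and v4.0. GHSA spells the middle
# band "MODERATE" (as this issue does); the CVSS spec itself calls it "Medium".
_BANDS = ((0.0, 0.0, "NONE"), (0.1, 3.9, "LOW"), (4.0, 6.9, "MODERATE"),
          (7.0, 8.9, "HIGH"), (9.0, 10.0, "CRITICAL"))
_VECTOR_VERSION = re.compile(r"^CVSS:(3\.0|3\.1|4\.0)/")

@dataclass(frozen=True)
class SeverityRecord:
    cvss_version: str            # "3.1" or "4.0", taken from the vector itself
    numeric: Optional[float]     # None when the source only gives a label
    qualitative: str
    vector: Optional[str]

def qualitative_rating(score: float) -> str:
    """Map a base score to its qualitative band (e.g. 8.7 -> HIGH)."""
    for lo, hi, label in _BANDS:
        if lo <= score <= hi:
            return label
    raise ValueError(f"score out of CVSS range: {score}")

def normalise(entry: dict) -> SeverityRecord:
    """entry is an assumed shape: {"type": "CVSS_V4", "score": "<vector>",
    "numeric": 8.7, "qualitative": "HIGH"}; the last two keys are optional."""
    vector = entry.get("score")
    m = _VECTOR_VERSION.match(vector or "")
    if not m:
        raise ValueError(f"cannot determine CVSS version from {vector!r}")
    version = m.group(1)
    tag = entry.get("type", "")
    if tag and tag != f"CVSS_V{version[0]}":   # label must agree with vector
        raise ValueError(f"type {tag} disagrees with vector version {version}")
    numeric = entry.get("numeric")
    qualitative = entry.get("qualitative") or (
        qualitative_rating(numeric) if numeric is not None else "UNKNOWN")
    return SeverityRecord(version, numeric, qualitative, vector)

def above_threshold(records, threshold: float):
    """Threshold prioritisation; unscored entries are returned separately."""
    hits = [r for r in records if r.numeric is not None and r.numeric >= threshold]
    unscored = [r for r in records if r.numeric is None]
    return hits, unscored

# Constructed sample entries; vectors are placeholders, scores are not recomputed.
SAMPLE = [
    {"type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N", "numeric": 8.7},
    {"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U", "numeric": 5.3},
    {"type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U", "qualitative": "LOW"},
]
```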