Invalid CVSS v3 environmental score computation

[pandatix]

Still while fuzzing the implementation, I discovered that environmental scores were not computed properly, leading to invalid scores.
For instance, the following Go code computes the three scores and prints them.

package main

import (
	"fmt"
	"log"

	"github.com/goark/go-cvss/v3/metric"
)

func main() {
	vec, err := metric.NewEnvironmental().Decode("CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N/MS:C")
	if err != nil {
		log.Fatal(err)
	}

	b, t, e := vec.Base.Score(), vec.Temporal.Score(), vec.Score()
	fmt.Printf("Scores: %.1f;%.1f;%.1f\n", b, t, e)
}

produces ->

Scores: 5.4;5.4;6.4

You can check this input is valid, using the official first.org calculator but then computes an environmental score of 6.5.

[spiegel-im-spiegel]

Relese v1.4.4