Code review comment for ~pfsmorigo/ubuntu-cve-tracker:pfsmorigo/add_impact_field

One question:

I see the example json here includes, in addition to the base v3 vector, the exploitabilityScore and impactScore fields, which aren't included in our stored vectors in the CVE tracker, and are not computed as part of cve_lib.parse_cvss(). I see them also referenced in the web team API change for this at https://github.com/canonical/ubuntu-com-security-api/pull/121/files.

I don't see them being computed in the publish-cves-to-website-api.py script, so (a) where are they coming from, and (b) if they aren't coming from the script, is that going to cause a problem when submitting cves with this change?

Also, can you add comments noting that the cvss3 variable contains just the computd base score, and the impact field contains the full base vector? I know that now, but in two weeks I will surely have forgotten, and will likely be confused if I have to diagnose any problems with this script more than two weeks from now.

Thanks!