Code review comment for ~pfsmorigo/ubuntu-cve-tracker:pfsmorigo/add_impact_field

> One question:
>
> I see the example json here includes, in addition to the base v3 vector, the
> exploitabilityScore and impactScore fields, which aren't included in our
> stored vectors in the CVE tracker, and are not computed as part of
> cve_lib.parse_cvss(). I see them also referenced in the web team API change
> for this at https://github.com/canonical/ubuntu-com-security-
> api/pull/121/files.

Hmm, both are calculated in parse_cvss, right?
https://git.launchpad.net/ubuntu-cve-tracker/tree/scripts/cve_lib.py#n2993

This link is the result of the PR I sent to fix the problem of not accepting the impact data.

>
> I don't see them being computed in the publish-cves-to-website-api.py script,
> so (a) where are they coming from, and (b) if they aren't coming from the
> script, is that going to cause a problem when submitting cves with this
> change?
>
> Also, can you add comments noting that the cvss3 variable contains just the
> computd base score, and the impact field contains the full base vector? I know
> that now, but in two weeks I will surely have forgotten, and will likely be
> confused if I have to diagnose any problems with this script more than two
> weeks from now.

Sure, I'll add a comment.

>
> Thanks!