@onshi onshi commented Mar 19, 2025

Hello Team,

I would like to introduce logic for properly rating severity for vulnerabilities which are estimated using only CVSS:4.0. This is a follow-up to rubysec/ruby-advisory-db#654

Currently vulnerabilities which are estimated using only CVSS:4.0 are using the default fallback and are being marked as severity:unknown.

According to the specification docs, I think severity did not change between the 3.0 and 4.0 standards.

I did some refactoring based on Code Climate suggestions.

Here is an example:

Using bundler-audit:0.9.2

```
Name: ruby-saml
Version: 1.17.0
CVE: CVE-2025-25293
GHSA: GHSA-92rq-c8cf-prrq
Criticality: Unknown
URL: https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-92rq-c8cf-prrq
Title: Ruby SAML allows remote Denial of Service (DoS) with compressed SAML responses
Solution: update to '~> 1.12.4', '>= 1.18.0'
```

Using bundler-audit:0.10.0

```
Name: ruby-saml
Version: 1.17.0
CVE: CVE-2025-25293
GHSA: GHSA-92rq-c8cf-prrq
Criticality: High
URL: https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-92rq-c8cf-prrq
Title: Ruby SAML allows remote Denial of Service (DoS) with compressed SAML responses
Solution: update to '~> 1.12.4', '>= 1.18.0'
```

Let me know if there is anything else I should adjust

@onshi onshi force-pushed the feature/cvss_v4_severity_logic branch 3 times, most recently from 9dad99e to 2464e66 on March 19, 2025 11:40
@onshi onshi force-pushed the feature/cvss_v4_severity_logic branch from 2464e66 to c7b9d1a on March 19, 2025 14:43
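The behaviour the PR describes, as an added example that is not bundler-audit's own code and not the contributor's patch: FIRST publishes the same qualitative severity scale (None 0.0, Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0) for CVSS v3.x and v4.0, so one threshold table can rate both. The `Advisory` struct, the `cvss_v3`/`cvss_v4` field names, the `criticality_v3_only` and `criticality` helpers and the sample scores are assumptions constructed for this example; the real advisory for GHSA-92rq-c8cf-prrq is not reproduced here. The "before" function shows why a v4.0-only advisory previously fell through to `:unknown`; the "after" function shows the fallback order a fix would use.

```ruby
# Added example, not bundler-audit's code. Maps a CVSS base score to the
# qualitative severity rating; the thresholds are FIRST's scale, shared by
# CVSS v3.x and v4.0.

# Assumed record shape for this example (field names are hypothetical).
Advisory = Struct.new(:id, :cvss_v3, :cvss_v4, keyword_init: true)

# Qualitative severity rating scale (FIRST, CVSS v3.x and v4.0).
SEVERITY_RANGES = {
  none:     (0.0..0.0),
  low:      (0.1..3.9),
  medium:   (4.0..6.9),
  high:     (7.0..8.9),
  critical: (9.0..10.0)
}.freeze

# Returns the severity label for a numeric base score, or :unknown when the
# score is missing or outside 0.0..10.0. Scores are rounded to one decimal
# first because the scale is defined on one-decimal values.
def severity_for_score(score)
  return :unknown unless score.is_a?(Numeric)

  rounded = score.round(1)
  SEVERITY_RANGES.each do |label, range|
    return label if range.cover?(rounded)
  end
  :unknown
end

# "Before": only the v3 score is consulted, so an advisory that carries a
# CVSS:4.0 score alone is reported as :unknown (the bug the PR describes).
def criticality_v3_only(advisory)
  severity_for_score(advisory.cvss_v3)
end

# "After": prefer the v4.0 score, fall back to v3.x, then to :unknown.
def criticality(advisory)
  severity_for_score(advisory.cvss_v4 || advisory.cvss_v3)
end

# Constructed sample advisories (scores are made up for the example).
V4_ONLY = Advisory.new(id: "EXAMPLE-v4-only", cvss_v3: nil, cvss_v4: 7.5)
V3_ONLY = Advisory.new(id: "EXAMPLE-v3-only", cvss_v3: 5.3, cvss_v4: nil)
UNSCORED = Advisory.new(id: "EXAMPLE-unscored", cvss_v3: nil, cvss_v4: nil)

if __FILE__ == $PROGRAM_NAME
  [V4_ONLY, V3_ONLY, UNSCORED].each do |adv|
    puts "#{adv.id}: before=#{criticality_v3_only(adv)} after=#{criticality(adv)}"
  end
end
```

Running the file prints one line per sample advisory; the v4-only record moves from `unknown` to `high`, the v3-only record is unchanged, and the unscored one stays `unknown` under both functions.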