
CVSS 4.0 metric description fields are empty for most metrics #16

Description

@ericfitz

Bug: CVSS 4.0 metric description fields are empty for most metrics

Repository: https://github.com/org-metaeffekt/metaeffekt-universal-cvss-calculator
Library version observed: ae-cvss-calculator@1.0.12 (npm)

Summary

When using the CVSS 4.0 vector, the description property on most metric VectorComponent definitions is an empty string. This makes it impossible for downstream consumers to render help text/tooltips explaining each metric without supplying their own description data. The CVSS 2.0 and CVSS 3.x metric definitions in the same library populate description correctly.

Only the CVSS 4.0 AV (Attack Vector) metric appears to have a non-empty description; every other CVSS 4.0 metric ships with description: "".

Affected CVSS 4.0 metrics (description is empty)

Confirmed by inspecting node_modules/ae-cvss-calculator/dist/ae-cvss-calculator.js at v1.0.12:

  • Base / Exploitability: AC, AT, PR, UI (note: AV is populated)
  • Vulnerable System Impact: VC, VI, VA
  • Subsequent System Impact: SC, SI, SA
  • Threat: E
  • Environmental — Security Requirements: CR, IR, AR
  • Environmental — Modified Base: MAV, MAC, MAT, MPR, MUI, MVC, MVI, MVA, MSC, MSI, MSA
  • Supplemental: S, AU, R, V, RE, U

The CVSS 2.0 / 3.x entries for the same short names (e.g. AC, PR, UI) ship with non-empty descriptions, so the bug is specific to the CVSS 4.0 metric registry.

Steps to reproduce

import { Cvss4P0 } from 'ae-cvss-calculator';

// Walk the CVSS 4.0 metric registry and print each metric's category,
// short name and description; JSON.stringify makes an empty string show as "".
const cvss = new Cvss4P0();
for (const [category, components] of cvss.getRegisteredComponents()) {
  for (const c of components) {
    console.log(category.name, c.shortName, JSON.stringify(c.description));
  }
}

Expected: each metric prints a non-empty description string aligned with the CVSS v4.0 specification.

Actual: every metric except AV prints "".

Impact

Consumers building UIs around the library cannot render per-metric help text from the library's own metadata. We hit this in TMI-UX — our CVSS calculator dialog renders a help (?) icon next to each metric name with the description in a tooltip, and the tooltips were silently empty for CVSS 4.0.

Suggested fix

Populate the description field on each CVSS 4.0 metric in the library's metric registry using the wording from the CVSS v4.0 specification (section 2 — Base, Threat, Environmental, and Supplemental metric groups). The CVSS 3.x registry in this library appears to follow the same approach and can serve as a template for tone and length.

Environment

  • ae-cvss-calculator: 1.0.12
  • Node: (any)
  • Browser: Chrome (also reproducible by direct inspection of the bundled module)
