vehemont
CVE.metrics attribute is not treated as dict
The metrics attribute of the CVE class is treated as type nvdlib.classes.CVE instead of a dict, despite documentation stating otherwise. I'm not sure if this is intended behavior, or if it's a documentation issue. Though out of scope for this issue, a similar behavior comes up when accessing the individual items in the following attributes:
- descriptions
- cwe
- cpe
The invidual items in the list are treated as type nvdlib.classes.CVE instead of dict
Documentation
Behavior in environment (using python 3.13.2 and nvdlib 0.8.0)
Expected Behavior:
Metrics variable functions as type dict
Looking at it further, classes.py also includes this discrepancy. Under Class CVE, metrics is described as both a dict and a class object
:var metrics: Class attribute containing scoring lists (cvssMetricV31 / V30 / V2).
:vartype metrics: class
:var weaknesses: Contains relevant CWE information.
:vartype weaknesses: list
:var configurations: List containing usually a single element of CPE information.
:vartype configuration: list
:var references: CVE reference links
:vartype references: list
:var cwe: Common Weakness Enumeration Specification (CWE)
:vartype cwe: list
:var url: Link to additional details on nvd.nist.gov for that CVE.
:vartype url: str
:var cpe: Common Platform Enumeration (CPE) assigned to the CVE.
:vartype cpe: list
:var metrics: CVSS metrics. Some CVEs may not have v2/v3 scores or none at all.
:vartype metrics: dict