VCIO-next: VCIO does not collect some Severity (cvssv3.1) scores for a CVE #1238

@mjherzog

Description

For a recent Vulnerability report of approximately 250 purl-CVE vulnerability combinations, almost half were missing a Severity score (field value = NA), which is a critical deficiency for prioritizing investigation or remediation of vulnerabilities. A few cases are legitimate because the CVE has been rejected - see #1221, but in the other cases I checked there is one or more cvssv3.1 scores in the NVD (NIST:NVD and/or CNA: Google etc.). In a few cases it appears the original CVE record did not have a cvssv3.1 value, but in most cases the cvssv3.1 data is part of the original record based on the Change History. Note the cvssv3.1 data is the set of metrics, not the derived numeric score.

We need to improve our CVE data collection to ensure that we capture the current Severity data and enable some tracking for adding Severity data if it was not available when we first collected a CVE or changed after we collected it.

Status: Validated