Details
- Bug
- Resolution: Fixed
- Critical
- 16.10.13
- None
- Unknown
- N/A
- N/A
Description
Apparently some extensions are improperly flagged as not impacted by a CVE because the expected metadata are not present. For example, commons-fileupload:commons-fileupload:1.5 won't be flagged as impacted by a CVE, because the provided CVSS is v4, we currently cannot compute CVSS v4, and right now we filter out any vulnerability with a score of 0.
We should provide the capability to compute CVSS v4 scores, and we should also ensure we don't discard a vulnerability because of a missing score, as we have been able to find vulnerabilities without any CVSS score.