This repository has been archived by the owner on Sep 2, 2023. It is now read-only.

Invalid CVSS v2 vector output #1

Open
pandatix opened this issue Jan 30, 2023 · 0 comments

During differential fuzzing with github.com/pandatix/go-cvss, I discovered that your implementation emits CVSS v2 vectors that are invalid.

Indeed, you are outputting the CVSS v2 vector in ascending order of metrics.
Nevertheless, the first.org specification states at Section 2.4 that a vector has a "predetermined order", documented in Table 13.

In order to be compliant, you must output metrics in the specified order.

The following Go code illustrates this issue.

package main

import (
	"fmt"
	"log"

	cvss "github.com/attwad/gocvss"
)

func main() {
	raw := "AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C"
	vec, err := cvss.Parse(raw)
	if err != nil {
		log.Fatal(err)
	}

	out := vec.ToStringVector()
	fmt.Printf("out: %v\n", out)
}

produces ->

out: A:C/AC:L/AV:N/Au:N/C:N/E:F/I:N/RC:C/RL:OF
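As an added example (not code from the issue or from gocvss), the Go snippet below re-emits a v2 vector in the Table 13 order and validates it on the way, so a consumer can detect and repair output like the one above instead of passing it along; the metric list is the specification's, the function names are my own.

```go
package main

import (
	"fmt"
	"strings"
)

// Table 13 of the first.org CVSS v2 guide: the "predetermined order" of metrics.
var metricOrder = []string{
	"AV", "AC", "Au", "C", "I", "A", // base group: all six are mandatory
	"E", "RL", "RC", // temporal group
	"CDP", "TD", "CR", "IR", "AR", // environmental group
}

// Canonicalize parses a v2 vector and re-emits it in Table 13 order; wrong order
// is repaired, while malformed, duplicated, unknown or missing base metrics error.
func Canonicalize(raw string) (string, error) {
	values := map[string]string{}
	for _, part := range strings.Split(raw, "/") {
		name, value, ok := strings.Cut(part, ":")
		if !ok || name == "" || value == "" {
			return "", fmt.Errorf("malformed metric %q", part)
		}
		if _, dup := values[name]; dup {
			return "", fmt.Errorf("duplicate metric %q", name)
		}
		values[name] = value
	}
	out := make([]string, 0, len(values))
	for i, name := range metricOrder {
		v, ok := values[name]
		if !ok && i < 6 { // AV, AC, Au, C, I, A must all be present
			return "", fmt.Errorf("missing base metric %q", name)
		}
		if ok {
			out = append(out, name+":"+v)
		}
	}
	if len(out) != len(values) { // a pair named a metric not in Table 13
		return "", fmt.Errorf("unknown metric in %q", raw)
	}
	return strings.Join(out, "/"), nil
}

// IsCanonical reports whether raw already lists its metrics in spec order.
func IsCanonical(raw string) bool {
	c, err := Canonicalize(raw)
	return err == nil && c == raw
}
```

Feeding it the alphabetically ordered string printed above yields the original input vector, which is the order the specification requires.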