
gluesmith2021
Contributor

@gluesmith2021 gluesmith2021 commented Aug 8, 2025

Most CVEs prior to 2018 are missing from the CVE 1.1 data, and this can be very problematic when retrieving CVEs for older software.

Issue #5172 seemed stale, so here's an attempt at fixing the issue. CVE 2.0 parsing/formatting was already implemented for api2 NVD data retrieval (although the latter seems broken now for an unrelated reason: 403 Forbidden on dashboard/statistics. This is out of scope for this PR). Therefore, it looks like minimal changes were required to make the switch. Namely, the existing way of checking for "rejected" CVEs didn't work for most actually rejected CVEs, and what seems to be the proper field is now checked instead.

Updated tests in this PR seem to run fine with LONG_TESTS=1 and EXTERNAL_SYSTEM=1.

I'm not sure about:

  • what else should be tested to "prove" the switch to 2.0 is correct
  • what are the plans for the 1.1 related code (1.1 code was left there for now)
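The following is an added example, not code from this PR or from cve-bin-tool itself, that illustrates the two points in the description above: reading NVD 2.0-format feed records and filtering rejected CVEs by an explicit status field instead of by a description heuristic. It assumes the NVD 2.0 feed layout (`vulnerabilities[].cve` with `id`, `vulnStatus`, `descriptions` and `metrics`) and that a rejected record carries `vulnStatus == "Rejected"`; the feed data embedded below is constructed for the example.

```python
"""Added example (not cve-bin-tool's own code): parse NVD 2.0-format feed
records, drop rejected CVEs and extract the fields a scanner needs.

Assumptions (not taken from the PR): records live under
feed["vulnerabilities"][i]["cve"], rejection is signalled by the
vulnStatus field, and base scores sit under cve["metrics"]. The
SAMPLE_FEED_2_0 data is constructed for this example.
"""
import gzip
import json
from typing import Iterator, Optional

# Constructed sample feed, shaped like an NVD 2.0 yearly feed.
SAMPLE_FEED_2_0 = {
    "format": "NVD_CVE",
    "version": "2.0",
    "vulnerabilities": [
        {"cve": {"id": "CVE-2016-0001", "vulnStatus": "Analyzed",
                 "descriptions": [{"lang": "en", "value": "Constructed sample entry."}],
                 "metrics": {"cvssMetricV2": [{"cvssData": {"baseScore": 7.5}}]}}},
        # Explicitly rejected: must be dropped even though it has a description.
        {"cve": {"id": "CVE-2016-0002", "vulnStatus": "Rejected",
                 "descriptions": [{"lang": "en", "value": "** REJECT ** Not used."}]}},
        {"cve": {"id": "CVE-2017-0003", "vulnStatus": "Modified",
                 "descriptions": [{"lang": "en", "value": "Another constructed entry."}],
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8,
                                                             "baseSeverity": "CRITICAL"}}]}}},
    ],
}


def description_en(cve: dict) -> str:
    """Return the English description, or an empty string if none is present."""
    for entry in cve.get("descriptions", []):
        if entry.get("lang") == "en":
            return entry.get("value", "")
    return ""


def is_rejected(cve: dict) -> bool:
    """Prefer the explicit status field (assumed: vulnStatus == "Rejected").

    The description-prefix check is kept only as a fallback for records that
    carry no status at all; relying on it alone misses rejected entries whose
    description was rewritten or removed.
    """
    status = cve.get("vulnStatus")
    if status is not None:
        return status == "Rejected"
    return description_en(cve).startswith("** REJECT **")


def base_score(cve: dict) -> Optional[float]:
    """Pick the newest CVSS base score available (v3.1, then v3.0, then v2)."""
    metrics = cve.get("metrics", {})
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        entries = metrics.get(key)
        if entries:
            return float(entries[0]["cvssData"]["baseScore"])
    return None


def parse_feed_2_0(feed: dict) -> Iterator[dict]:
    """Yield normalized, non-rejected records from a 2.0-format feed dict."""
    if feed.get("version") != "2.0":
        raise ValueError(f"expected NVD feed version 2.0, got {feed.get('version')!r}")
    for item in feed.get("vulnerabilities", []):
        cve = item.get("cve", {})
        if "id" not in cve or is_rejected(cve):
            continue
        yield {"id": cve["id"],
               "description": description_en(cve),
               "score": base_score(cve)}


def feed_to_gz_bytes(feed: dict) -> bytes:
    """Serialize a feed the way the mirror ships it: gzipped JSON (.json.gz)."""
    return gzip.compress(json.dumps(feed).encode("utf-8"))


def parse_gz_feed(data: bytes) -> list:
    """Decompress a .json.gz feed payload and return its accepted records."""
    return list(parse_feed_2_0(json.loads(gzip.decompress(data).decode("utf-8"))))


if __name__ == "__main__":
    for record in parse_gz_feed(feed_to_gz_bytes(SAMPLE_FEED_2_0)):
        print(record["id"], record["score"], record["description"])
```

Running the module prints the two accepted records and silently drops CVE-2016-0002; a record with no `vulnStatus` at all still falls back to the description prefix, so the function behaves sensibly on mixed or partial data.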

@gluesmith2021
Contributor Author

As of today, CI says one check fails:

Testing / Tests that may fail due to network or HTML (pull_request) Failing after 2m

This didn't fail 2-3 weeks ago when I created the pull request. Cause is the NVD mirror that is missing some files. For instance:

The test fails when trying to fetch the latter.

Note that for some other years in this folder, .json.gz is there but .meta is missing (they were all there back on August 8). This does not crash any test though because years without a .meta file are not processed at all, but this prevents those years from being downloaded in a normal cve-bin-tool usage.

Now...

  • I have no idea who maintains this mirror and why it is now missing a few files.
  • How do cve-bin-tool maintainers treat this pull request that sometimes fails on variable external data?
