
Need to identify and flag REJECTED CVEs #1221

Closed
mjherzog opened this issue Jul 4, 2023 · 1 comment

mjherzog commented Jul 4, 2023

For the purls:

  • pkg:maven/com.fasterxml.woodstox/woodstox-core@5.3.0
  • pkg:maven/com.fasterxml.woodstox/woodstox-core@6.2.4

There are 4 REJECTED CVEs in the NVD:

  • 2022-40153
  • 2022-40154
  • 2022-40155
  • 2022-40156

For the purl: pkg:maven/com.thoughtworks.xstream/xstream@1.4.20 there are 2 REJECTED CVEs:

  • 2022-40153
  • 2022-40156

The real CVE for this vuln is 2022-40152.

The NVD page for each REJECTED CVE says:

Rejected
CVE has been marked "REJECT" in the CVE List. These CVEs are stored in the NVD, but do not show up in search results.
Current Description
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This CVE has been rejected as it was incorrectly assigned. All references and descriptions in this candidate have been removed to prevent accidental usage.

I found these cases from reviewing a VCIO report for a product so the cases are incidental.

We need to identify and flag REJECT CVEs. I am not sure how to report these cases or how common they are.
A first solution step should be to investigate how common REJECT CVEs are in the NVD.
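The flagging step the issue asks for, as an added example that is not code from the issue author or the project: it classifies each purl's CVE list as kept, rejected or unknown using NVD records. The `vulnStatus` field is the NVD API 2.0 status field (not mentioned in the issue); the `** REJECT **` text marker is the wording quoted above; the sample feed and purl-to-CVE mapping are constructed, and the description for CVE-2022-40152 is a placeholder.

```python
import re

# Legacy marker placed at the start of a rejected CVE's description (quoted in the issue).
REJECT_MARKER = re.compile(r"^\s*\*\*\s*REJECT\s*\*\*", re.IGNORECASE)


def is_rejected(record: dict) -> bool:
    """True if an NVD CVE record (API 2.0 shape) is a rejected candidate."""
    # NVD API 2.0 exposes the status directly; "Rejected" is the value it uses.
    if str(record.get("vulnStatus", "")).lower() == "rejected":
        return True
    # Fallback for feeds that only carry the text marker, as on the NVD page quoted above.
    return any(REJECT_MARKER.match(d.get("value", "")) for d in record.get("descriptions", []))


def triage(purl_cves: dict, nvd: dict) -> dict:
    """Split each purl's CVE list into kept / rejected / unknown (id absent from the feed)."""
    out = {}
    for purl, cve_ids in purl_cves.items():
        buckets = {"kept": [], "rejected": [], "unknown": []}
        for cve_id in cve_ids:
            rec = nvd.get(cve_id)
            if rec is None:
                buckets["unknown"].append(cve_id)   # cannot judge: surface it, do not drop it
            elif is_rejected(rec):
                buckets["rejected"].append(cve_id)
            else:
                buckets["kept"].append(cve_id)
        out[purl] = buckets
    return out


# Constructed sample feed. REJECT_TEXT is the NVD wording quoted in the issue; the
# description for CVE-2022-40152 is a placeholder, not NVD's real text.
REJECT_TEXT = ("** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This CVE has been "
               "rejected as it was incorrectly assigned. All references and descriptions "
               "in this candidate have been removed to prevent accidental usage.")
SAMPLE_NVD = {
    "CVE-2022-40152": {"vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "placeholder"}]},
    "CVE-2022-40153": {"vulnStatus": "Rejected", "descriptions": [{"lang": "en", "value": REJECT_TEXT}]},
    "CVE-2022-40154": {"descriptions": [{"lang": "en", "value": REJECT_TEXT}]},  # marker only, no status
    "CVE-2022-40155": {"vulnStatus": "Rejected", "descriptions": []},            # status only, no text
    "CVE-2022-40156": {"vulnStatus": "Rejected", "descriptions": [{"lang": "en", "value": REJECT_TEXT}]},
}
# Constructed mapping; "CVE-0000-0000" is a placeholder id that is absent from the feed.
SAMPLE_PURLS = {
    "pkg:maven/com.fasterxml.woodstox/woodstox-core@5.3.0":
        ["CVE-2022-40152", "CVE-2022-40153", "CVE-2022-40154", "CVE-2022-40155", "CVE-2022-40156"],
    "pkg:maven/com.thoughtworks.xstream/xstream@1.4.20":
        ["CVE-2022-40152", "CVE-2022-40153", "CVE-2022-40156", "CVE-0000-0000"],
}

if __name__ == "__main__":
    for purl, buckets in triage(SAMPLE_PURLS, SAMPLE_NVD).items():
        print(purl, buckets)
```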

TG1999 commented Nov 15, 2023

Done in #1232

@TG1999 TG1999 closed this as completed Nov 20, 2023