fix: missing CVEs by switching to cve 2.0 (#5172) #5265

Open
wants to merge 3 commits into base: main

Conversation

gluesmith2021
Contributor

@gluesmith2021 gluesmith2021 commented Aug 8, 2025

Most CVEs prior to 2018 are missing from CVE 1.1 data, and this can be very problematic when retrieving CVEs for older software.

Issue #5172 seemed stale, so I went on to fix it. CVE 2.0 parsing/formatting was already implemented for api2 NVD data retrieval (although the latter seems broken now for an unrelated reason: 403 Forbidden on dashboard/statistics; this is out of scope for this PR). Therefore, it looks like minimal changes were required to make the switch. Namely, checking for "rejected" CVEs didn't work with any rejected CVEs I've seen so far, so I used what seemed to be the proper field to check.

Updated tests in this PR seem to run fine with LONG_TESTS=1 and EXTERNAL_SYSTEM=1.

I'm not sure about:

  • what else should be tested to "prove" the switch to 2.0 is correct
  • what the plans are for the 1.1-related code (the 1.1 code was left there for now)
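As an added illustration, not code from this PR or from the project, here is a small parser over a constructed record in the NVD API 2.0 JSON shape that separates rejected entries from usable ones. It checks the top-level `vulnStatus` field of each `cve` object; that this is the field the PR switched to is an assumption, since the PR text does not name it. The CVE ids in the sample are constructed placeholders.

```python
import json

# Constructed sample in the NVD API 2.0 JSON shape (not real NVD data;
# the ids are placeholders, not real CVE records).
SAMPLE_NVD_2_0 = json.dumps({
    "vulnerabilities": [
        {"cve": {
            "id": "CVE-2017-0000A",
            "vulnStatus": "Analyzed",
            "descriptions": [{"lang": "en", "value": "Example flaw in an old library."}],
            "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.5,
                                                         "baseSeverity": "HIGH"}}]},
        }},
        {"cve": {
            "id": "CVE-2017-0000B",
            "vulnStatus": "Rejected",
            "descriptions": [{"lang": "en", "value": "Rejected reason: not a security issue."}],
            "metrics": {},
        }},
    ]
})

def is_rejected(cve):
    # Assumption: the 2.0 feed marks withdrawn entries with vulnStatus == "Rejected",
    # rather than with a description prefix as older data did.
    return cve.get("vulnStatus", "").strip().lower() == "rejected"

def base_score(cve):
    # Prefer CVSS v3.1, then v3.0, then v2; rejected or unscored entries have no metrics.
    metrics = cve.get("metrics", {})
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        entries = metrics.get(key)
        if entries:
            return entries[0]["cvssData"]["baseScore"]
    return None

def parse_nvd_2_0(text):
    """Return (usable_records, rejected_ids) from an NVD 2.0-shaped JSON document."""
    usable, rejected = [], []
    for item in json.loads(text).get("vulnerabilities", []):
        cve = item["cve"]
        if is_rejected(cve):
            rejected.append(cve["id"])
            continue
        desc = next((d["value"] for d in cve.get("descriptions", [])
                     if d.get("lang") == "en"), "")
        usable.append({"id": cve["id"], "description": desc, "score": base_score(cve)})
    return usable, rejected
```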

@gluesmith2021
Contributor Author

Note: I won't be available for comments/replies/changes until later this month. Sorry in advance for the delay.
