Keep content in rejected CVE Record #6

Open
zmanion opened this issue Dec 7, 2023 · 2 comments

Comments

@zmanion
Collaborator

zmanion commented Dec 7, 2023

Currently when a record is rejected, the description is replaced with template text and sometimes a brief explanation. A rejected record uses different JSON (cnaRejectedContainer) and any content in a published record (cnaPublishedContainer) is lost. adpContainer would be lost too. History might be retained in the cvelist GitHub repository.

Consider in the future keeping any existing content when rejecting a record. This requires both non-trivial JSON schema changes and services/backend changes.

@zmanion
Collaborator Author

zmanion commented Apr 24, 2024

@zmanion
Collaborator Author

zmanion commented Aug 27, 2024

This remains an issue, I (and I expect others) could have used the original information in CVE-2024-42992. Changing the schema for rejected IDs removes useful information. This becomes more of a concern as ADP containers will be removed also.

Proposal for rejecting a record

In the schema/services:

  1. Set status to rejected
  2. Require an explanation field
  3. Store the rejected datetime
  4. Do not modify any other content

In the cve.org rendering:

  1. Prominently convey rejected status and the explanation, perhaps even hide the original content/containers until the user twists them open

In policy:

  1. Require an explanation
  2. Require the Secretariat and CNA-LR (and maybe others?) to prominently convey rejected status when rendering CVE Record content, similar to

4.5.3.11 CVE Program members MUST indicate “disputed” status and present the explanation when rendering and displaying CVE Record data.
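The rejection flow proposed in the comment above, written out as an added example that is not part of this issue or of any CVE Program code. It contrasts the current behaviour (the CNA container is swapped for a rejected container and published and ADP content is dropped) with the proposal (set the state, require an explanation, store the rejection time, touch nothing else) and shows the proposed rendering rule. The field names (cveMetadata.state, dateRejected, containers.cna, containers.adp, rejectedReasons) are modeled on the CVE JSON 5 record layout but are assumptions for illustration, not the published schema; the sample record is constructed.

```python
"""Added example: rejecting a CVE record with and without keeping its content.

Field names are assumptions modeled on the CVE JSON 5 layout, not the schema.
"""
import copy
from datetime import datetime, timezone

# Constructed sample record (not a real CVE record).
PUBLISHED_RECORD = {
    "dataType": "CVE_RECORD",
    "dataVersion": "5.1",
    "cveMetadata": {
        "cveId": "CVE-1900-0001",
        "state": "PUBLISHED",
        "datePublished": "2024-08-01T00:00:00.000Z",
    },
    "containers": {
        "cna": {
            "descriptions": [{"lang": "en", "value": "Example flaw in example-lib 1.0."}],
            "affected": [{"vendor": "example", "product": "example-lib",
                          "versions": [{"version": "1.0", "status": "affected"}]}],
            "references": [{"url": "https://example.invalid/advisory"}],
        },
        "adp": [{"providerMetadata": {"shortName": "example-adp"},
                 "metrics": [{"cvssV3_1": {"baseScore": 7.5}}]}],
    },
}


def reject_today(record, explanation):
    """Roughly the current behaviour: the CNA container is replaced by a
    rejected container; published content and ADP containers are gone."""
    rejected = copy.deepcopy(record)
    rejected["cveMetadata"]["state"] = "REJECTED"
    rejected["containers"] = {
        "cna": {"rejectedReasons": [{"lang": "en", "value": explanation}]}
    }
    return rejected


def reject_keep_content(record, explanation, when=None):
    """Proposed behaviour: set state, require an explanation, store the
    rejection time (ISO 8601 string, UTC), and leave every other container
    exactly as it was."""
    if not explanation or not explanation.strip():
        raise ValueError("a rejection explanation is required")
    if when is None:
        when = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    rejected = copy.deepcopy(record)
    meta = rejected["cveMetadata"]
    meta["state"] = "REJECTED"
    meta["dateRejected"] = when
    # The explanation sits alongside the original CNA content, not instead of it.
    rejected["containers"]["cna"]["rejectedReasons"] = [
        {"lang": "en", "value": explanation.strip()}
    ]
    return rejected


def lost_fields(before, after):
    """Container content present before rejection but missing afterwards."""
    lost = set()
    for name, container in before["containers"].items():
        if name == "adp":
            if not after["containers"].get("adp"):
                lost.add("adp")
            continue
        for key in container:
            if key not in after["containers"].get(name, {}):
                lost.add(f"{name}.{key}")
    return lost


def render(record):
    """Rendering rule from the proposal: rejected status and explanation are
    shown first; the original content is behind a collapsed section."""
    meta = record["cveMetadata"]
    lines = [f"{meta['cveId']}  [{meta['state']}]"]
    if meta["state"] == "REJECTED":
        for reason in record["containers"]["cna"].get("rejectedReasons", []):
            lines.append(f"  REJECTED {meta.get('dateRejected', '')}: {reason['value']}")
        lines.append("  [+] original content (collapsed)")
    else:
        for desc in record["containers"]["cna"].get("descriptions", []):
            lines.append(f"  {desc['value']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("lost today:   ", sorted(lost_fields(PUBLISHED_RECORD,
          reject_today(PUBLISHED_RECORD, "Not a vulnerability."))))
    kept = reject_keep_content(PUBLISHED_RECORD, "Not a vulnerability.")
    print("lost proposed:", sorted(lost_fields(PUBLISHED_RECORD, kept)))
    print(render(kept))
```

Running it prints the set of fields the current flow discards (descriptions, affected, references and the ADP container) against an empty set for the proposed flow, then the rejected-first rendering. The deep copy matters: rejection produces a new record version rather than mutating the published one in place.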
