Document CVE ID rejection better #18

Open
zmanion opened this issue Mar 23, 2023 · 2 comments
Comments

@zmanion
Contributor

zmanion commented Mar 23, 2023

From a discussion on Slack, better document how to reject a CVE ID.

An example: CVEProject/cvelist#8836

  1. There are Services API calls
  2. How is the description text generated?

The template text looks old:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: <something>. Reason: <some reason>. Notes: <some notes>.

Another example, web site shows description text: https://www.cve.org/CVERecord?id=CVE-2023-25694

Description is not present in JSON: https://cveawg.mitre.org/api/cve-id/CVE-2023-25694

If nothing else, update template text to no longer talk about "candidate number."

Possibly include description text in JSON, as it may be informative.

@zmanion
Contributor Author

zmanion commented Mar 23, 2023

The text goes in (comes from?) container.cna.rejectedReasons. Is this automatically produced?

https://github.com/CVEProject/cvelistV5/blob/main/preview_cves/2023/25xxx/CVE-2023-25694.json

@darakian

darakian commented Mar 24, 2023

A question just to drive this: what is allowed/required for the description field? The min_reject schema seems to just want a string, but in practice all CVEs in the reject state seem to begin with "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER." Is this a legacy practice or is this a requirement?

ex. https://github.com/CVEProject/cvelist/blob/0305178d6104eb4291da37386a8b4738347cb0c2/2012/5xxx/CVE-2012-5847.json

Given that the state of the CVE is set to REJECT, it seems awkward to require that a description begin with a specific string, but also every one of them that I can find does begin with that string.
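
Added example, not part of the issue thread and not CVE Project code: a Python check that pulls the reject text out of a record in either layout discussed above (the CVE JSON 4 description and the CVE JSON 5 `containers.cna.rejectedReasons`) and flags the legacy template wording. The function names and the sample records, including their CVE IDs, are constructed for illustration; the field paths are assumed from the published CVE JSON 4 and 5 formats.

```python
# Legacy template prefix quoted in the issue.
LEGACY_PREFIX = "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER."

def reject_text(record):
    """Return (state, [text, ...]) for a CVE JSON 4 or CVE JSON 5 record dict."""
    if "cveMetadata" in record:  # CVE JSON 5 layout (assumed field paths)
        state = record["cveMetadata"].get("state")
        items = record.get("containers", {}).get("cna", {}).get("rejectedReasons", [])
    else:  # CVE JSON 4 layout, as in the cvelist repository (assumed field paths)
        state = record.get("CVE_data_meta", {}).get("STATE")
        items = record.get("description", {}).get("description_data", [])
    return state, [item.get("value", "") for item in items]

def audit(record):
    """List findings about the reject text; empty for clean or non-rejected records."""
    state, texts = reject_text(record)
    if state not in ("REJECT", "REJECTED"):
        return []
    findings = []
    if not any(t.strip() for t in texts):
        findings.append("rejected record has no reject text")
    for t in texts:
        if t.startswith(LEGACY_PREFIX):
            findings.append("uses legacy template prefix")
        elif "CANDIDATE NUMBER" in t.upper():
            findings.append('mentions "candidate number"')
    return findings

# Constructed sample records (not real CVE entries).
V4_LEGACY = {
    "CVE_data_meta": {"ID": "CVE-1900-0001", "STATE": "REJECT"},
    "description": {"description_data": [
        {"lang": "eng", "value": LEGACY_PREFIX + " Reason: constructed sample."}]},
}
V5_CLEAN = {
    "cveMetadata": {"cveId": "CVE-1900-0002", "state": "REJECTED"},
    "containers": {"cna": {"rejectedReasons": [
        {"lang": "en", "value": "This CVE ID was assigned in error."}]}},
}
V5_EMPTY = {
    "cveMetadata": {"cveId": "CVE-1900-0003", "state": "REJECTED"},
    "containers": {"cna": {"rejectedReasons": []}},
}

if __name__ == "__main__":
    for rec in (V4_LEGACY, V5_CLEAN, V5_EMPTY):
        print(reject_text(rec)[0], audit(rec))
```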
