cve: Gracefully handle bogus CVE entries.

Fixes <https://bugs.gnu.org/47941>.
Reported by Jack Hill <jackhill@jackhill.us>.

* guix/cve.scm (reference-data->cve-references): Gracefully handle lack
of "reference_data".
(cpe-match->cve-configuration): Gracefully handle lack of "cpe23Uri".

guix/cve.scm

@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020, 2021 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -99,7 +99,9 @@
 
 (define (reference-data->cve-references alist)
   (map json->cve-reference
-       (vector->list (assoc-ref alist "reference_data"))))
+       ;; Normally "reference_data" is always present but rejected CVEs such
+       ;; as CVE-2020-10020 can lack it.
+       (vector->list (or (assoc-ref alist "reference_data") '#()))))
 
 (define %cpe-package-rx
   ;; For applications: "cpe:2.3:a:VENDOR:PACKAGE:VERSION", or sometimes
@@ -137,6 +139,9 @@ package."
         (starte (assoc-ref alist "versionStartExcluding"))
         (endi   (assoc-ref alist "versionEndIncluding"))
         (ende   (assoc-ref alist "versionEndExcluding")))
+    ;; Normally "cpe23Uri" is here in each "cpe_match" item, but CVE-2020-0534
+    ;; has a configuration that lacks it.
+    (and cpe
          (let-values (((package version) (cpe->package-name cpe)))
            (and package
                 `(,package
@@ -147,7 +152,7 @@ package."
                           (starte `(> ,starte))
                           (endi   `(<= ,endi))
                           (ende   `(< ,ende))
-                     (else   version)))))))
+                          (else   version))))))))
 
 (define (configuration-data->cve-configurations alist)
   "Given ALIST, a JSON dictionary for the baroque \"configurations\"