
Import of CycloneDX Scan fails if vulnerability description is missing #10249

@k0mand1r

Bug description
When uploading a CycloneDX report to DefectDojo (2.34.4) an error is thrown over a missing description field in the vulnerability section. As the CycloneDX documentation does not mandate the description field to be present in the report, this seems like a bug, because DefectDojo requires this field in the report.
The CycloneDX report is generated by Sonatype Lifecycle.

Steps to reproduce
Steps to reproduce the behavior:

  1. Go to DefectDojo
  2. Go to an engagement
  3. Upload the sample file attached (petclinic-bom.xml)
  4. See error:

Expected behavior
I would expect that the CycloneDX report would upload successfully if the 'description' field is not mandatory.

Deployment method (select with an X)

  • Docker Compose
  • Kubernetes
  • GoDojo

Environment information

  • Official DefectDojo docker image from DockerHub
  • DefectDojo version 2.34.4

Logs
16/May/2024 13:22:55] ERROR [dojo.api_v2.exception_handler:36] null value in column "description" of relation "dojo_finding" violates not-null constraint

Sample scan files
petclinic-bom.xml.md (Remove .md from the file)

Screenshots
![image](https://github.com/DefectDojo/django-DefectDojo/assets/13031028/92129d06-b19b-461e-bda2-68cd92ad909b)

Additional context (optional)

  • The issue was flagged previously in Import of CycloneDX Scan fails if description of CVE is missing #9277. It was supposedly fixed in DefectDojo 2.31.0
  • It seems the fix was only applied to manage_vulnerability_legacy(). manage_vulnerability_legacy() is triggered on CycloneDX v1.0 exports, while _manage_vulnerability_xml() is used on newer versions. _manage_vulnerability_xml() does not yet set a default value for 'description'.
  • Sonatype Lifecycle supports CycloneDx schema versions 1.4 and 1.5
  • manage_vulnerability_legacy() (Legacy function)
  • _manage_vulnerability_xml() (New function)
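The failure mode described in the issue, as an added illustration that is not DefectDojo's parser code: a small namespace-agnostic reader for the `<vulnerabilities>` section of a CycloneDX 1.4/1.5 XML BOM, run over a constructed BOM (not the attached petclinic-bom.xml) whose second vulnerability omits `<description>`, exactly as the schema allows. With `fill_missing=False` the reader reproduces the bug (a `None` description that a NOT NULL column would reject); with the default `fill_missing=True` it substitutes a deterministic placeholder built from the vulnerability id and affected component refs. Field names, the `default_description` wording and the `missing_required` check are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed CycloneDX 1.4 BOM (not the petclinic-bom.xml from the issue):
# the first vulnerability carries a <description>, the second omits it,
# which the CycloneDX schema permits.
SAMPLE_BOM = """<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <components>
    <component type="library" bom-ref="pkg:maven/org.example/lib@1.0.0">
      <name>lib</name>
      <version>1.0.0</version>
    </component>
  </components>
  <vulnerabilities>
    <vulnerability bom-ref="vuln-1">
      <id>SAMPLE-0001</id>
      <source><name>example-scanner</name></source>
      <ratings><rating><severity>high</severity></rating></ratings>
      <description>Example issue with a description.</description>
      <affects><target><ref>pkg:maven/org.example/lib@1.0.0</ref></target></affects>
    </vulnerability>
    <vulnerability bom-ref="vuln-2">
      <id>SAMPLE-0002</id>
      <source><name>example-scanner</name></source>
      <ratings><rating><severity>medium</severity></rating></ratings>
      <affects><target><ref>pkg:maven/org.example/lib@1.0.0</ref></target></affects>
    </vulnerability>
  </vulnerabilities>
</bom>
"""


def _local(tag):
    """Strip the XML namespace so the same code handles the 1.4 and 1.5 schema URIs."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _first_text(elem, name, default=None):
    """Text of the first direct child `name`, or `default` when absent or empty."""
    kids = _children(elem, name)
    if not kids:
        return default
    text = (kids[0].text or "").strip()
    return text or default


def default_description(vuln_id, refs):
    """Placeholder (assumed wording) used when the BOM omits <description>."""
    targets = ", ".join(refs) if refs else "unknown component"
    return f"{vuln_id} reported against {targets}; no description was provided in the BOM."


def parse_vulnerabilities(xml_text, fill_missing=True):
    """Return one finding dict per <vulnerability>; with fill_missing the description is never None."""
    root = ET.fromstring(xml_text)
    findings = []
    for vuln in root.iter():
        if _local(vuln.tag) != "vulnerability":
            continue
        vuln_id = _first_text(vuln, "id", "unknown")
        severity = "Info"
        for ratings in _children(vuln, "ratings"):
            for rating in _children(ratings, "rating"):
                sev = _first_text(rating, "severity")
                if sev:
                    severity = sev.capitalize()
                    break
        refs = [
            _first_text(target, "ref")
            for affects in _children(vuln, "affects")
            for target in _children(affects, "target")
            if _first_text(target, "ref")
        ]
        # <description> is optional in CycloneDX: without a fallback the row
        # would carry None into a NOT NULL column, which is the reported error.
        description = _first_text(vuln, "description")
        if description is None and fill_missing:
            description = default_description(vuln_id, refs)
        findings.append({
            "vuln_id": vuln_id,
            "severity": severity,
            "component_refs": refs,
            "description": description,
        })
    return findings


def missing_required(findings, required=("vuln_id", "severity", "description")):
    """Ids of findings that still lack a required field; a pre-insert check an importer could run."""
    return [f["vuln_id"] for f in findings if any(not f.get(k) for k in required)]
```

Running `missing_required(parse_vulnerabilities(SAMPLE_BOM, fill_missing=False))` names the second vulnerability, which is the condition the database constraint in the log above is rejecting; with the default fallback the list is empty and every finding is importable.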
