Don't panic on zero-length NVD description_data array fields (#21250)

#21242

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)

QA'd manually (see repro scenario in the linked bug). Happy to dig into
adding tests here if it's worth the time to build them now that the
upstream data feed has been patchd.

changes/21242-nvd-input-validation

@@ -0,0 +1 @@
+Continue with an empty CVE description when the NVD CVE feed doesn't include description entries (instead of panicking)

server/vulnerabilities/nvd/sync.go

@@ -216,9 +216,10 @@ func LoadCVEMeta(ctx context.Context, logger log.Logger, vulnPath string, ds fle
 			}
 			schema := vuln.Schema()
 
-			meta := fleet.CVEMeta{
-				CVE:         cve,
-				Description: schema.CVE.Description.DescriptionData[0].Value,
+			meta := fleet.CVEMeta{CVE: cve}
+
+			if len(schema.CVE.Description.DescriptionData) > 0 {
+				meta.Description = schema.CVE.Description.DescriptionData[0].Value
 			}
 
 			if schema.Impact.BaseMetricV3 != nil {