Container Vulnerability Response remediation tasks and task rules overview
Summary
Container Vulnerability Response (CVR) remediation tasks help analysts and remediation specialists efficiently organize and manage container vulnerable items (CVITs). These tasks group CVITs based on configured criteria, allowing bulk analysis, progress monitoring, and streamlined remediation.
Starting in version 2.13, users can remove incorrect assignments directly from CVIT and remediation task records, improving accuracy in task ownership.
The system also tracks the number of deferrals for vulnerable items and remediation tasks, highlighting those deferred multiple times for better risk management.
Remediation Task Rules
Remediation task rules define how CVITs are automatically grouped and assigned into remediation tasks. The base system includes a default rule grouping CVITs by vulnerabilities, but rules can be customized using fields accessible from CVITs, such as configuration item (CI) and vulnerability entry.
- Multiple conditions can be combined, with up to six "Group by" selections to fine-tune grouping logic.
- Assignment automation is supported, enabling tasks to be assigned based on risk severity or other criteria.
- When a CVIT is created, imported, or reopened, rules evaluate it once to determine task grouping, creating new remediation tasks or adding to existing ones as appropriate.
- Task names are generated by appending group values to create descriptive short descriptions (limited to 160 characters).
- Default assignment of remediation tasks aligns with the CVIT assignment group, controlled further by Vulnerability Response assignment rules.
Deleting a remediation task rule optionally removes all Open tasks created by that rule, while Closed or other states remain unaffected.
Reapplying and Evaluating Rules
Changes to remediation task rules can be applied retroactively by using the Reapply function, which deletes and recreates Open remediation tasks based on updated rules. This process does not affect tasks outside the Open state.
Vulnerability admins and analysts can more efficiently evaluate remediation task rules for selected CVITs within the Vulnerability Manager Workspace, avoiding the slower classic UI process.
CVIT Creation, Updates, and State Management
- CVITs are created when a configuration item from a scan matches a known vulnerability and are immediately evaluated against remediation task rules.
- Updates to properties relevant to task grouping on CVITs trigger reevaluation, potentially moving CVITs between tasks or creating new tasks.
- State changes on remediation tasks roll down to associated CVITs instantly when moving to Open or Under Investigation states.
- State rollup from CVITs to remediation tasks occurs only when all CVITs on the task share the same Deferred or Closed - Fixed state, and is processed by a scheduled job that runs every 15 minutes.
Additional Features
- Auto-close rules: Enable automatic closure of older CVITs based on configured filter conditions, helping maintain focus on current vulnerabilities.
- Assignment removal: Users can clear the Assigned to and Assignment group fields on CVITs and remediation tasks when assignments are incorrect, improving task accuracy.
Practical Benefits for ServiceNow Customers
This functionality allows ServiceNow customers to automate and tailor the grouping and assignment of container vulnerabilities, ensuring remediation efforts are prioritized and organized according to risk and operational needs. It enhances visibility into remediation progress, supports efficient task management, and reduces manual workload through automation and rule-based processes.
Configure remediation tasks (CVULs) to help analysts and remediation specialists organize container vulnerable items (CVIT) and analyze them in bulk. The criteria by which remediation tasks are formed are configured so that CVITs are automatically assigned into remediation tasks. Using remediation tasks, you can monitor progress and drive the remediation process more efficiently.
Removing assignments from container vulnerable items and remediation tasks
Starting with version 2.13, you can clear the Assigned to and Assignment group fields on container vulnerable items (CVITs) directly from the CVIT and remediation task records that you determine might be incorrectly assigned to you or your groups.
See Removing assignments from container vulnerable items and remediation tasks and Remove assignments from vulnerable items and remediation tasks for more information.
Tracking deferral counts for container vulnerable items and remediation tasks
Track the number of times a vulnerable item, application vulnerable item, container vulnerable item, or remediation task is deferred. The Set deferral counts scheduled job runs daily and posts the count, for records that are deferred more than once, in the Deferral count column. Those records are displayed in the Multiple deferrals modules for VR, AVR, and CVR.
Understanding remediation task rules
Remediation task rules enable you to define how container vulnerable items are automatically grouped and assigned. A default rule Vulnerability is included in the base system that gathers CVITs based on their vulnerabilities. However, you can group by any other set of values in columns accessible from the CVIT. These values could include configuration item (CI), vulnerability entry, and the like.
There are task rules for Container Vulnerability Response that are included with the Vulnerability Response application that is available when you activate it.
You can create multiple conditions with the condition builder. In the Group by section, after you set a field pair, another row appears. You can have up to six Group by selections. You can automate group assignment as well.
For example, you can group your container vulnerable items by the configuration item, or by the product model. You can have one task rule for low severity vulnerabilities or low risk CIs. You can have another task rule for critical servers, and vulnerabilities that expose the company to more risk. See Create, edit, and delete Container Vulnerability Response remediation task rules for more information about the options that you have available to you.
A different set of rules can be used for container vulnerable items that expose the company to more risk. The remediation task name is appended to the remediation task rule Group by values to make the short description of the new record.
When a new container vulnerable item is created, imported, or reopened after being closed, the rules are evaluated against it. A CVIT is only evaluated once, automatically, unless it's reopened after being closed or the rules are reapplied manually.
- For each remediation task rule, the CVIT is compared to the remediation task rule filter.
- For each rule where the remediation task rule condition matches, the rule pulls the data from the Group by selections on the CVIT and builds a group name and field. In this case, High Risk: QID-32342:Summary of QID-32342 (Name: vulnerability ID: vulnerability summary).
  Note: The short description field is limited to 160 characters. Longer vulnerability summaries are truncated.
- If a task with that name is found in the Open state, the CVIT is added to that existing task.
- If no task in the Open state is found, the rule creates a High Risk: QID-32342 task, assigns it to the same assignment group as the CVIT, and places the CVIT in the remediation task.
More than one remediation task rule can be defined to group different kinds of vulnerabilities. Because each CVIT is compared with every remediation task rule condition before it is put in a remediation task, too many rules might impact performance. Set up your task rules so the conditions help you avoid creating duplicate remediation tasks.
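The grouping procedure above, as an added illustrative model written for this page: it is not ServiceNow's implementation, and the function names (makeRule, evaluateCvit, runSample), the sample rules, and the CVIT records are hypothetical. It mirrors the documented behaviour: a CVIT is checked against each rule's filter, the Group by values build the task short description (truncated to 160 characters), an existing task is reused only if it is in the Open state, and a new task inherits the CVIT's assignment group.

```javascript
// Added illustrative model of remediation task rule grouping. NOT ServiceNow's
// implementation; it reproduces the behaviour the page describes with plain
// objects so it can be run offline with node. All names and data are made up.

const SHORT_DESCRIPTION_LIMIT = 160; // documented short description limit

// A rule: a display name, a filter the CVIT must match, and 1..6 Group by fields.
function makeRule(name, filter, groupBy) {
  if (groupBy.length < 1 || groupBy.length > 6) {
    throw new Error("a rule needs between one and six Group by fields");
  }
  return { name, filter, groupBy };
}

// Short description = "<rule name>: <group values joined by ':'>", cut to the
// 160-character limit (so long vulnerability summaries are truncated).
function buildShortDescription(rule, cvit) {
  const values = rule.groupBy.map((field) => String(cvit[field]));
  return `${rule.name}: ${values.join(":")}`.slice(0, SHORT_DESCRIPTION_LIMIT);
}

// Lookup key for an existing task: the rule plus the exact Group by values.
function groupKey(rule, cvit) {
  return JSON.stringify([rule.name, ...rule.groupBy.map((f) => cvit[f])]);
}

// Evaluate one CVIT against every rule (the page says this happens once, on
// create/import/reopen). `tasks` is the store of existing remediation tasks.
function evaluateCvit(cvit, rules, tasks) {
  const placed = [];
  for (const rule of rules) {
    if (!rule.filter(cvit)) continue; // rule condition did not match
    const key = groupKey(rule, cvit);
    // Only a task in the Open state is a candidate; closed tasks are ignored.
    let task = tasks.find((t) => t.key === key && t.state === "Open");
    if (!task) {
      task = {
        key,
        rule: rule.name,
        state: "Open",
        shortDescription: buildShortDescription(rule, cvit),
        assignmentGroup: cvit.assignmentGroup, // default: match the CVIT's group
        cvits: [],
      };
      tasks.push(task);
    }
    task.cvits.push(cvit.id);
    placed.push(task);
  }
  return placed;
}

// Constructed sample data (hypothetical rules, IDs, CIs and groups).
const rules = [
  makeRule("High Risk", (c) => c.severity === "Critical",
    ["vulnerabilityId", "vulnerabilitySummary"]),
  makeRule("Low Risk", (c) => c.severity === "Low", ["ci"]),
];

const sampleCvits = [
  { id: "CVIT0001", severity: "Critical", vulnerabilityId: "QID-32342",
    vulnerabilitySummary: "Summary of QID-32342", ci: "web-pod-1",
    assignmentGroup: "Platform Ops" },
  { id: "CVIT0002", severity: "Critical", vulnerabilityId: "QID-32342",
    vulnerabilitySummary: "Summary of QID-32342", ci: "web-pod-2",
    assignmentGroup: "Platform Ops" },
  { id: "CVIT0003", severity: "Critical", vulnerabilityId: "QID-11111",
    vulnerabilitySummary: "x".repeat(300), ci: "web-pod-1", // forces truncation
    assignmentGroup: "App Team" },
  { id: "CVIT0004", severity: "Low", vulnerabilityId: "QID-22222",
    vulnerabilitySummary: "Low severity finding", ci: "web-pod-1",
    assignmentGroup: "App Team" },
];

// Run the rules over the sample, then close the Low Risk task and re-evaluate
// a reopened CVIT to show that a task outside the Open state is never reused.
function runSample() {
  const tasks = [];
  for (const cvit of sampleCvits) evaluateCvit(cvit, rules, tasks);
  const lowRisk = tasks.find((t) => t.rule === "Low Risk");
  lowRisk.state = "Closed - Fixed";
  evaluateCvit(sampleCvits[3], rules, tasks); // reopened CVIT -> evaluated again
  return tasks;
}

console.log(JSON.stringify(runSample(), null, 2));
```

Running it yields two High Risk tasks (one per vulnerability, the second with a short description cut at 160 characters), the original Low Risk task now closed, and a fresh Open Low Risk task created for the reopened CVIT rather than the closed one being reused.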
By default, remediation task rules use the assignment group set by the Assignment Rules on the CVIT when grouping the items and assigns the remediation task to match the CVITs.
As part of the default task rule, the assignment of these remediation tasks is controlled by the rules in the Assignment Rules module. For more information on assignment rules, see Vulnerability Response assignment rules overview.
When a task rule is deleted from the form or list view, you have the option to delete all Open tasks created by that rule. Tasks not in the Open State are excluded.
Reapplying remediation task rules
When you want to change a remediation task rule, use the Reapply button on the remediation task rule page to rerun the changed rule on all active Open remediation tasks created by that rule. It deletes and recreates remediation tasks based on the changed rule automatically.
Reapply evaluates only the existing remediation tasks created by that rule.
After you select Reapply, the following message is displayed: Reapplying this remediation task rule will delete and re-create the remediation tasks for this rule. Remediation tasks that are not in the Open State aren’t deleted.
Remediation task rules and CVIT creation and update
If a CI from a scan is associated with a known vulnerability, a CVIT is created. After it's created, the CVIT is evaluated against the conditions of remediation task rules for a match. If there’s a match to an existing remediation task, the CVIT is added. If a matching remediation task isn’t found, one is created for the CVIT.
If any property that is captured in the remediation task filtering conditions is updated or changed on a CVIT, the updated CVIT is evaluated again against the remediation task rules for a match. If there’s a match to an existing remediation task, the CVIT is added. If a matching remediation task isn't found, one is created for the CVIT.
State rollup and rolldown
If you update a remediation task to Open, or from Open to Under Investigation, the new state rolls down to all associated CVITs. State roll down occurs immediately after you change the State.
State rollup from CVITs to the remediation task occurs only if all the CVITs on the task are in the same State, and that State is Deferred or Closed - Fixed. Rollup is done by the Rollup container vulnerable item values to vulnerability and group scheduled job, which runs every 15 minutes. The State is not rolled up until the job runs.
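The roll-down and roll-up behaviour described in this section, as an added illustrative model written for this page (not ServiceNow's code; setTaskState, rollUpJob and the sample task are hypothetical). It shows the asymmetry: Open and Under Investigation roll down to the CVITs immediately, while roll-up happens only when the scheduled job runs and only when every CVIT is in the same Deferred or Closed - Fixed state.

```javascript
// Added illustrative model of state roll-down and roll-up between a remediation
// task and its CVITs, as described on this page. NOT ServiceNow code; the
// function names and the sample records are this example's own.

const ROLL_DOWN_STATES = new Set(["Open", "Under Investigation"]);
const ROLL_UP_STATES = new Set(["Deferred", "Closed - Fixed"]);

// Roll-down happens immediately: moving the task to Open or Under Investigation
// pushes that state to every CVIT on it. Other task states do not roll down.
function setTaskState(task, newState) {
  task.state = newState;
  if (ROLL_DOWN_STATES.has(newState)) {
    for (const cvit of task.cvits) cvit.state = newState;
  }
  return task.state;
}

// Roll-up is what the 15-minute scheduled job does: the task takes the CVITs'
// state only if every CVIT is in the same state and that state is Deferred or
// Closed - Fixed. Until the job runs, the task state is untouched.
function rollUpJob(task) {
  if (task.cvits.length === 0) return task.state;
  const states = new Set(task.cvits.map((c) => c.state));
  if (states.size === 1) {
    const [only] = states;
    if (ROLL_UP_STATES.has(only)) task.state = only;
  }
  return task.state;
}

// Constructed sample: one task with three CVITs. Walks through each case and
// returns what was observed at each step.
function runScenario() {
  const task = {
    state: "Open",
    cvits: [{ id: "CVIT0001", state: "Open" },
            { id: "CVIT0002", state: "Open" },
            { id: "CVIT0003", state: "Open" }],
  };
  const seen = {};

  // Task moved to Under Investigation: every CVIT follows at once.
  setTaskState(task, "Under Investigation");
  seen.afterRollDown = task.cvits.map((c) => c.state);

  // Two CVITs fixed, one still under investigation: mixed states, no roll-up.
  task.cvits[0].state = "Closed - Fixed";
  task.cvits[1].state = "Closed - Fixed";
  seen.partialFix = rollUpJob(task);

  // One Deferred and two Closed - Fixed: all are roll-up states, but not the
  // same state, so still no roll-up.
  task.cvits[2].state = "Deferred";
  seen.mixedRollUpStates = rollUpJob(task);

  // All three Closed - Fixed: the task stays put until the job runs, then rolls up.
  task.cvits[2].state = "Closed - Fixed";
  seen.beforeJob = task.state;
  seen.allFixed = rollUpJob(task);

  return seen;
}

console.log(runScenario());
```

The practical consequence for an analyst is the one the page states: closing the last CVIT on a task does not close the task in the same transaction, so a dashboard read within the 15-minute window still shows the task as Under Investigation.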