Application Vulnerable Item (AVI) states

  • Release version: Australia
  • Updated March 12, 2026
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Application Vulnerable Item (AVI) States

    The Application Vulnerability Response provides a structured state model for managing Application Vulnerable Items (AVIs). Understanding these states is crucial for effective remediation of vulnerabilities as it enables users to track the status of AVIs and take appropriate actions at various points in the remediation process.

    Show full answer Show less

    Key Features

    • State Management: AVIs can be in several states, including Open, Resolved, Closed, Deferred, and Under Investigation, among others. Each state allows specific actions, such as marking an item as a false positive or requesting an exception.
    • State Transitions: Users can transition AVIs through different states based on actions taken, such as resolving, closing, or deferring items. The flow helps manage and prioritize remediation tasks effectively.
    • Integration with Third-party Tools: The states are mapped from imported remediation statuses from third-party integrations, providing a comprehensive view of vulnerability management.

    Key Outcomes

    By leveraging the state model, ServiceNow customers can:

    • Quickly identify the status of AVIs and understand the necessary next steps for remediation.
    • Utilize the structured state transitions to manage AVIs efficiently, ensuring that vulnerabilities are addressed in a timely manner.
    • Gain insights from detailed information about vulnerabilities, including summaries, explanations, recommendations, and references, facilitating informed decision-making.

    Application Vulnerability Response offers a state model for the status of your application vulnerable items (AVIs), at any given time. Knowing how each state relates to and affects each other helps you to determine when and how to remediate your AVIs.

    Application Vulnerable Item states

    Understanding how states work helps with creating or editing application vulnerable item (AVI) rules. AVIs have several possible states that are mapped from imported Remediation status from the third-party integration. In an AVI, the State field is read-only.

    Table 1. Application Vulnerability Response state flow diagram
    State Description
    Open State upon creation. From this state you can:
    V16: Get More Details
    Get the following information about an AVI imported from Fortify:
    • Vulnerability summary
    • Vulnerability explanation
    • Recommendation
    • References
    • Request
    • Response
    V16: Mark as false positive
    Mark an item as false positive if the scanner reports that a vulnerability exists in the system, but in reality there is no vulnerability.
    V16: Request exception
    Request an exception, a reopen (Until) date, a reason, and optionally, provide addition information. Defers the remediation of the item until the date till which an exception is requested.
    V15: Close
    Select the Closed state, a reason from the Close Vulnerable Item dialog box, and provide addition information. Closes the AVI.
    V15: Resolve
    Mark an open AVI as Resolved to move it to a resolved state. You must add resolution notes in the Resolve Application Vulnerable Item dialog box.
    Deferred V15: This is triggered by the Request Exception option. As part of the approval workflow, the Deferred state is In Review and cannot be closed until approved.

    From this state you can:

    V16: Get More Details
    Get the following information about an AVI imported from Fortify:
    • Vulnerability summary
    • Vulnerability explanation
    • Recommendation
    • References
    • Request
    • Response
    Reopen
    Transitions a closed or resolved AVI back to an Open state.
    Close
    Select the Closed state, a reason, and provide addition information. Closes the AVI.
    Under Investigation Select this option from the State list. From this state you can:
    V20.0
    Manually transition a remediation task or AVI record to Awaiting Implementation.
    V16: Get More Details
    Get the following information about an AVI imported from Fortify:
    • Vulnerability summary
    • Vulnerability explanation
    • Recommendation
    • References
    • Request
    • Response
    V16: Mark as false positive
    Mark an item as false positive if the scanner reports that a vulnerability exists in the system, but in reality there is no vulnerability.
    V16: Request exception
    Request an exception, a reopen (Until) date, a reason, and optionally, provide addition information. Defers the remediation of the item until the date till which an exception is requested.
    V15: Close
    Select the Closed state, a reason from the Close Vulnerable Item dialog box, and provide addition information. Closes the AVI.
    V15: Resolve
    Mark an open AVI as Resolved to move it to a resolved state. You must add resolution notes in the Resolve Application Vulnerable Item dialog box.
    Awaiting Implementation

    You can only transition records to this state manually by selecting Awaiting Implementation from AVI and remediation task records in the Under Investigation state. From this state you can:

    Open
    Transitions AVI back to an Open state.
    Under Investigation
    Get more information for resolution. Transitions to Under Investigation.
    Resolve
    Mark an open AVI as Resolved to move it to a resolved state. You must add resolution notes in the Resolve Application Vulnerable Item dialog box.
    Close
    Select the Closed state, a reason from the Close Vulnerable Item dialog box, and provide addition information. Closes the AVI.

    In this state, Transition a record into Awaiting Implementation when your research and work on a task is complete and although a fix is ready for implementation, it is not yet available.

    Set the Remediation Commitment date and Remediation plan fields.

    After implementation, you resolve or close the records.
    Resolved Triggered from the Resolve button. From this state you can:
    V16: Get More Details
    Get the following information about an AVI imported from Fortify:
    • Vulnerability summary
    • Vulnerability explanation
    • Recommendation
    • References
    • Request
    • Response
    Reopen
    Transitions back to an Open state.
    Close
    Select the Closed state, a reason, and provide addition information. Closes the group.

    Notes and Resolution information appear under the Notes tab.
    Closed Triggered from the Close button. From this state you can:

    Reopen: Transitions back to an Open state.
    Note:
    Refer to the Integrating Application Vulnerability Response with other applications for understanding different integrations that sourced the AVI.

    Application Remediation Task states

    From the creation to closure of an Application Remediation Task, the Application Remediation Task transitions through various states during the entire remediation process.

    The state precedence is as follows:

    Closed > Deferred > Resolved > In Review > Awaiting Implementation > Under Investigation > Open

    The state transition happens as you perform various actions such as Defer, Open, Close, etc.

    The actions you can perform on an Application Remediation Task at a specific state is similar to that of a Host Remediation Task. Hence, for more information, see the Vulnerability Response remediation task states and State roll-up and roll-down scenarios in the Vulnerability Response documentation.

    Note:
    Starting with v23.0 of Vulnerability Response, the Close button has been removed to ensure that the closure of the Remediation task is driven by the scanner.