Application Vulnerability Response product view

  • Release version: Australia
  • Updated March 12, 2026

    The Application Vulnerability Response (AVR) product ingests the weaknesses and vulnerabilities detected by your application security testing tools and provides a single pane of glass to understand the security posture of all the applications in your environment.

    AVR enables you to reduce risk through its remediation workflows. The objective of this product view is to help you understand how the key AVR entities work with the core CSDM framework.

    Updated terminology

    Starting with AVR v19.0, the following key table and column names have been updated. As a result, you will see references to both the older and newer names in the documentation.

    Table 1. Updated list of terms, table, and field names for AVR
    Prior to AVR v19.0        | Starting from AVR v19.0
    CI lookup rules           | Lookup rules
    CI lookup rule form       | Lookup rule form
    CI matching rule          | Matching rule
    Search on table           | Search on CI table
    Search on field           | Search on CI field
    Application release       | Discovered applications
    Application release table | Discovered applications table
    Business criticality      | Source business criticality

    Prerequisites

    Install the latest versions of the following applications:
    • Security Support Common
    • Vulnerability Response
    • Security Integration Framework
    • Security Support Orchestration
    • Scanner integrations such as Veracode and Fortify

    AVR and CSDM 4.0

    Prior to AVR v19.0, when application vulnerabilities were ingested, the application for which the vulnerabilities were ingested was looked up, using the CI lookup rules, against the Scanned Applications (sn_vul_app_scanned_application) table. If the application name record was not there, an entry would be made.

    Starting from AVR v19.0, to align with the CSDM 4.0 framework, the Product Model tables are used instead of the Scanned Applications table. If the application has a version, the lookup is against the Software Model table. If there is no version, the lookup is against the Application Model table. Both Application Model and Software Model are child tables of the Product Model table, which is the foundation table in the CMDB. The following screenshot explains the Product Model.

    System property

    To use the CSDM 4.0 product model-based lookup process, set the system property sn_vul.use_product_model to true.

    Table 2. System property considerations
    System property name     | System property value | Lookup target value                 | Considerations
    sn_vul.use_product_model | true                  | Select the value Product model      | New users should select the value Product model to use the CSDM 4.0 framework's Product model lookup rules.
    sn_vul.use_product_model | false                 | Select the value Configuration item | Existing users can continue using the CI lookup process and the existing CI lookup rules.

    Note: To set the lookup target value, navigate to the Lookup Rule page > [AVR integration lookup rule] > Lookup target field.

    Lookup rules in AVR

    In the CSDM 4.0 framework, product model-based lookup rules are used instead of CI lookup rules to create entries in the respective product model classes. Similarly, for scripts, you can define the lookup rules within the framework of the CSDM 4.0 model.

    Starting from AVR v19.0, while creating a lookup rule, you must define whether you want to use the configuration item or product model approach using the Lookup target field. For more information, see Create a CI lookup rule.

    Discovered applications

    Navigate to All > Discovered Applications. The Discovered Applications table displays the applications ingested from the scanners. If the system property sn_vul.use_product_model is set to true, you can see the corresponding product models for the applications.

    AVR considerations

    Presence of duplicate CI or product model records

    Verify that the system property sn_vul.use_product_model has been correctly configured for the lookup process. Ensure that you select either Configuration item or Product model as the Lookup target while configuring the Lookup rule form.