Fortify Application Vulnerability Integration release notes
Summary of Fortify Application Vulnerability Integration release notes
The Fortify Application Vulnerability Integration enables ServiceNow customers to import and manage application vulnerabilities from Fortify on Demand within the ServiceNow Vulnerability Response application. This integration helps prioritize and remediate vulnerabilities specific to application versions, supporting effective application security management aligned with ServiceNow’s platform security and CSDM standards.
Key Features
- Version-specific vulnerability mapping: Vulnerabilities are accurately assigned to specific application releases by using both application ID and release ID, improving precision in vulnerability tracking.
- Security enhancements: Query ACLs at the table and field level ensure compliance with ServiceNow platform security guidance.
- Automated workflows: Manage exceptions and false positives directly within ServiceNow using default activation of triage workflows for application vulnerable items (AVIs).
- Product model support: New lookup rules support Common Service Data Model (CSDM) compliance for scanned applications and product models.
- Integration monitoring: View detailed processing times and reports for integration runs to monitor performance and health.
- Auto-close capability: Supports auto-closing of application vulnerable items to streamline vulnerability lifecycle management.
- Configuration flexibility: Buffer times and other parameters are configurable via instance parameters and system properties for tailored integration behavior.
- Remediation task creation: Allows manual creation of remediation tasks for AVIs to facilitate coordinated vulnerability resolution.
Practical Benefits for ServiceNow Customers
- Improved accuracy: Ensures vulnerabilities are correctly linked to the right application versions, avoiding misleading vulnerability data across releases.
- Enhanced security compliance: Aligns integration security settings with ServiceNow platform standards to protect sensitive vulnerability data.
- Streamlined operations: Automated exception and false positive management workflows reduce manual triage effort and accelerate remediation cycles.
- Greater visibility: Detailed integration run metrics enable proactive management and troubleshooting of vulnerability data imports.
- Alignment with IT best practices: Supports CSDM standards for product modeling, improving asset and vulnerability correlation within ServiceNow.
Implementation Notes
- One-time cleanup and re-import of application and vulnerability lists may be required after upgrading to version 2.7.1 or later to ensure accurate version mapping.
- Translation updates ensure locale-specific language support activates automatically without manual instance repair.
- Security and customization fix scripts are designed to run once per upgrade to avoid redundant processing.
Version history for the Fortify Application Vulnerability Integration on the ServiceNow Store.
Important: For details on system requirements and family compatibility, view the application listing on the ServiceNow Store website.
Version history
- Version 31.0.1 - June 2026 (USEM)
  - The following enhancements and changes support internal security directives:
    - Query ACLs added at the table level and field wildcard for the Fortify app-import staging table [sn_vul_fortify_app_import] to align with ServiceNow Platform Security guidance.
    - Preload and customization-detection fix scripts run exactly once per upgrade.
    - Translation packaging updated so newly activated locales automatically pick up Fortify-specific translations without requiring an instance repair.
- Version 2.7.1 - September 2025
  - Fixed:
    - Resolved the incorrect consolidation of vulnerabilities across different application releases in the Fortify On-Demand Integration. Previously, vulnerabilities were assigned using only the application ID, ignoring the release ID, causing all versions of an application to show identical vulnerability data.
    - The integration now correctly uses both application ID and release ID to assign vulnerabilities to their specific application versions.
    - Perform a one-time cleanup of the AVITs from Fortify, and then re-run both the application list and vulnerability list integrations to ensure accurate version-specific vulnerability mapping.
- Version 2.6.0 - May 2025
  - Fixes.
- Version 2.5.0 - November 2024
  - Minor fixes for this release.
- Version 2.4.2 - August 2024
  - Changed: The [sn_vul_fortify.buffer_hours] property has been removed from system properties and added to the Fortify Vulnerability Integration instance parameters.
- Version 2.3.3 - June 2024
  - New: Auto close for application vulnerable items is supported for the Fortify integrations.
- Version 2.3.1 - May 2024
  - Changed: View details such as total processing times, average times for pre- and post-integration run processes, and reports on the integration run records.
- Version 2.2.2 - February 2024
  - New:
    - You can reapply your configuration item (CI) lookup rules to update existing CIs (scanned applications and product models).
    - Manually create remediation tasks (AVULs) for application vulnerable items (AVITs) from remediation task records on the Group Configuration tab.
  - Fixed: Buffer time is a configurable parameter with the sn_vul_veracode.import_starttime_buffer system property. The buffer, in hours, is subtracted from Start Time (delta_start_time). The scanner imports results at the new derived delta start time.
- Version 2.2.1 - November 2023
  - New:
    - The Manage exceptions in ServiceNow and Manage false positives in ServiceNow options on the Fortify configuration page can help you triage your imported application vulnerabilities with ServiceNow workflows. These options are activated by default.
      - Manage exceptions in ServiceNow triages application vulnerable items (AVI) with the ServiceNow Exception management workflow. AVIs transition to Open, and you request exceptions from AVI records. Deactivate the option to preserve the Source states on AVIs imported from Fortify.
      - Manage false positives in ServiceNow triages false positives with the ServiceNow False positive workflow. AVIs transition to Open, and you request false positives from AVI records. Deactivate the option to preserve the Source states on AVIs imported from Fortify.
- Version 2.1.0 - August 2023 (Vancouver)
  - New: A new product model lookup rule is activated by the system property, Use Product Model [sn_vul.use_product_model]. This rule supports CSDM.
- Version 2.0.2 - March 2022
  - The Vulnerability Response integration with the Fortify on Demand product imports applications and application vulnerabilities to use with Application Vulnerability Response. Application Vulnerability Response is a feature in the ServiceNow Vulnerability Response application that helps you prioritize and remediate application vulnerabilities.
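The version 2.7.1 fix, as an added illustration that is not ServiceNow or Fortify code: the same findings assigned by application ID only and by application ID plus release ID, with a check for releases whose stored data would change after the cleanup and re-import. The sample data, field names (applicationId, releaseId, vulnId) and function names are assumptions made for this example.

```javascript
// Constructed sample data. Field names are assumptions for illustration,
// not the Fortify on Demand or ServiceNow schema.
const releases = [
  { applicationId: 101, releaseId: 1 },
  { applicationId: 101, releaseId: 2 },
  { applicationId: 202, releaseId: 7 },
];
const findings = [
  { applicationId: 101, releaseId: 1, vulnId: 'SQLI-1' },
  { applicationId: 101, releaseId: 1, vulnId: 'XSS-4' },
  { applicationId: 101, releaseId: 2, vulnId: 'XSS-4' },
  { applicationId: 202, releaseId: 7, vulnId: 'CSRF-9' },
];

// Key used before 2.7.1 as described: application ID only.
const appOnlyKey = (x) => String(x.applicationId);
// Key used from 2.7.1 as described: application ID plus release ID.
const compositeKey = (x) => `${x.applicationId}:${x.releaseId}`;

// Group findings by key, then give each release the group its own key selects.
function assign(releases, findings, keyOf) {
  const byKey = new Map();
  for (const f of findings) {
    const k = keyOf(f);
    if (!byKey.has(k)) byKey.set(k, new Set());
    byKey.get(k).add(f.vulnId);
  }
  const out = {};
  for (const r of releases) {
    const id = `${r.applicationId}/${r.releaseId}`;
    out[id] = [...(byKey.get(keyOf(r)) || [])].sort();
  }
  return out;
}

// Releases whose stored vulnerabilities differ from the composite-key result:
// these are the records the one-time cleanup and re-import would correct.
function releasesNeedingCleanup(stored, releases, findings) {
  const expected = assign(releases, findings, compositeKey);
  return Object.keys(stored)
    .filter((id) => JSON.stringify(stored[id]) !== JSON.stringify(expected[id]))
    .sort();
}

const before = assign(releases, findings, appOnlyKey);
const after = assign(releases, findings, compositeKey);
console.log(before, after, releasesNeedingCleanup(before, releases, findings));
```

With application-only keying, release 101/2 inherits SQLI-1 from release 101/1, which is the identical-data symptom the release note describes.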