Configuring the Deps.dev, OSV.dev, and PaCE integrations for Software Bill of Materials
Summary of Configuring the Deps.dev, OSV.dev, and PaCE integrations for Software Bill of Materials
This guide explains how to configure and manage the Deps.dev, OSV.dev, and Policy as Code Engine (PaCE) integrations within ServiceNow's Software Bill of Materials (SBOM) Response. These integrations help identify stale, abandoned, and vulnerable software components, enabling better risk management and compliance within your software supply chain.
Deps.dev Integration
- Purpose: Identifies components in stale or abandoned states based on version and time thresholds.
- Configuration: The integration schedule can be modified under All > Vulnerability Response > Administration > Integrations > Deps.dev Integration. Editing requires the sn_vul.app_configure_integrations role.
- Thresholds: Stale and abandoned definitions are based on system properties, which can be adjusted at All > System Properties > All Properties. Key properties include sn_sbom_resp.pkg_abandoned_threshold, sn_sbom_resp.pkg_stale_threshold, and sn_sbom_resp.pkg_stale_version_threshold.
- Operation: The integration runs on a default weekly schedule and can be initiated manually from its integration record (not the on-demand code trigger version, which is for internal use only).
- Data Access: Imported data is visible on the SBOM Workspace Home page and the BOM Queue module, and is stored in the Package Groups [sn_sbom_pkg_group] table.
OSV.dev Integration - Comprehensive
- Purpose: Provides vulnerability data for software components to identify security risks.
- Configuration: Manage this integration at All > Vulnerability Response > Administration > Integrations > OSV.dev Integration - Comprehensive with the required sn_vul.app_configure_integrations role.
- Batch Size Parameter: The batchSize parameter controls the number of PURLs per API call (default 75), configurable under the Open Source Vulnerabilities Instance settings. Altering this may affect performance.
- Operation: Activated by default and can be run on-demand from its integration record (distinct from the internal on-demand code-trigger version).
- Data Access: Results are available on the SBOM Workspace Home page, the Vulnerability tab on entity records, and the Libraries module. Data resides in the Application Vulnerable Entries [sn_vul_app_vul_entry] and National Vulnerability Database Entries [sn_vul_nvd_entry] tables.
Code Trigger Integrations for Internal Workflows
Two code-trigger versions of Deps.dev and OSV.dev integrations exist for internal workflow performance enhancements and must not be manually initiated via the Execute Now button. These are separate from the configurable scheduled and on-demand integrations.
Policy as Code Engine (PaCE) Integration
- Functionality: Starting with SBOM Response version 4.0, components identified as stale or abandoned are marked as ‘Non-compliant’ in the PaCE interface accessible via the SBOM Workspace.
- Activation: The scheduled job Run PaCE policies for SBOM Response controls this feature and is deactivated by default.
- Benefits: Enables automated policy enforcement and visibility of compliance status for SBOM components.
Practical Considerations for ServiceNow Customers
- Ensure you have the sn_vul.app_configure_integrations role to configure and manage these integrations.
- Do not manually trigger internal code-trigger integrations, to avoid disrupting internal workflows.
- Adjust stale and abandoned thresholds to align with your organization’s risk tolerance and software update policies.
- Monitor imported data through the SBOM Workspace and relevant modules to stay informed about component status and vulnerabilities.
- Activate and schedule the PaCE job to leverage automated compliance reporting on SBOM components.
You can edit some of the parameters for the Deps.dev and OSV.dev integrations. There are also two code trigger versions of these integrations that are used strictly for internal workflows, and you should not initiate these integrations on-demand. Additionally, you can activate a scheduled job to create policies using Policy as Code Engine (PaCE).
Code trigger integrations for internal workflows
- OSV Integration (on-demand code trigger)
- Deps.dev Integration (on-demand code trigger)
Configuring the run schedule for the Deps.dev Integration
To modify the schedule, navigate to . The sn_vul.app_configure_integrations role is required to edit the schedule of this integration.
- sn_sbom_resp.pkg_abandoned_threshold
- sn_sbom_resp.pkg_stale_threshold
- sn_sbom_resp.pkg_stale_version_threshold
The Deps.dev Integration is installed with SBOM Response. The integration is activated (Active check box selected on the integration record) by default and scheduled to run weekly. Note that this is not the on-demand Deps.dev code trigger integration; you can edit the schedule and initiate the scheduled job on-demand from its integration record.
The threshold values for abandoned and stale are in months. The threshold value for version is numerical.
You can view imported data on the Home page of the workspace and in the BOM Queue module. Imported data is stored in the Package Groups [sn_sbom_pkg_group] table.
Configuring and initiating the OSV.dev Integration - Comprehensive
To configure and initiate this integration, navigate to . The sn_vul.app_configure_integrations role is required.
You can view imported data on the Home page of the workspace on the Vulnerability tab on records from the entities list and in the Libraries module. Imported data is stored in the Application Vulnerable Entries [sn_vul_app_vul_entry] and the National Vulnerability Database Entries [sn_vul_nvd_entry] tables.
You might prefer to leave the batchSize parameter (the number of PURLs sent per API call, default 75) at its default setting. Altering the value might impact performance.
The OSV.dev Integration - Comprehensive integration is installed with SBOM Response. The integration is activated (Active check box selected on the integration record) by default. Note that this is not the on-demand OSV.dev code trigger integration, and you must initiate this integration on-demand from its integration record.
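As an added illustration (not ServiceNow's own code), the following shows what the batchSize parameter governs: an inventory of PURLs is split into chunks of batchSize, each chunk becomes one request, and each response is mapped back to its packages positionally. The request and response shapes follow the public OSV.dev /v1/querybatch API; that the ServiceNow integration sends an equivalent request is an assumption, and the PURLs and vulnerability IDs below are constructed samples.

```python
from typing import Any, Dict, List, Sequence

# Default batchSize of the OSV.dev Integration - Comprehensive, as stated on this page.
DEFAULT_BATCH_SIZE = 75


def build_querybatch_payloads(purls: Sequence[str],
                              batch_size: int = DEFAULT_BATCH_SIZE) -> List[Dict[str, Any]]:
    """Split PURLs into chunks of batch_size; one OSV querybatch body per chunk.
    Body shape follows the public OSV.dev /v1/querybatch API (assumed equivalent here)."""
    if batch_size < 1:
        raise ValueError("batch_size must be at least 1")
    payloads = []
    for start in range(0, len(purls), batch_size):
        chunk = purls[start:start + batch_size]
        payloads.append({"queries": [{"package": {"purl": p}} for p in chunk]})
    return payloads


def api_calls_needed(purl_count: int, batch_size: int = DEFAULT_BATCH_SIZE) -> int:
    """Calls required for an inventory (ceiling division): a smaller batchSize means
    more calls per run, which is the performance trade-off the page warns about."""
    return (purl_count + batch_size - 1) // batch_size


def parse_querybatch_response(purls: Sequence[str],
                              response: Dict[str, Any]) -> Dict[str, List[str]]:
    """Map each queried PURL to its vulnerability IDs.
    querybatch results are positional (results[i] answers queries[i]) and a package
    with no findings comes back as an empty object, so the lengths must match or
    findings would be attributed to the wrong component."""
    results = response.get("results", [])
    if len(results) != len(purls):
        raise ValueError(f"expected {len(purls)} results, got {len(results)}")
    return {purl: [v["id"] for v in entry.get("vulns", [])]
            for purl, entry in zip(purls, results)}


# Constructed sample inventory and a constructed response (vuln IDs are placeholders).
SAMPLE_PURLS = ["pkg:npm/left-pad@1.0.0", "pkg:pypi/requests@2.0.0",
                "pkg:maven/org.example/lib@1.2.3"]
SAMPLE_RESPONSE = {"results": [
    {"vulns": [{"id": "EXAMPLE-0001", "modified": "2024-01-01T00:00:00Z"}]},
    {},
    {"vulns": [{"id": "EXAMPLE-0002"}, {"id": "EXAMPLE-0003"}]},
]}

if __name__ == "__main__":
    print(api_calls_needed(len(SAMPLE_PURLS), 2), build_querybatch_payloads(SAMPLE_PURLS, 2))
    print(parse_querybatch_response(SAMPLE_PURLS, SAMPLE_RESPONSE))
```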
Activating PaCE
Starting with version 4.0 of SBOM Response, you can view components that are identified as stale or abandoned as ‘Non-compliant’ in the Policy as Code Engine (PaCE) interface that is available in the SBOM Workspace.
- Determine if components are stale or abandoned with the Run PaCE policies for SBOM Response scheduled job. This scheduled job is deactivated by default.
- View components that are identified as stale or abandoned as Non-compliant in the PaCE interface that is available in the SBOM Workspace.
See Integrating PaCE with other applications for more information about PaCE and PaCE policies.