Identify applications in Application Vulnerability Response automatically
Summary of Identify applications in Application Vulnerability Response automatically
Application Vulnerability Response (AVR) automatically identifies applications when vulnerability data is imported from third-party integrations by matching application data against the Configuration Management Database (CMDB). This process uses Configuration Item (CI) Lookup Rules to associate application vulnerable item (AVI) records with the correct applications, facilitating accurate vulnerability remediation.
How Application Identification Works
- During import, AVR searches the Scanned Application [sn_vul_app_scanned_application] table using source_app_id and app_name to find existing application matches from previous imports.
- If an application ID match is found, the matched application’s details populate the Application and Application Release fields in the AVI record.
- If no match is found or the application ID is empty, additional application information is used to attempt identification.
- If still unmatched, a placeholder scanned application record is created with only the Application Name and Application ID fields.
CI Lookup Rules
- CI Lookup Rules define how AVR matches applications to the CMDB records and are evaluated in order based on their assigned priority (lowest Order value first).
- The process stops once a single matching CI is found; if a rule returns multiple matches, only the first is used.
- By default, two rules—Source Application Id and Application Name—are included with the Veracode Vulnerability Integration.
- When a match occurs, the CI lookup rule used is recorded in the CI matching rule field on Scanned Applications to aid in traceability.
- To manage visibility, users can add the CI matching rule field to the Scanned Application list view using the Update Personalized List option.
Best Practices and Considerations
- CI Lookup Rules are specific to source integrations and can be domain separated; each deployment of a vulnerability integration maintains its own rule set.
- Rules are shared across all deployments of the same integration, so changes or deletions affect all deployments.
- Rules should be carefully designed and tested to prevent performance degradation during imports, as matching logic can be resource-intensive and slow.
- Rather than deleting rules, deactivate them to preserve configuration and allow recovery if needed.
- Testing custom or modified CI Lookup Rules is strongly recommended to avoid duplicates, orphaned records, and data inconsistencies.
Practical Impact for ServiceNow Customers
By leveraging automatic application identification through CI Lookup Rules in Application Vulnerability Response, customers can streamline vulnerability management by accurately linking vulnerabilities to existing CMDB applications. This reduces manual effort, improves remediation accuracy, and helps maintain clean and consistent data within the CMDB. Proper rule management and testing ensure optimal system performance and data integrity during vulnerability data imports.
When data is imported from a third-party integration, Application Vulnerability Response automatically uses application data to search for matches in the Configuration Management Database (CMDB). It does this using CI Lookup Rules. These rules identify applications for the application vulnerable item (AVI) record to aid in remediation.
As applications are imported, a lookup is performed on the Scanned Application [sn_vul_app_scanned_application] table using source_app_id and app_name to find matches to applications from prior imports. When an application ID match is found, its values are used in the Application and App release fields in the application vulnerable item record.
If a match is not found, or the application ID field is empty, the rules use the other application information to attempt to correctly identify the application. If a match is still not found, a placeholder scanned application record is created with only Application name and Application ID fields.
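The lookup sequence described above (prior-import lookup on the Scanned Application table, then CI Lookup Rules evaluated by Order, first match wins, placeholder when nothing matches) is modelled below in plain JavaScript so that the effect of rule ordering can be reasoned about offline. This is an added illustration, not ServiceNow's implementation: the record shapes, the `u_source_app_id` field, the sample CMDB rows and the two rules are all constructed for the example; only the rule names and the Scanned Application field names come from the page.

```javascript
// Added illustration of CI Lookup Rule evaluation order. Not ServiceNow code;
// every record and field below is constructed for this example.

// Constructed CMDB application CIs. Two share a name but have different source IDs.
const CMDB_APPS = [
  { sys_id: "ci-001", name: "Payments API", u_source_app_id: "VC-1001" },
  { sys_id: "ci-002", name: "Payments API", u_source_app_id: "VC-1002" },
  { sys_id: "ci-003", name: "HR Portal",    u_source_app_id: "" },
];

// Constructed Scanned Application records left behind by an earlier import.
const SCANNED_APPS = [
  { source_app_id: "VC-1001", app_name: "Payments API", application: "ci-001", app_release: "2.3.0" },
];

// Constructed CI Lookup Rules. Lower Order runs first; inactive rules are skipped.
// Each matcher returns the candidate CIs for one imported application.
const CI_LOOKUP_RULES = [
  { name: "Source Application Id", order: 100, active: true,
    match: (imp, cis) => imp.source_app_id
      ? cis.filter(ci => ci.u_source_app_id === imp.source_app_id)
      : [] },
  { name: "Application Name", order: 200, active: true,
    match: (imp, cis) => cis.filter(ci => ci.name.toLowerCase() === imp.app_name.toLowerCase()) },
];

// Step 1: look for the same application from a prior import.
function findScannedApplication(imp, scanned) {
  return scanned.find(s => s.source_app_id === imp.source_app_id && s.app_name === imp.app_name) || null;
}

// Step 2: walk the active rules by Order; stop at the first rule that returns
// anything. If a rule returns several CIs only the first is used, which the
// result flags as ambiguous so a test run can surface it.
function runCiLookupRules(imp, rules, cis) {
  const ordered = rules.filter(r => r.active).sort((a, b) => a.order - b.order);
  for (const rule of ordered) {
    const matches = rule.match(imp, cis);
    if (matches.length > 0) {
      return { ci: matches[0], rule: rule.name, ambiguous: matches.length > 1 };
    }
  }
  return { ci: null, rule: null, ambiguous: false };
}

// Step 3: combine both steps; fall back to a placeholder holding only name and ID.
function identifyApplication(imp, opts = {}) {
  const scanned = opts.scanned || SCANNED_APPS;
  const rules = opts.rules || CI_LOOKUP_RULES;
  const cis = opts.cis || CMDB_APPS;

  const prior = findScannedApplication(imp, scanned);
  if (prior && prior.application) {
    return { application: prior.application, app_release: prior.app_release,
             ci_matching_rule: null, placeholder: false, ambiguous: false };
  }
  const r = runCiLookupRules(imp, rules, cis);
  if (r.ci) {
    return { application: r.ci.sys_id, ci_matching_rule: r.rule,
             placeholder: false, ambiguous: r.ambiguous };
  }
  return { application: null, app_name: imp.app_name, source_app_id: imp.source_app_id,
           ci_matching_rule: null, placeholder: true, ambiguous: false };
}

// Dry-run helper for testing a rule set before an import: reports every
// imported application whose match was ambiguous or ended in a placeholder.
function reviewRuleSet(imports, rules) {
  return imports
    .map(imp => ({ imp, out: identifyApplication(imp, { rules }) }))
    .filter(x => x.out.ambiguous || x.out.placeholder)
    .map(x => `${x.imp.app_name} (${x.imp.source_app_id || "no id"}): ` +
              (x.out.placeholder ? "placeholder" : `ambiguous via ${x.out.ci_matching_rule}`));
}
```

Running `reviewRuleSet` over a sample of the incoming feed before activating a modified rule shows which applications would land on a placeholder or be matched by a rule that returned several CIs. Swapping the Order of the two constructed rules so that Application Name runs first makes the `VC-1002` import match `ci-001` instead of `ci-002`, which is exactly the kind of silent mis-association the page warns about when rules are not tested.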
The Source Application Id and Application Name lookup rules are shipped with the Veracode Vulnerability Integration, by default.
To make it easier to find matching issues, when a match is found, the CI lookup rule used to find it is added to the CI matching rule field for Scanned Applications. Click the Update Personalized List gear icon at the top of the Scanned Application list view to add it to the view.
Importing vulnerability data can be taxing on an instance, and resource and performance issues can occur if rules are not carefully constructed. The logic used to iterate through the CMDB and perform matching can result in lengthy processing times. To avoid degraded performance, test any custom-written CI Lookup Rules or modifications to pre-defined CI Lookup Rules before relying on them. See Prevent duplicate or orphaned records after running Application Vulnerability Response CI lookup rules for more information on preventing duplicate or orphaned records, deleting data, and cleaning up data.