Managing state mapping for deferrals and false positives in Application Vulnerability Response

Release version: Yokohama

Updated January 30, 2025

2 minutes to read

Summarize

Summarized using AI

Summary of Managing state mapping for deferrals and false positives in Application Vulnerability Response

This feature in Application Vulnerability Response (AVR) Yokohama release allows ServiceNow customers to control how source states from vulnerability scanner integrations (Veracode and Fortify) are mapped to target states within their ServiceNow instance. This capability enhances triaging flexibility for imported Application Vulnerable Items (AVIs), enabling better management of exceptions (deferrals) and false positives through ServiceNow workflows.

Show full answer Show less

Key Features

Exception (Deferral) Management:
- Source states such as "Will Not Fix," "Remediation Deferred," "Risk Accepted," and "Risk Mitigated" from Fortify are mapped to a Deferred target state with substates like "Risk Accepted."
- Customers can choose to manage exceptions within ServiceNow using the Exception Management workflow. When enabled (default), AVIs mapped to Deferred are triaged as exceptions, requiring explicit exception requests via the AVI record UI.
- If this option is disabled, the source states are preserved and mapped directly to Deferred states without triggering the exception workflow, and the Request Exception UI action is hidden.
False Positive Management:
- Source states such as "False Positive" or "Potential False Positive" from Veracode are mapped to Closed target states with a False Positive substate.
- When managing false positives in ServiceNow (default enabled), AVIs with these source states are triaged through the Exception Management workflow, mapped instead to an Open triage target state, and allow users to request False Positive status via the UI action.
- If disabled, these AVIs retain their source states, are mapped directly to Closed with a False Positive reason, bypass the false positive workflow, and the False Positive UI action is not available.

What This Enables for ServiceNow Customers

Greater control over how vulnerabilities imported from external scanners are triaged and tracked within ServiceNow.
Ability to enforce formal workflows for managing deferrals and false positives, ensuring compliance and auditability via exception requests.
Flexibility to preserve original scanner states if customers prefer simpler state mappings without additional workflow triage.
Improved visibility and actionability of vulnerability status through UI actions, aligned with customer governance processes.

You can manage how the Source states on application vulnerable items (AVIs) imported by the Veracode Vulnerability Integration and Fortify Vulnerability Integration are mapped in your instance after import.

Starting with v20.0 of Vulnerability Response, you have more options for triaging your imported AVIs with ServiceNow workflows.

When you Configure the Fortify on Demand Vulnerability Integration or the Configure the Veracode Vulnerability Integration, the integration configuration pages provide you with two options to help you manage exceptions and false positives in your instance.

Manage exceptions in ServiceNow
Manage false positives in ServiceNow

Role required: App-Sec Manager.

Use case for Exception management

AVIs are imported from these integrations with Source states. Upon import, these state are mapped to Target and Target reason states in your instance, because in some cases there are no exact matches between the source states of your scanner and the states used by your instance.

For example, source states such as Will Not Fix, Remediation Deferred, Risk Accepted, and Risk Mitigated from the Fortify on Demand Vulnerability Integration are mapped to the Deferred state with a substate of Risk Accepted or Mitigating Control in Place in your instance.

You have the following options on the configuration pages for these integrations:


Option	Check box selected	Description
Manage exceptions in ServiceNow	Y (by default)	If you leave this option selected, you must request exceptions from AVI records. Imported AVIs marked for the Deferred state are triaged with the ServiceNow Exception Management workflow. AVIs with Source states that normally are mapped to a Deferred state are mapped to the Target triage state in the Open state.
	N	If you deactivate the check box, you preserve the Source states imported from your scanner. These AVIs are mapped to the Target state as Deferred, and to a Target reason state in your instance. They are not triaged by the exception workflow, because they are not mapped to the Target triage state and Target triage reason states. The Request Exception UI action is not available on the AVI record, because the record already in the Deferred Target state.

Use case for False positive

For false positives from the Veracode Vulnerability Integration as an aexample, source states such as False Positive or Potential False Positive are mapped to the Closed Target state with a substate of False Positive.


Option	Check box selected	Description
Manage false positives in ServiceNow	Y (by default)	If you leave this option selected, you must request a False Positive from AVI records. Imported AVIs marked for the False Positive or Potential False Positive states are triaged with the ServiceNow Exception Management workflow. AVIs with Source states that normally are mapped to a Closed Target state are mapped to a Target triage state in Open. The False Positive UI action is available on the AVI record.
	N	If you deactivate the check box, you preserve the Source states imported from your scanner. These AVIs are mapped to the Target state as Closed and a Target reason state in False Positive in your instance. They are not triaged by the false positive workflow. The False Positive UI action is not available on the AVI record, because the record is already in the Closed Target state.