Application Vulnerable Item (AVI) states

  • Release version: Yokohama
  • Updated July 31, 2025
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Application Vulnerable Item (AVI) states

    Application Vulnerability Response provides a state model to track the status of Application Vulnerable Items (AVIs) at any given time. Understanding these states helps ServiceNow customers effectively manage and remediate vulnerabilities detected in their applications by third-party scanners like Fortify.

    Show full answer Show less

    AVI State Flow and Actions

    The State field in an AVI is read-only and maps to remediation statuses imported from third-party tools. The key states and their functionalities include:

    • Open: Initial state when an AVI is created. From here, you can get detailed vulnerability info, mark as false positive, request exception (defers remediation), resolve, or close the AVI.
    • Deferred: Triggered by requesting an exception and enters an approval workflow before further actions. Allows viewing vulnerability details and similar actions as Open.
    • Under Investigation: Indicates active analysis. Allows manual transition to Awaiting Implementation, or actions like marking false positive, requesting exceptions, resolving, or closing.
    • Awaiting Implementation: Manually set once a fix is ready but not yet implemented. Allows transitioning back to Open or Under Investigation, and then resolving or closing after implementation.
    • Resolved: Set when an issue has been remediated. Notes and resolution info are recorded here. Can be reopened or closed.
    • Closed: Final state when remediation is complete and verified. Can be reopened if necessary.

    Transitions between these states support workflows like false positive marking, exception requests, and closure with required documentation.

    Application Remediation Task States

    Remediation tasks linked to AVIs also have defined states that reflect their progress:

    • States in precedence order: Closed > Deferred > Resolved > In Review > Awaiting Implementation > Under Investigation > Open
    • The state changes as remediation actions are performed, similar to Host Remediation Tasks.
    • Starting with version 23.0, the Close button for remediation tasks is removed to ensure scanner-driven closure, improving automation and accuracy.

    Practical Implications for ServiceNow Customers

    • Understanding AVI states enables better tracking and management of vulnerabilities through their lifecycle.
    • State transitions orchestrate remediation workflows including approvals for exceptions and handling false positives.
    • The integration with third-party scanners like Fortify ensures imported data drives state changes and remediation efforts.
    • Application Remediation Tasks' states align with AVI states, enabling coherent tracking of remediation progress.
    • Automation improvements in newer releases reduce manual closure errors and increase remediation accuracy.

    Application Vulnerability Response offers a state model for the status of your application vulnerable items (AVIs), at any given time. Knowing how each state relates to and affects each other helps you to determine when and how to remediate your AVIs.

    Application Vulnerable Item states

    Understanding how states work helps with creating or editing application vulnerable item (AVI) rules. AVIs have several possible states that are mapped from imported Remediation status from the third-party integration. In an AVI, the State field is read-only.

    Table 1. Application Vulnerability Response state flow diagram
    State Description
    Open State upon creation. From this state you can:
    V16: Get More Details
    Get the following information about an AVI imported from Fortify:
    • Vulnerability summary
    • Vulnerability explanation
    • Recommendation
    • References
    • Request
    • Response
    V16: Mark as false positive
    Mark an item as false positive if the scanner reports that a vulnerability exists in the system, but in reality there is no vulnerability.
    V16: Request exception
    Request an exception, a reopen (Until) date, a reason, and optionally, provide addition information. Defers the remediation of the item until the date till which an exception is requested.
    V15: Close
    Select the Closed state, a reason from the Close Vulnerable Item dialog box, and provide addition information. Closes the AVI.
    V15: Resolve
    Mark an open AVI as Resolved to move it to a resolved state. You must add resolution notes in the Resolve Application Vulnerable Item dialog box.
    Deferred V15: This is triggered by the Request Exception option. As part of the approval workflow, the Deferred state is In Review and cannot be closed until approved.

    From this state you can:

    V16: Get More Details
    Get the following information about an AVI imported from Fortify:
    • Vulnerability summary
    • Vulnerability explanation
    • Recommendation
    • References
    • Request
    • Response
    Reopen
    Transitions a closed or resolved AVI back to an Open state.
    Close
    Select the Closed state, a reason, and provide addition information. Closes the AVI.
    Under Investigation Select this option from the State list. From this state you can:
    V20.0
    Manually transition a remediation task or AVI record to Awaiting Implementation.
    V16: Get More Details
    Get the following information about an AVI imported from Fortify:
    • Vulnerability summary
    • Vulnerability explanation
    • Recommendation
    • References
    • Request
    • Response
    V16: Mark as false positive
    Mark an item as false positive if the scanner reports that a vulnerability exists in the system, but in reality there is no vulnerability.
    V16: Request exception
    Request an exception, a reopen (Until) date, a reason, and optionally, provide addition information. Defers the remediation of the item until the date till which an exception is requested.
    V15: Close
    Select the Closed state, a reason from the Close Vulnerable Item dialog box, and provide addition information. Closes the AVI.
    V15: Resolve
    Mark an open AVI as Resolved to move it to a resolved state. You must add resolution notes in the Resolve Application Vulnerable Item dialog box.
    Awaiting Implementation

    You can only transition records to this state manually by selecting Awaiting Implementation from AVI and remediation task records in the Under Investigation state. From this state you can:

    Open
    Transitions AVI back to an Open state.
    Under Investigation
    Get more information for resolution. Transitions to Under Investigation.
    Resolve
    Mark an open AVI as Resolved to move it to a resolved state. You must add resolution notes in the Resolve Application Vulnerable Item dialog box.
    Close
    Select the Closed state, a reason from the Close Vulnerable Item dialog box, and provide addition information. Closes the AVI.

    In this state, Transition a record into Awaiting Implementation when your research and work on a task is complete and although a fix is ready for implementation, it is not yet available.

    Set the Remediation Commitment date and Remediation plan fields.

    After implementation, you resolve or close the records.
    Resolved Triggered from the Resolve button. From this state you can:
    V16: Get More Details
    Get the following information about an AVI imported from Fortify:
    • Vulnerability summary
    • Vulnerability explanation
    • Recommendation
    • References
    • Request
    • Response
    Reopen
    Transitions back to an Open state.
    Close
    Select the Closed state, a reason, and provide addition information. Closes the group.

    Notes and Resolution information appear under the Notes tab.
    Closed Triggered from the Close button. From this state you can:

    Reopen: Transitions back to an Open state.
    Note:
    Refer to the Integrating Application Vulnerability Response with other applications for understanding different integrations that sourced the AVI.

    Application Remediation Task states

    From the creation to closure of an Application Remediation Task, the Application Remediation Task transitions through various states during the entire remediation process.

    The state precedence is as follows:

    Closed > Deferred > Resolved > In Review > Awaiting Implementation > Under Investigation > Open

    The state transition happens as you perform various actions such as Defer, Open, Close, etc.

    The actions you can perform on an Application Remediation Task at a specific state is similar to that of a Host Remediation Task. Hence, for more information, see the Vulnerability Response remediation task states and State roll-up and roll-down scenarios in the Vulnerability Response documentation.

    Note:
    Starting with v23.0 of Vulnerability Response, the Close button has been removed to ensure that the closure of the Remediation task is driven by the scanner.