Configuring the Deps.dev, OSV.dev, and PaCE integrations for Software Bill of Materials
This guide explains how to configure and manage the Deps.dev, OSV.dev, and Policy as Code Engine (PaCE) integrations within the Software Bill of Materials (SBOM) Response application in ServiceNow Yokohama release. These integrations help identify stale and abandoned software components and assess compliance through automated vulnerability and policy evaluations.
Deps.dev Integration
- The Deps.dev integration identifies components as stale or abandoned based on version and update thresholds.
- Default thresholds classify stale components as those two major versions and two years behind the latest, while abandoned components have no updates for over two years; these thresholds are configurable via system properties.
- The integration comes activated by default and is scheduled to run weekly, but you can modify its run schedule and execute it on-demand from the integration record.
- Requires the sn_vul.app_configure_integrations role to edit schedules and settings.
- Imported data is viewable on the SBOM Workspace Home page and in the BOM Queue module, and is stored in the Package Groups [sn_sbom_pkg_group] table.
- A separate on-demand code trigger version exists for internal workflows; it should not be triggered manually.
OSV.dev Integration - Comprehensive
- This integration is activated by default and can be run on-demand from its integration record (not the internal on-demand code trigger version).
- It requires the sn_vul.app_configure_integrations role for configuration and initiation.
- Imported vulnerability data appears on the SBOM Workspace Home page (Vulnerability tab) and in the Libraries module, and is stored in the Application Vulnerable Entries [sn_vul_app_vul_entry] and National Vulnerability Database Entries [sn_vul_nvd_entry] tables.
- The batch size for API calls (default 75 PURLs) can be adjusted in the Open Source Vulnerabilities Instance settings, but changing this may impact performance.
Policy as Code Engine (PaCE) Activation
- Starting with SBOM Response version 4.0, components identified as stale or abandoned are marked as Non-compliant in the PaCE interface within the SBOM Workspace.
- This compliance evaluation is enabled by activating the scheduled job Run PaCE policies for SBOM Response, which is disabled by default.
- PaCE integration provides a policy-driven approach to managing component compliance related to SBOM data.
Important Notes on Internal Code Trigger Integrations
- Deps.dev and OSV.dev have internal on-demand code trigger versions introduced for performance and internal workflows starting with SBOM Response v3.2.
- These internal integrations must not be manually initiated by customers via the Execute Now button.
- Customers should use the standard scheduled or on-demand integrations for their use cases.
You can edit some of the parameters for the Deps.dev and OSV.dev integrations. There are also two code trigger versions of these integrations that are used strictly for internal workflows, and you should not initiate these integrations on-demand. Additionally, you can activate a scheduled job to create policies using Policy as Code Engine (PaCE).
Code trigger integrations for internal workflows
- OSV Integration (on-demand code trigger)
- Deps.dev Integration (on-demand code trigger)
Configuring the run schedule for the Deps.dev Integration
The Deps.dev Integration is installed with SBOM Response. The integration is activated (Active check box selected on the integration record) by default and scheduled to run weekly. Note that this is not the on-demand Deps.dev code trigger integration; you can edit the schedule and initiate the scheduled job on-demand from its integration record.
To modify the schedule, navigate to . The sn_vul.app_configure_integrations role is required to edit the schedule of this integration.
The stale and abandoned thresholds are set with the following system properties:
- sn_sbom_resp.pkg_abandoned_threshold
- sn_sbom_resp.pkg_stale_threshold
- sn_sbom_resp.pkg_stale_version_threshold
The threshold values for abandoned and stale are in months. The threshold value for version is numerical (a count of major versions).
You can view imported data on the Home page of the workspace and in the BOM Queue module. Imported data is stored in the Package Groups [sn_sbom_pkg_group] table.
Configuring and initiating the OSV.dev Integration - Comprehensive
The OSV.dev Integration - Comprehensive integration is installed with SBOM Response. The integration is activated (Active check box selected on the integration record) by default. Note that this is not the on-demand OSV.dev code trigger integration, and you must initiate this integration on-demand from its integration record.
To configure and initiate this integration, navigate to . The sn_vul.app_configure_integrations role is required.
You can view imported data on the Home page of the workspace (on the Vulnerability tab of records from the entities list) and in the Libraries module. Imported data is stored in the Application Vulnerable Entries [sn_vul_app_vul_entry] and the National Vulnerability Database Entries [sn_vul_nvd_entry] tables.
The batch size for API calls (the number of PURLs sent per request) is set in the Open Source Vulnerabilities Instance settings. You might prefer to leave this value at its default setting, because altering it might impact performance.
Activating PaCE
Starting with version 4.0 of SBOM Response, components that are identified as stale or abandoned are shown as Non-compliant in the Policy as Code Engine (PaCE) interface that is available in the SBOM Workspace.
- Activate the Run PaCE policies for SBOM Response scheduled job to determine whether components are stale or abandoned. This scheduled job is deactivated by default.
- View components that are identified as stale or abandoned as Non-compliant in the PaCE interface in the SBOM Workspace.
See Integrating PaCE with other applications for more information about PaCE and PaCE policies.
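As an added illustration of the classification that the Deps.dev thresholds drive and that PaCE surfaces as Non-compliant (this is not ServiceNow's own code): a stand-alone Python sketch. The default threshold values are the ones stated in the summary above (two years, two major versions); the exact comparison rules for measuring the time and version gaps are assumptions, since the page does not spell them out; the sample packages are constructed.

```python
from datetime import date

# Defaults as the page states them: time thresholds in months, version threshold
# as a count of major versions. On a real instance these come from the
# sn_sbom_resp.* system properties; the values here are the documented defaults.
DEFAULT_THRESHOLDS = {
    "sn_sbom_resp.pkg_abandoned_threshold": 24,
    "sn_sbom_resp.pkg_stale_threshold": 24,
    "sn_sbom_resp.pkg_stale_version_threshold": 2,
}


def months_between(earlier: date, later: date) -> int:
    """Whole calendar months from `earlier` to `later`."""
    months = (later.year - earlier.year) * 12 + (later.month - earlier.month)
    if later.day < earlier.day:  # partial month does not count
        months -= 1
    return months


def major(version: str) -> int:
    """Leading numeric component of a version string, e.g. 'v4.17.21' -> 4."""
    return int(version.lstrip("vV").split(".")[0])


def classify_component(used_version: str, used_released: date,
                       latest_version: str, latest_released: date,
                       today: date, thresholds=DEFAULT_THRESHOLDS) -> str:
    """Return 'abandoned', 'stale' or 'current' for one SBOM component.

    Assumed rules: abandoned when the package has had no release for more than
    the abandoned threshold; stale when the version in use is at least the
    version threshold of major versions AND at least the stale threshold of
    months behind the latest release. Abandoned takes precedence over stale.
    """
    if months_between(latest_released, today) > thresholds["sn_sbom_resp.pkg_abandoned_threshold"]:
        return "abandoned"
    versions_behind = major(latest_version) - major(used_version)
    months_behind = months_between(used_released, latest_released)
    if (versions_behind >= thresholds["sn_sbom_resp.pkg_stale_version_threshold"]
            and months_behind >= thresholds["sn_sbom_resp.pkg_stale_threshold"]):
        return "stale"
    return "current"


def pace_status(classification: str) -> str:
    """PaCE marks stale and abandoned components Non-compliant."""
    return "Non-compliant" if classification in ("stale", "abandoned") else "Compliant"
```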