Creating rules for application vulnerable items in the Software Bill of Materials Workspace
Before you can see application vulnerable items (AVITs) in the Software Bill of Materials (SBOM) Workspace, you must set up the conditions under which AVITs are created.
AVITs in the SBOM Workspace
If you’ve installed and activated the SBOM Response application, AVITs are created for SBOM files if any of the imported data matches the conditions of your existing AVIT creation rules.
The SBOM Response and Vulnerability Response applications are required to set up rules for creating application vulnerable items (AVITs) automatically and remediating them with the Application Vulnerability Response workflow. See Exploring Software Bill of Materials for more information.
As a user with the sn_sbom_resp.manage_avi_rule role, you must add AVIT creation rules in the SBOM Workspace before you can create AVITs for the vulnerabilities that are found in your ingested SBOM data. AVITs enable you to evaluate the integrity of the third-party components in your applications. An AVIT is created in your instance when an application is matched to a component that has an associated vulnerability.
In the SBOM Workspace, you can view only SBOM AVITs. However, you can view SBOM AVITs along with other types of vulnerable items in the Vulnerability Manager Workspace in Vulnerability Response. All AVITs that have been created in the SBOM Workspace are also listed in the List module, which additionally includes all the NVD and CWE entries and application vulnerabilities.
You can also assign AVITs for remediation based on recommendations from known vulnerability lists such as the National Vulnerability Database (NVD). A scheduled job runs, and if the ingested data matches the conditions of your creation rules, AVITs are created.
You can track and remediate AVITs by setting up customized rules.
See Create an application vulnerable item rule in the Software Bill of Materials Workspace for information about how to create a rule.
SBOM AVITs in Vulnerability Manager Workspace in Vulnerability Response
You can view any SBOM AVITs that are created in the SBOM Workspace in the Vulnerability Manager Workspace if you have access to it.
For more information about the Vulnerability Manager Workspace, how to view watch topics, application remediation efforts, and application remediation task rules for AVITs that are configured from the Vulnerability Response application in the Vulnerability Manager Workspace, see Use watch topics in the Vulnerability Manager Workspace.
Remediation tasks (AVULs) are created from AVITs and assigned automatically to groups for remediation based on your assignment rules. For more information about how to create these rules, see the following topics:
Reopening application vulnerable items in SBOM Response
A Closed AVIT is reopened automatically when all of the following conditions are met:
- The vulnerability associated with the AVIT is detected again by a third-party integration's vulnerability scans, or the component with the vulnerability is part of a subsequent SBOM upload.
- You have not deactivated the Reopen AVITs if detected (sn_sbom_resp.reopen_avits_if_detected) system property. This system property is activated by default.
- The substate of the Closed AVIT is not one of the following: Mitigation Control in Place, Not Affected, or False Positive. AVITs with these substates are not reopened by the system property.
Deactivate this system property only if you do not want Closed AVITs to reopen automatically.
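The creation and reopening behaviour described above (AVITs created when ingested SBOM data matches a creation rule; Closed AVITs reopened on a later upload unless the property is off or the substate blocks it), as an added illustrative model in plain JavaScript. It is not ServiceNow's own code: the rule predicate, the vulnerability list, the package URLs and the vulnerability ids are constructed placeholders, since the real rule conditions are configured in the SBOM Workspace UI.

```javascript
// Added illustrative model, not ServiceNow's own code: how matched SBOM data becomes
// AVITs and when a Closed AVIT is reopened by a subsequent SBOM upload.

// Substates that block automatic reopening (as listed on this page).
const NO_REOPEN_SUBSTATES = new Set([
  "Mitigation Control in Place", "Not Affected", "False Positive",
]);

// Constructed vulnerability list standing in for NVD data; ids and scores are placeholders.
const KNOWN_VULNS = {
  "pkg:npm/example-lib@1.2.3": [{ id: "VULN-PLACEHOLDER-1", cvss: 7.4 }],
  "pkg:maven/org.example/util@2.0": [{ id: "VULN-PLACEHOLDER-2", cvss: 3.1 }],
};

// Constructed creation rule (assumption): real rule conditions live in the SBOM Workspace.
const CREATION_RULES = [{ name: "CVSS 7.0 or higher", matches: (v) => v.cvss >= 7.0 }];

// Processes one SBOM upload for an application against the AVITs that already exist.
// `reopenIfDetected` models the sn_sbom_resp.reopen_avits_if_detected system property.
function processSbomUpload(app, components, existingAvits, reopenIfDetected) {
  const result = { created: [], reopened: [], keptClosed: [], alreadyOpen: [] };
  const byKey = new Map(existingAvits.map((a) => [`${a.app}|${a.purl}|${a.vulnId}`, a]));

  for (const purl of components) {
    for (const vuln of KNOWN_VULNS[purl] || []) {
      // An AVIT is created only when some creation rule matches the component match.
      if (!CREATION_RULES.some((r) => r.matches(vuln))) continue;
      const key = `${app}|${purl}|${vuln.id}`;
      const existing = byKey.get(key);
      if (!existing) {
        const avit = { app, purl, vulnId: vuln.id, state: "Open", substate: null };
        byKey.set(key, avit);
        result.created.push(avit);
      } else if (existing.state !== "Closed") {
        result.alreadyOpen.push(existing); // no duplicate AVIT for a finding already tracked
      } else if (reopenIfDetected && !NO_REOPEN_SUBSTATES.has(existing.substate)) {
        existing.state = "Open"; // detected again: reopen the Closed AVIT
        existing.substate = null;
        result.reopened.push(existing);
      } else {
        result.keptClosed.push(existing); // property off or a blocking substate
      }
    }
  }
  return result;
}
```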