Understanding the NVD integrations
Summary of Understanding the NVD integrations
The NVD integrations in ServiceNow leverage data from the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) to help you assess and prioritize vulnerabilities in your code. These integrations work with Vulnerability Response to import and enrich vulnerability data, including Common Vulnerabilities and Exposures (CVE) and Common Platform Enumeration (CPE) information.
It is essential to run these integrations during the initial setup of Vulnerability Response and before importing vulnerability data from third-party scanners like Qualys. The integrations run as scheduled jobs, typically daily or weekly, to keep your vulnerability data current and synchronized.
Key Features
- Automatic and manual scheduled jobs: The NIST NVD Integration for CVE runs automatically daily by default, while other integrations like CPE imports are inactive by default and require manual activation.
- Multiple integrations available: Includes separate integrations for CVE data, CPE data, and unmapped CPE data, enabling comprehensive vulnerability information management.
- Data enrichment: Imported NVD and CWE data enrich vulnerability records and vulnerable items in ServiceNow, creating clear relationships between third-party scanner identifiers (e.g., Qualys QID) and NVD CVE/CPE/CWE data.
- Run-as user configuration: Each integration uses a configured run-as user (default VR.System) that should not be changed to ensure proper functionality.
- Integration management: You can view and manage these integrations under Vulnerability Response or Application Vulnerability Response > Administration > Integrations.
Practical Guidance for ServiceNow Customers
- Before importing vulnerability data from third-party scanners, first install and run at minimum the NIST National Vulnerability Database Integration - API (CVE only) and the CWE Integration to properly enrich your vulnerability data.
- Schedule the CWE import job to run before the NVD update job (default weekly on Monday) for optimal data consistency.
- Verify successful initial imports of CVE, CPE, and CWE data before proceeding with third-party vulnerability data ingestion.
- Activation of these plugins in production environments may require additional licensing; plan accordingly.
- The older combined “NIST National Vulnerability Database Integration-API (CVE and CPE)” is deprecated; use the separate integrations instead.
Expected Outcomes
- Enhanced understanding of vulnerabilities through enriched data that links third-party scanner identifiers with official NVD CVE, CPE, and CWE data.
- Improved vulnerability prioritization and remediation workflows in ServiceNow Vulnerability Response, supported by up-to-date NVD information.
- Automated synchronization of vulnerability data with the NVD to maintain accurate and current security posture insights.
The NVD integrations use data imported from the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) product to help you determine the impact and priority of flaws in your code. Run this integration as part of your initial setup of Vulnerability Response and prior to importing vulnerability data into your instance with a third-party scanner product.
Request apps on the Store
Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.
Available versions
| Release version | Release Notes |
|---|---|
| Vulnerability Response Integration with NVD v1.2 | |
Initial import of vulnerability data with the NVD and CWE integrations
- Perform an initial import of CWE data with the CWE Comprehensive 2000 Integration.
  See Configure and run the scheduled job for updating CWE records. By default, you perform CWE updates On Demand from the integration record, and you must configure it.
  Note: Schedule the CWE update to run prior to the NVD database update. The default day for the NVD update is Weekly on Monday.
- Verify the Vulnerability Response Integration with NVD application is installed and an initial data import from either the NIST National Vulnerability Database Integration - API (CVE only) or the NIST National Vulnerability Database Integration - API (CVE and CPE) is successful.
  For CPEs, verify an initial data import from the NIST National Vulnerability Database Integration - API (CPE only) is successful.
  Activation of this plugin on production instances may require a separate license. After the plugin is installed, the NIST National Vulnerability Database Integration - API (CVE only) is activated by default. It runs daily. See Install the Vulnerability Response Integration with the NIST National Vulnerability Database for more information.
- Third-party libraries are updated as scheduled jobs. Refer to your integration documentation at Vulnerability Response integrations for more information about third-party integrations.
Understanding imported vulnerability data and vulnerable items
In your ServiceNow AI Platform instance, each imported vulnerability is represented by a vulnerability entry in the source library of a third-party scanner product such as Qualys. The vulnerable items (VIs) that are imported and updated in your instance are references to third-party libraries, such as the Qualys library. A third-party library can, in turn, reference back to the NVD.
For example, when you ingest third-party vulnerability data from a product like Qualys, you're ingesting VIs that reference a QID (Qualys Identifier). In the case of Qualys, that QID in turn references a CVE from the NVD library. When you click that QID in a remediation task or vulnerable item record in the Vulnerability Response application, and you've run the NVD and CWE integrations to ingest data, you are viewing current, enriched vulnerability data that lets you see the relationships that exist between your VIs and CVEs, CWEs, and CPEs.
Before you run a third-party scanner product like Qualys that has its own library, you must first install and run, at a minimum, the NIST National Vulnerability Database Integration - API (CVE only) integration (which also includes CISA-related details) and the CWE Integration to ingest vulnerability data. These NVD and CWE data imports enrich your Vulnerability Response or Application Vulnerability Response data prior to importing data with a third-party product.
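The reference chain described above (VI to QID to CVE to CWE/CPE), as an added Python example that is not ServiceNow code: it indexes records shaped like an NVD CVE API 2.0 response and reports every scanner reference that fails to resolve, which is the result of importing scanner data before the NVD and CWE imports. The QIDs, CVE IDs, host names, and function names are constructed for illustration.

```python
# Constructed sample shaped like an NVD CVE API 2.0 response (not real NVD data).
NVD_RESPONSE = {"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001",
             "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}]}],
             "configurations": [{"nodes": [{"cpeMatch": [{
                 "vulnerable": True,
                 "criteria": "cpe:2.3:a:examplevendor:exampleapp:1.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0002",  # record without CPE configurations
             "weaknesses": [{"description": [
                 {"lang": "en", "value": "NVD-CWE-noinfo"},  # NVD placeholder, not a CWE
                 {"lang": "en", "value": "CWE-89"}]}]}},
]}
# Constructed scanner-side data: QID -> CVE references, and vulnerable items (VIs).
QID_TO_CVES = {"QID-900001": ["CVE-0000-0001"],
               "QID-900002": ["CVE-0000-0002", "CVE-0000-0003"]}
VULNERABLE_ITEMS = [{"ci": "web01", "qid": "QID-900001"},
                    {"ci": "db01", "qid": "QID-900002"}]
CWE_LIBRARY = {"CWE-79": "Cross-site Scripting"}  # CWE-89 not imported yet

def index_nvd(response):
    """Build CVE id -> {'cwes': [...], 'cpes': [...]} from NVD API 2.0-shaped JSON."""
    library = {}
    for item in response.get("vulnerabilities", []):
        cve = item["cve"]
        cwes = sorted({d["value"] for w in cve.get("weaknesses", [])
                       for d in w.get("description", [])
                       if d["value"].startswith("CWE-")})
        cpes = sorted({m["criteria"] for c in cve.get("configurations", [])
                       for n in c.get("nodes", []) for m in n.get("cpeMatch", [])
                       if m.get("vulnerable")})
        library[cve["id"]] = {"cwes": cwes, "cpes": cpes}
    return library

def enrich(items, qid_to_cves, nvd_library, cwe_library):
    """Resolve VI -> QID -> CVE -> CWE/CPE and list every reference that fails."""
    enriched, gaps = [], []
    for vi in items:
        for cve_id in qid_to_cves.get(vi["qid"], []):
            record = nvd_library.get(cve_id)
            if record is None:  # scanner references a CVE the NVD import has not loaded
                gaps.append((vi["ci"], vi["qid"], cve_id, "CVE not in NVD library"))
                continue
            gaps += [(vi["ci"], vi["qid"], cwe, "CWE not in CWE library")
                     for cwe in record["cwes"] if cwe not in cwe_library]
            enriched.append({"ci": vi["ci"], "qid": vi["qid"], "cve": cve_id, **record})
    return enriched, gaps

if __name__ == "__main__":
    lib = index_nvd(NVD_RESPONSE)
    print(enrich(VULNERABLE_ITEMS, QID_TO_CVES, lib, CWE_LIBRARY))
```

An empty gap list before the first scanner import is the condition the "verify successful initial imports" step is checking for.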
For more information about managing the NVD, CWE, and third-party libraries and viewing them, see Importing data with the NVD and CWE integrations and managing third-party libraries and View Vulnerability Response vulnerability libraries.
After you verify the successful NVD import, to further enrich your vulnerability data, see Configure and run the scheduled job for updating CWE records.
Perform the NVD and CWE imports prior to importing vulnerability data with a third-party product. Third-party libraries are updated as scheduled jobs. Refer to your integration documentation at Vulnerability Response integrations for more information about third-party integrations.
Locating the NVD integrations
To view the NVD integrations, navigate to .
| Integration | Description |
|---|---|
| NIST National Vulnerability Database Integration - API (CVE only) | Retrieves only NIST NVD vulnerability data (CVE). By default, this integration is automatically set to run daily. |
| NIST National Vulnerability Database Integration-API (CPE only) | Retrieves CPE data from NIST NVD. This integration is inactive by default. Activate this integration if you want to capture CPE data that includes a formal name format, a method for checking names against a system, and a description format for binding text and tests to a name. This information is stored in Vulnerable Software. This integration is set to run daily. To activate this integration, see Activate the NIST National Vulnerability Database–API (CPE only). |
| NIST National Vulnerability Database Integration-API (Unmapped CPE) | Retrieves CPE data associated with fetched CVE from NIST NVD. This integration is inactive by default. Activate this integration if you want to capture CPE data that includes a formal name format, a method for checking names against a system, and a description format for binding text and tests to a name. This information is stored in an NVD vulnerability entry record related list. This integration is set to run On Demand. To activate this integration, see Activate the NIST National Vulnerability Database–API (Unmapped CPE). |
For integration run statuses, see View the (National Vulnerability Database) NVD integration import run status.