Remediation tasks and vulnerable item states
Summary of Remediation tasks and vulnerable item states
In ServiceNow's Yokohama release, remediation tasks and vulnerable items (VIs) have interdependent states that influence each other to streamline vulnerability management. Typically, the state of a remediation task determines the state of the vulnerable items associated with it, using a defined precedence order. This mechanism helps maintain consistency in tracking and resolving vulnerabilities.
Key Features
- State Precedence: The states follow a hierarchy from highest to lowest precedence: Closed > Deferred > Resolved > In Review > Awaiting Implementation > Under Investigation > Open. The highest precedence task state updates the vulnerable items in that group.
- State Synchronization: Vulnerable items inherit the remediation task state unless individually updated. For example, if a remediation task moves from Open to Awaiting Implementation, all associated VIs also update to Awaiting Implementation.
- Deferral Tracking: Starting from version 16.5, the system tracks how many times VIs and remediation tasks are deferred. A scheduled job updates deferral counts daily, helping customers monitor repeated deferrals via the Multiple Deferrals modules for VR, AVR, and CVR.
- Exceptions for State Updates:
  - If a remediation task is Closed with resolution Canceled or Fixed with Exception, the VI's state remains unchanged or adopts the state from other associated remediation tasks. If no other task exists, the VI reverts to Open.
  - VIs marked Closed/Fixed by scans or imports remain in that state regardless of remediation task state changes.
- Individually Updated Vulnerable Items: VIs manually set to a specific state do not automatically mirror remediation task states. Instead, the system compares all associated groups and applies the highest precedence state.
- Automatic Closure: When all VIs in a remediation task are marked Closed/Fixed (e.g., verified by scans), the remediation task automatically updates to Closed/Fixed.
- Assignment Field Behavior:
  - If VIs revert from Resolved to Open, the remediation task state changes from Resolved to Under Investigation. However, if both the Assigned to and Assignment group fields are empty in the remediation task, it remains Resolved.
  - If the assignment group for an Open state VI is manually updated, it is not overwritten when the remediation task's assignment group changes, preserving intentional customized assignments.
What This Enables ServiceNow Customers to Do
Understanding the interaction between remediation tasks and vulnerable item states allows customers to more effectively manage vulnerabilities by automating state transitions and ensuring accurate tracking. Deferral counts provide insight into repeated delays, enabling better prioritization. The special handling of assignment fields and state exceptions supports flexible workflows without losing data integrity. Ultimately, customers can expect consistent vulnerability lifecycle management aligned with remediation progress and scanning results.
Remediation task and vulnerable item states can affect each other. Most of the time, a remediation task state updates the vulnerable item state, with the highest precedence task state used to update the vulnerable items in the group.
The state precedence is as follows.
- When a group of vulnerable items is in one remediation task and the items aren't altered at an individual level, they have the same state as their remediation task.
- When the remediation task goes from the Open state to Awaiting Implementation, all the VIs in the remediation task move to the Awaiting Implementation state.
- When the remediation task is deferred, its VIs are likewise deferred. Starting with version 16.5, you can track the number of times that a vulnerable item, application vulnerable item, container vulnerable item, or remediation task is deferred. The scheduled job, set deferral counts, runs daily and posts the count for each record that is deferred more than once in the Deferral count column of the Multiple deferrals modules for VR, AVR, and CVR. If a remediation task is deferred more than once, the counts for all VIs associated with that task are collected and posted as well.
- Vulnerable items updated only by remediation tasks
  - Items match the state of the remediation task, if they haven't been updated individually, with these exceptions:
    - If the remediation task state changes to Closed, and its resolution to Canceled or Fixed with Exception, the item is not affected and takes on the state of any other remediation task that contains it. If the vulnerable item is in no other remediation task, it reverts to the Open state.
    - If the vulnerable item state is Closed/Fixed (updated by a scan or import), then when the remediation task changes its state, the vulnerable item remains in the Closed/Fixed state. This condition is true no matter what state the remediation task is in.
- Vulnerable items in states set individually
  - Vulnerable items whose state was updated on the item itself, such as items closed or deferred individually, don't match the state of the remediation task automatically. Instead, the item's state is compared against all of its associated groups, and the state with the highest precedence is applied.
  - Note: The Closed/Fixed state is a special case. If all vulnerable items within a remediation task are set to Closed/Fixed, such as when a scanner finds that all the vulnerabilities have been remediated, the remediation task is automatically marked as Closed/Fixed.
- Remediation tasks contain empty assignment fields
  - If the state of the VIs in a remediation task changes from Resolved to Open, the state of the remediation task is also updated from Resolved to Under Investigation. However, if both the Assigned to and Assignment group fields in the remediation task are empty, the remediation task remains in the Resolved state and does not move to Under Investigation.
- Assignment group for vulnerable items is not always updated when their remediation task is updated
  - If the assignment group for a VI in Open state is updated manually, it is not updated again when the assignment group for its remediation task is updated. This information is not overwritten because the assignment group for the VI has been updated intentionally, and the VI might be a part of another remediation task.
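The precedence and exception rules above, as an added plain-JavaScript model that is not ServiceNow code (no GlideRecord or platform APIs). State and resolution names are the page's; the record fields `resolution`, `closedByScan`, `individuallyUpdated`, `groupSetManually`, `assignedTo` and `assignmentGroup` are assumed for the model.

```javascript
// Added example, not ServiceNow code: a plain-JavaScript model of the state
// precedence rules on this page. Field names below are assumed for the model.
const PRECEDENCE = ["Open", "Under Investigation", "Awaiting Implementation",
  "In Review", "Resolved", "Deferred", "Closed"]; // lowest to highest
const rank = (s) => PRECEDENCE.indexOf(s);
const highest = (states) =>
  states.reduce((best, s) => (rank(s) > rank(best) ? s : best), "Open");

// A task Closed as Canceled or Fixed with Exception does not drive its VIs.
function propagates(task) {
  return !(task.state === "Closed" &&
    ["Canceled", "Fixed with Exception"].includes(task.resolution));
}

// State a vulnerable item should hold, given every task that contains it.
// "Closed/Fixed" is modelled as state "Closed" with resolution "Fixed".
function resolveViState(vi, tasks) {
  // Closed/Fixed set by a scan or import survives any task state change.
  if (vi.state === "Closed" && vi.resolution === "Fixed" && vi.closedByScan) {
    return "Closed";
  }
  const candidates = tasks.filter(propagates).map((t) => t.state);
  if (candidates.length === 0) return "Open"; // no other task: revert to Open
  // An individually updated VI competes with all of its groups (assumption:
  // its own state is one candidate); otherwise it follows the top task state.
  return vi.individuallyUpdated ? highest([vi.state, ...candidates])
                                : highest(candidates);
}

// Task-side rules: auto-close when every VI is Closed/Fixed; a VI reopening
// drops a Resolved task to Under Investigation unless both assignment fields
// are empty.
function resolveTaskState(task, vis) {
  const allFixed = vis.length > 0 &&
    vis.every((v) => v.state === "Closed" && v.resolution === "Fixed");
  if (allFixed) return { state: "Closed", resolution: "Fixed" };
  const reopened = vis.some((v) => v.state === "Open");
  const unassigned = !task.assignedTo && !task.assignmentGroup;
  if (task.state === "Resolved" && reopened && !unassigned) {
    return { state: "Under Investigation", resolution: task.resolution };
  }
  return { state: task.state, resolution: task.resolution };
}

// A manually set assignment group on an Open VI is kept when the task's changes.
function viAssignmentGroup(vi, task) {
  return vi.state === "Open" && vi.groupSetManually
    ? vi.assignmentGroup : task.assignmentGroup;
}
```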