How does Application Vulnerabilities Response handle unmatched Application CIs

Go to solution
MdZakeerH
Tera Contributor

‎07-10-2025 07:38 AM

Hi Community,

 

We are currently exploring on Application Vulnerability (AVR) in ServiceNow, and i have come across a scenario where need your help to understand it.

 

When a vulnerability scanner (Veracode) identifies a new application vulnerability in ServiceNow, but the corresponding application Configuration Item (CI) is not present in the CMDB, how is this situation handled?

 

For example: similar to host vulnerability (in VR) when there is no matching CI found, it will automatically create a unclassed CI. Does ServiceNow automatically create a new application CI for application vulnerability if yes, will it be a unclassified application CI.

 

Any insight or guidance on this would be greatly appreciated.

Thanks & Regards,

Zakeer

 

0 Helpfuls
  • 354 Views
1 ACCEPTED SOLUTION

Go to solution
william_tran
ServiceNow Employee
ServiceNow Employee

‎07-11-2025 09:37 AM

Hey Zakeer,

So conceptually, the way AVR handles 'Unmatched' applications is exactly the same as host Vulnerability Response, but there is some nuances in there depending on which flavor of Lookup you are using for AVR. We have two flavors of lookups:

  • CI-based lookup
  • Product model-based lookup

 

If you are using the CI-based lookup, it gets handled similar to Host VR, where AVR will create what we call a 'Scanned Application' record. This would similar to Host VR's 'Unclassed Hardware' record.

 

If you are utilizing the Product Model lookup feature of AVR, it gets handled a bit differently.

 

I recommend you checkout this community post by @andy_ojhahttps://www.servicenow.com/community/secops-articles/unpacking-common-questions-on-application-vulne...

 

It should help answer a ton of your questions.

 

I hope this helps!

 

William

View solution in original post

1 REPLY 1

Go to solution
william_tran
ServiceNow Employee
ServiceNow Employee

‎07-11-2025 09:37 AM

Hey Zakeer,

So conceptually, the way AVR handles 'Unmatched' applications is exactly the same as host Vulnerability Response, but there is some nuances in there depending on which flavor of Lookup you are using for AVR. We have two flavors of lookups:

  • CI-based lookup
  • Product model-based lookup

 

If you are using the CI-based lookup, it gets handled similar to Host VR, where AVR will create what we call a 'Scanned Application' record. This would similar to Host VR's 'Unclassed Hardware' record.

 

If you are utilizing the Product Model lookup feature of AVR, it gets handled a bit differently.

 

I recommend you checkout this community post by @andy_ojhahttps://www.servicenow.com/community/secops-articles/unpacking-common-questions-on-application-vulne...

 

It should help answer a ton of your questions.

 

I hope this helps!

 

William