07-10-2025 07:38 AM
Hi Community,
We are currently exploring Application Vulnerability (AVR) in ServiceNow, and I have come across a scenario where I need your help to understand it.
When a vulnerability scanner (Veracode) identifies a new application vulnerability in ServiceNow, but the corresponding application Configuration Item (CI) is not present in the CMDB, how is this situation handled?
For example: similar to host vulnerability (in VR), when no matching CI is found, it automatically creates an unclassed CI. Does ServiceNow automatically create a new application CI for an application vulnerability? If yes, will it be an unclassified application CI?
Any insight or guidance on this would be greatly appreciated.
Thanks & Regards,
Zakeer
07-11-2025 09:37 AM
Hey Zakeer,
So conceptually, the way AVR handles 'Unmatched' applications is exactly the same as host Vulnerability Response, but there are some nuances depending on which flavor of lookup you are using for AVR. We have two flavors of lookups:
- CI-based lookup
- Product model-based lookup
If you are using the CI-based lookup, it gets handled similarly to Host VR, where AVR will create what we call a 'Scanned Application' record. This would be similar to Host VR's 'Unclassed Hardware' record.
If you are utilizing the Product Model lookup feature of AVR, it gets handled a bit differently.
I recommend you check out this community post by @andy_ojha - https://www.servicenow.com/community/secops-articles/unpacking-common-questions-on-application-vulne...
It should help answer a ton of your questions.
I hope this helps!
William