I've just started working with the Vulnerability Response Module and still learning the layout and the fields into forms/records like Vulnerable Items and Remediation task.

I noticed there are 2 fields available (hidden by default), The Vulnerable Software (sn_vul_software.sw_vulnerability) and the Installation (cmdb_sam_sw_install.installation) fields (see below screenshot). 

I've been figuring out how this Vulnerable Software field gets populated. I know that this does not relate to the scan import from Vulnerability Scanners (i.e. Qualys), but I would assume by the time the vulnerable item is created, the Vulnerable Software will somehow gets populated, based on the fact the scan entry (i.e. QID in this case) should relates to a CVE(s) that contains the Vulnerable Software. From my observation, this doesn't seem to be the case. 

Just in attempts to populate this Vulnerable Software field, I have attempt to create an Exposure Assessment (using Java 😎 based on this documentation (https://docs.servicenow.com/bundle/sandiego-security-management/page/product/vulnerability-response/task/vr_sw_expsure_task.html). Once it detects the number of installation, I have chosen the Create Vulnerable Items, and pick one of the CVE entries. 

When the Vulnerable Items are created, instead of the Vulnerable Software field, it is another field the Installation gets populated. 

I know this installation field are based on the Software Installation table that the Exposure Assessment uses, However, if we have confirmed this installation is a Vulnerable Software, what are the steps required for the SesrviceNow Vulnerability Module to reflect the same (i.e. by populating this Vulnerable Software field)?