Context:
In the Application Vulnerability Response plugin, we are working with a vendor that doesn't have an integration, so we've built import sets to import the data. 

Issue:

We aren't able to run the Assignment rules on Closed or Active = false vulnerabilities, or on Vulnerabilities that have a specific Assignment Group already assigned. 

Why is this important:

When importing already closed vulnerabilities, we need to be able to show what group fixed them (this is based on the assigned vulnerability remediation group, it's an attribute on the CI). 

My thoughts on this:

It baffles me that SNVR allows for manual import but doesn't allow us to choose to run rules on "closed" vulns. I love the idea of a single pain of glass that SNVR allows for, but having a bunch of unassigned vulns that were "fixed" doesn't allow us to showcase the remediation teams accomplished work. It make reporting much harder then it should be, meaning in order to get around this I'll have to report on the CI's rather then the Vits and that doesn't work considering the limitation of avits, cvits and vits only being created on CI's that ServiceNow see's as "active" when in truth they should be created regardless and depend on the scanner to say when they are remediated or they haven't been seen in so many days (controlled by the Autoclose rules).

Can anyone help me figure out how to get around this limitation?