Can we manually create a vulnerability?

nancym
ServiceNow Employee

Is it possible to create a vulnerability manually through the UI? Not a VIT, rather an entry under "Libraries" in either NVD, CWE or third-party? Not seeing a "NEW" button out-of-the-box, or in any of the other Libraries for that matter. Has anyone had to address this use case? 

thank you,

Nancy

3 REPLIES

Simon Hendery
Mega Patron

Hi @nancym, I see you are a ServiceNow account manager ... is this a query from a customer?


I'm not sure what the use case behind this question would be. The NVD & CWE entries are external libraries/data sources, so I don't know why anyone would want to add anything to them.


Are you able to provide any additional context?

nancym
ServiceNow Employee

This is in the context of application pen testing. Manual findings are submitted from the internal pen testing team. The class of vulnerabilities that they discover doesn't exist, so they can't create a VIT if there isn't a corresponding class in the system. For example, they are doing an application pen test and find a SQL injection vulnerability, so that would be an instance of SQL injection, but if there is no SQL injection class, they have no frame of reference to create a vulnerable item. How do we manipulate the vulnerabilities database so they can add and modify at will?

So I've been doing more research and I found this: https://docs.servicenow.com/bundle/vancouver-security-management/page/product/vulnerability-app-vuln...


I think that is the solution, do you agree? 

thank you,
Nancy

That's the correct part of docs to look at. You may want to go back up to the start of the pen testing AVR section to get a full overview: 

https://docs.servicenow.com/bundle/vancouver-security-management/page/product/vulnerability-app-vuln...


If I understand correctly, everything required to do what you want to do is available out-of-the-box, but you need the pen-testing team to provide a CWE related to each vulnerable item - i.e. the CWE is the 'class of vulnerability'.


For example, in the screenshot below, the entry in the Application Vulnerability Entry table references CWE-564 (SQL Injection: Hibernate).


[Screenshot: pen-test.png, Application Vulnerability Entry referencing CWE-564]


Does that help at all?
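The practical gap in the thread above is that a pen-test finding can only become an Application Vulnerability Entry once it carries a CWE, and a finding submitted without one (or with a malformed or unknown ID) is a data-quality problem to catch before import, not after. The script below is an added example written for this page; it is not ServiceNow code and it does not touch any ServiceNow table or API. It assumes a findings export as a list of dicts with an `id`, `application`, `summary`, optional `severity` and a free-form `cwe` field (all field names are assumptions), normalizes the CWE reference to the canonical `CWE-<n>` form, checks it against a constructed subset of the CWE library, and splits the findings into import-ready records and rejects with a reason, so the pen-test team can fix their side before anything is loaded.

```python
"""Pre-import check for manual pen-test findings.

Added example, not ServiceNow's code. The CWE is the 'class of vulnerability'
that an Application Vulnerability Entry is keyed on, so every finding must carry
one that exists in the CWE library before it is imported.
"""
import re

CWE_ID = re.compile(r"^CWE-(\d+)$")

# Constructed subset of the CWE library so the example runs offline.
CWE_LIBRARY = {
    "CWE-79": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
    "CWE-89": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
    "CWE-352": "Cross-Site Request Forgery (CSRF)",
    "CWE-564": "SQL Injection: Hibernate",
}


def normalize_cwe(value):
    """Return the canonical 'CWE-<n>' form of a CWE reference, or None.

    Accepts 'CWE-89', 'cwe-089', ' 89 ' and similar; rejects anything that is
    not a CWE number (e.g. 'CWE89', 'SQLi', None).
    """
    if value is None:
        return None
    text = str(value).strip().upper()
    if text.isdigit():                      # bare number from a spreadsheet
        text = "CWE-" + text
    match = CWE_ID.match(text)
    if not match:
        return None
    return "CWE-%d" % int(match.group(1))   # strips leading zeros


def check_findings(findings, library=CWE_LIBRARY):
    """Split findings into (import-ready records, rejected (id, reason) pairs)."""
    ready, rejected = [], []
    for finding in findings:
        cwe = normalize_cwe(finding.get("cwe"))
        if cwe is None:
            rejected.append((finding["id"], "missing or malformed CWE"))
            continue
        if cwe not in library:
            rejected.append((finding["id"], "%s not in CWE library" % cwe))
            continue
        ready.append({
            "source_id": finding["id"],
            "cwe": cwe,
            "cwe_name": library[cwe],
            "application": finding["application"],
            "summary": finding["summary"],
            "severity": finding.get("severity", "medium"),
        })
    return ready, rejected


# Constructed sample findings, as a pen-test team might export them.
FINDINGS = [
    {"id": "PT-001", "application": "Payroll portal",
     "summary": "SQL injection in /search via the 'q' parameter",
     "cwe": "CWE-89", "severity": "high"},
    {"id": "PT-002", "application": "Payroll portal",
     "summary": "Hibernate HQL injection in the report filter",
     "cwe": "564", "severity": "high"},
    {"id": "PT-003", "application": "Payroll portal",
     "summary": "Reflected XSS on the error page", "cwe": "cwe-079"},
    {"id": "PT-004", "application": "Payroll portal",
     "summary": "Session fixation on login", "cwe": None},
    {"id": "PT-005", "application": "Payroll portal",
     "summary": "Weak TLS configuration", "cwe": "CWE-99999"},
]


if __name__ == "__main__":
    ready, rejected = check_findings(FINDINGS)
    for record in ready:
        print("READY   %(source_id)s -> %(cwe)s (%(cwe_name)s)" % record)
    for finding_id, reason in rejected:
        print("REJECT  %s: %s" % (finding_id, reason))
```

The two rejects are the cases the thread is really about: PT-004 has no class at all, and PT-005 names a class the library does not contain, so neither can become a vulnerable item until the tester supplies a real CWE. Rejecting them here is deliberate; silently mapping them to a catch-all class would lose exactly the information the CWE is meant to carry.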