Vulnerable items represent one configuration item (CI) with a given vulnerability. Vulnerable items are imported from third-party sources, or using the SAM NVD information (link) to compare vulnerability entries to software records retrieved from the Software Asset Management module.

Vulnerable items are contained in remediation tasks defined by vulnerability rules. Typically remediation tasks are the location where groups of vulnerable items are assigned and worked on.

Vulnerable items can be viewed and edited in bulk from the Vulnerable Items module. Vulnerable item records display information from the vulnerability in the Vulnerability tab. This tab can indicate whether there are public or active exploits for it. Also, it shows whether it can be remediated via a patch, configuration change, or combination of both. If there are IP addresses that are found during de-duplication, they appear in a related list.

If a CI is removed from the CMDB, any associated vulnerable items are removed as well.

When a vulnerable item is added to a remediation task, the group appears in the Remediation Tasks list of Vulnerable items.

When a task is created that affects a vulnerable item, the task appears in the Affecting Tasks related list of Vulnerable items.

Vulnerable items can be created manually. You can create security incidents or change requests and manually closed or defer them. Remediation task rules can be applied to manually created vulnerable items.

Remediation tasks and remediation task rules have been enhanced to take over task functionality. Vulnerable items cannot be linked as a parent task.