These applications enable you to upload and import SBOM files into your instance. You can view BOM entity and component data in the SBOM Workspace if you have SBOM Core installed.

You can view BOM entity, component data, and data visualizations in the SBOM Workspace if you have SBOM Response installed.

• Data Model for SBOM
• SBOM Core

• Vulnerability Response and its dependencies
• Vulnerability Response Integration with NVD
• SBOM Response

For more information about these and other supported SBOM applications, see Exploring Software Bill of Materials.

A message is displayed after an application is successfully activated. Activate the applications in the following order:

• Vulnerability Response and its dependencies
• Vulnerability Response Integration with NVD
• Data Model for SBOM
• SBOM Core
• SBOM Response, which includes the OSV.dev and Deps.dev integrations and supports the Policy as Code Engine (PaCE) interface in the SBOM Workspace.

See Configuring the Deps.dev, OSV.dev, and PaCE integrations for Software Bill of Materials for more information about configuring these integration applications after you have installed SBOM Response.

For more information about these integrations and the capabilities they provide, see Exploring Software Bill of Materials.

• Vulnerability Response Integration with Veracode. See Install the ServiceNow Vulnerability Response Integration with Veracode for more information.
• Vulnerability Response Integration with NVD, which is required if you want to view the enhanced data for vulnerabilities associated with uploaded components. See Understanding the NVD integrations for more information.
• CWE Comprehensive 2000 Integration. See Configure and run the scheduled job for updating CWE records for more information about activating this scheduled job.

A message is displayed after an application is successfully activated.

• sn_sbom_dm.app_create
• sn_sbom_dm.app_read
• sn_sbom_dm.app_write
• sn_sbom_core.sbom_ingest
• sn_sbom_core.admin
• sn_sbom_resp.sbom_analyst
• sn_sbom_resp.manage_avi_rule
• sn_sbom_response.managelicense
• sn_sbom_response.licenseresolver

Users assigned to the App-Sec Manager group prioritize and manage application vulnerable items. Users in this group inherit many of the roles required for reading and editing records and configuring the applications supported by the Application Vulnerability Response application and its remediation workflows.

A Closed application vulnerable item (AVIT) for a component with an associated vulnerability is re-opened (set to Open) automatically and visible in the SBOM Workspace if the following conditions exist:

• The AVIT with the associated vulnerability is detected again by a third-party integration's vulnerability scans or the component with the vulnerability is part of a subsequent SBOM upload.
• You have not deactivated the Reopen AVITs if detected (sn_sbom_resp.reopen_avits_if_detected) system property. This system property is activated by default.
• The substate of the Closed AVIT is not one of the following: Mitigation Control in Place, Not Affected, or False Positive. AVITs with these substates are not reopened by the system property.