Application Vulnerable Item (AVI) states

  • Release version: Xanadu
  • Updated July 31, 2025
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Application Vulnerable Item (AVI)

    Application Vulnerability Response provides a state model for managing Application Vulnerable Items (AVIs). Understanding these states is crucial for effective remediation of vulnerabilities, as they dictate the flow from the creation of an AVI to its resolution or closure.

    Show full answer Show less

    Key Features

    • State Management: AVIs have several states such as Open, Resolved, Closed, and Under Investigation, which are mapped from third-party integrations.
    • State Actions: Each state allows specific actions, like marking an item as a false positive, requesting exceptions, or transitioning to other states.
    • Transitioning: You can manually transition AVIs to states like Awaiting Implementation or reopen closed items based on your workflow needs.
    • Resolution Notes: When resolving an AVI, users must provide resolution notes for clarity and record-keeping.

    Key Outcomes

    By effectively using the AVI state model, customers can:

    • Track and manage vulnerabilities systematically from identification to resolution.
    • Ensure compliance and effective risk management by understanding the remediation process.
    • Utilize integrated information from sources like Fortify for enhanced decision-making regarding vulnerabilities.

    Overall, mastering the AVI state model enables ServiceNow customers to streamline their vulnerability management processes and improve their overall security posture.

    Application Vulnerability Response offers a state model for the status of your application vulnerable items (AVIs), at any given time. Knowing how each state relates to and affects each other helps you to determine when and how to remediate your AVIs.

    Application Vulnerable Item states

    Understanding how states work helps with creating or editing application vulnerable item (AVI) rules. AVIs have several possible states that are mapped from imported Remediation status from the third-party integration. In an AVI, the State field is read-only.

    Table 1. Application Vulnerability Response state flow diagram
    State Description
    Open State upon creation. From this state you can:
    V16: Get More Details
    Get the following information about an AVI imported from Fortify:
    • Vulnerability summary
    • Vulnerability explanation
    • Recommendation
    • References
    • Request
    • Response
    V16: Mark as false positive
    Mark an item as false positive if the scanner reports that a vulnerability exists in the system, but in reality there is no vulnerability.
    V16: Request exception
    Request an exception, a reopen (Until) date, a reason, and optionally, provide addition information. Defers the remediation of the item until the date till which an exception is requested.
    V15: Close
    Select the Closed state, a reason from the Close Vulnerable Item dialog box, and provide addition information. Closes the AVI.
    V15: Resolve
    Mark an open AVI as Resolved to move it to a resolved state. You must add resolution notes in the Resolve Application Vulnerable Item dialog box.
    Deferred V15: This is triggered by the Request Exception option. As part of the approval workflow, the Deferred state is In Review and cannot be closed until approved.

    From this state you can:

    V16: Get More Details
    Get the following information about an AVI imported from Fortify:
    • Vulnerability summary
    • Vulnerability explanation
    • Recommendation
    • References
    • Request
    • Response
    Reopen
    Transitions a closed or resolved AVI back to an Open state.
    Close
    Select the Closed state, a reason, and provide addition information. Closes the AVI.
    Under Investigation Select this option from the State list. From this state you can:
    V20.0
    Manually transition a remediation task or AVI record to Awaiting Implementation.
    V16: Get More Details
    Get the following information about an AVI imported from Fortify:
    • Vulnerability summary
    • Vulnerability explanation
    • Recommendation
    • References
    • Request
    • Response
    V16: Mark as false positive
    Mark an item as false positive if the scanner reports that a vulnerability exists in the system, but in reality there is no vulnerability.
    V16: Request exception
    Request an exception, a reopen (Until) date, a reason, and optionally, provide addition information. Defers the remediation of the item until the date till which an exception is requested.
    V15: Close
    Select the Closed state, a reason from the Close Vulnerable Item dialog box, and provide addition information. Closes the AVI.
    V15: Resolve
    Mark an open AVI as Resolved to move it to a resolved state. You must add resolution notes in the Resolve Application Vulnerable Item dialog box.
    Awaiting Implementation

    You can only transition records to this state manually by selecting Awaiting Implementation from AVI and remediation task records in the Under Investigation state. From this state you can:

    Open
    Transitions AVI back to an Open state.
    Under Investigation
    Get more information for resolution. Transitions to Under Investigation.
    Resolve
    Mark an open AVI as Resolved to move it to a resolved state. You must add resolution notes in the Resolve Application Vulnerable Item dialog box.
    Close
    Select the Closed state, a reason from the Close Vulnerable Item dialog box, and provide addition information. Closes the AVI.

    In this state, Transition a record into Awaiting Implementation when your research and work on a task is complete and although a fix is ready for implementation, it is not yet available.

    Set the Remediation Commitment date and Remediation plan fields.

    After implementation, you resolve or close the records.
    Resolved Triggered from the Resolve button. From this state you can:
    V16: Get More Details
    Get the following information about an AVI imported from Fortify:
    • Vulnerability summary
    • Vulnerability explanation
    • Recommendation
    • References
    • Request
    • Response
    Reopen
    Transitions back to an Open state.
    Close
    Select the Closed state, a reason, and provide addition information. Closes the group.

    Notes and Resolution information appear under the Notes tab.
    Closed Triggered from the Close button. From this state you can:

    Reopen: Transitions back to an Open state.
    Note:
    Refer to the Integrating Application Vulnerability Response with other applications for understanding different integrations that sourced the AVI.

    Application Remediation Task states

    From the creation to closure of an Application Remediation Task, the Application Remediation Task transitions through various states during the entire remediation process.

    The state precedence is as follows:

    Closed > Deferred > Resolved > In Review > Awaiting Implementation > Under Investigation > Open

    The state transition happens as you perform various actions such as Defer, Open, Close, etc.

    The actions you can perform on an Application Remediation Task at a specific state is similar to that of a Host Remediation Task. Hence, for more information, see the Vulnerability Response remediation task states and State roll-up and roll-down scenarios in the Vulnerability Response documentation.

    Note:
    Starting with v23.0 of Vulnerability Response, the Close button has been removed to ensure that the closure of the Remediation task is driven by the scanner.