Application Vulnerability Response release notes

  • Release version: Washingtondc
  • Updated September 19, 2024

    The ServiceNow® Application Vulnerability Response application brings security and IT together to enable you to remediate your most critical vulnerabilities more quickly and efficiently. Application Vulnerability Response is included as part of the Vulnerability Response application. Version v22.0 of Application Vulnerability Response was enhanced and updated in the Washington DC release.

    Application Vulnerability Response highlights for the Washington DC release

    • Import application information from your GitHub repositories with the GitHub Repos Integration.
    • The Software Bill of Materials applications support SBOM files in CycloneDX and SPDX standards.
    • Get the overall summary of active application vulnerabilities with visualizations of all or prefiltered active application vulnerabilities in the Application vulnerabilities tab on the new Vulnerability Manager Workspace landing page.
    • Import Interactive Application Security Testing (IAST) and Dynamic Application Security Testing (DAST) data with the Invicti Vulnerability Integration.

    See Application Vulnerability Response for more information.

    Important:
    Application Vulnerability Response is available in the ServiceNow Store. For details, see the "Activation information" section of these release notes.

    New in the Washington DC release

    Closed application vulnerable items in the SBOM Workspace reopen automatically
    A Closed application vulnerable item (AVIT) for a component with an associated vulnerability is reopened automatically and visible in the SBOM Workspace if the following conditions are met:
    • The Reopen AVITs if detected (sn_sbom_resp.reopen_avits_if_detected) system property is activated. This system property is activated by default.
    • The AVIT with the associated vulnerability is detected again by a third-party integration's vulnerability scans or the component with the vulnerability is part of a subsequent SBOM upload.
    • The substate of the Closed AVIT is not one of the following: Mitigation Control in Place, Not Affected, or False Positive. AVITs with these substates are not reopened by the system property.

    Deactivate the system property only if you do not want Closed AVITs to reopen automatically.

    Updating application vulnerable items in bulk in the Vulnerability Manager Workspace
    Perform the following tasks on one or more application vulnerable items (AVITs) simultaneously using the bulk edit feature in the Vulnerability Manager Workspace:
    View list of vulnerable items in the Vulnerability Manager Workspace
    View the list of active vulnerable items in the Vulnerability Manager Workspace using the active records count next to the View by drop-down in the Host vulnerabilities tab on the Home page.
    Open active AVITs list in classic UI from the Vulnerability Manager Workspace
    Navigate to the Classic UI's active AVITs list using the View Classic link in the Application Vulnerabilities tab on the home page of the Vulnerability Manager Workspace.
    Refresh a remediation task in the Vulnerability Manager and IT Remediation Workspaces
    Refresh a remediation task (AVUL#) in the Vulnerability Manager and IT Remediation Workspaces to check whether any additional records belong to that remediation task.
    Enhancements to the Software Bill of Materials applications
    Upload SBOM files for the CycloneDX and SPDX standards starting with version 3.0 of SBOM Core and 3.2 of SBOM Response.
    • XML and JSON formats are supported for CycloneDX up to and including version 1.4.
    • JSON format is supported for SPDX up to and including version 2.3.
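    The support matrix above (CycloneDX in XML or JSON up to 1.4, SPDX in JSON up to 2.3) is easy to check before an upload is attempted. The following is an added example, not ServiceNow code: it reads the spec version from where each standard carries it (the `bomFormat`/`specVersion` keys of CycloneDX JSON, the namespace of the root `<bom>` element in CycloneDX XML, the `spdxVersion` key of SPDX JSON) and accepts or rejects the file. The sample documents are constructed; the assumption that only the upper version bound matters follows from the notes not stating a minimum.

```python
import json
import re
import xml.etree.ElementTree as ET

# Support matrix as quoted in the release notes. Only the upper bound is
# enforced because the notes do not state a minimum version (assumption).
SUPPORTED_MAX = {
    ("CycloneDX", "json"): (1, 4),
    ("CycloneDX", "xml"): (1, 4),
    ("SPDX", "json"): (2, 3),
}

# CycloneDX XML carries its spec version in the root element's namespace.
CDX_XML_ROOT = re.compile(r"^\{http://cyclonedx\.org/schema/bom/(\d+)\.(\d+)\}bom$")


def _parse_version(text):
    m = re.fullmatch(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unparseable spec version %r" % text)
    return (int(m.group(1)), int(m.group(2)))


def identify_sbom(data):
    """Return (standard, encoding, (major, minor)) for a CycloneDX or SPDX document.

    Raises ValueError (or ET.ParseError) when the bytes are not a recognised SBOM.
    The stdlib parser does not fetch external entities, but for uploads from
    untrusted parties use defusedxml to rule out entity-expansion tricks.
    """
    payload = data.lstrip()
    if payload.startswith(b"<"):
        root = ET.fromstring(payload)
        m = CDX_XML_ROOT.match(root.tag)
        if not m:
            raise ValueError("XML root is not a CycloneDX <bom> element")
        return ("CycloneDX", "xml", (int(m.group(1)), int(m.group(2))))
    doc = json.loads(payload)  # JSONDecodeError is a ValueError subclass
    if not isinstance(doc, dict):
        raise ValueError("JSON document is not an object")
    if doc.get("bomFormat") == "CycloneDX":
        return ("CycloneDX", "json", _parse_version(str(doc.get("specVersion", ""))))
    spdx = doc.get("spdxVersion", "")
    if isinstance(spdx, str) and spdx.startswith("SPDX-"):
        return ("SPDX", "json", _parse_version(spdx[len("SPDX-"):]))
    raise ValueError("neither bomFormat=CycloneDX nor spdxVersion found")


def check_sbom_upload(data):
    """Return (accepted, reason) for a candidate SBOM upload."""
    try:
        std, enc, ver = identify_sbom(data)
    except (ValueError, ET.ParseError) as exc:
        return False, "rejected: %s" % exc
    limit = SUPPORTED_MAX.get((std, enc))
    if limit is None:
        return False, "rejected: %s in %s format is not supported" % (std, enc)
    if ver > limit:
        return False, "rejected: %s %d.%d is newer than supported %d.%d" % (std, *ver, *limit)
    return True, "accepted: %s %s %d.%d" % (std, enc, *ver)


# Constructed sample uploads: three within the matrix, one too new, one in
# SPDX tag-value form (a text format the notes do not list as supported).
SAMPLES = {
    "cdx-json-1.4": b'{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": []}',
    "cdx-json-1.5": b'{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": []}',
    "cdx-xml-1.4": b'<?xml version="1.0"?><bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1"/>',
    "spdx-json-2.3": b'{"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "packages": []}',
    "spdx-tagvalue": b"SPDXVersion: SPDX-2.3\nDataLicense: CC0-1.0\n",
}


def run_samples():
    """Evaluate every constructed sample; returns {name: (accepted, reason)}."""
    return {name: check_sbom_upload(blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, reason) in run_samples().items():
        print("%-14s %s" % (name, reason))
```

    Running the module prints one verdict per sample; the tag-value SPDX file is rejected at the parse step rather than at the version check, which is the behaviour you want for an upload gate that should never guess at a format.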

    Performance enhancements in the SBOM Workspace for the BOM Entities and Components pages. You might experience faster load times for the Home and Components modules in the SBOM Workspace.

    GitHub Application Vulnerability Integration version 1.1
    Import application information from your GitHub repositories with the GitHub Repos Integration. Imported data is stored in the Discovered Applications [sn_vul_app_release] table. The GitHub CodeScan and Dependabot integrations require current application data that is imported by the GitHub Repos Integration.

    Enhancements to the (OAuth) authentication credentials on the GitHub Configuration page.

    Enhancements to the Veracode Vulnerability Integration version 4.2
    Select Get More Details on Veracode application vulnerable items (AVITs) on the Application Vulnerable Item [sn_vul_app_vulnerable_item] table or from the list views in the Vulnerability Response Workspaces to view the following data imported from Veracode:
    • HTTP Source request and Source response details for Dynamic Application Security Testing (DAST) scans are displayed on the HTTP Request/Response related list.
    • Solution recommendations from Veracode are displayed on the Findings related list.
    • HTTP Source request, Source response, and recommendations are displayed on the Details tab in the Vulnerability Response workspaces.
    • The Description column is supported on the Application Vulnerable Item [sn_vul_app_vulnerable_item] table.
    Enhancements to Application Vulnerability Response AVIT Vulnerability Integrations
    View details such as total processing times, average times for pre- and post-integration run processes, and reports on the integration run records for the Fortify version 2.3, Invicti version 1.1, and Veracode version 4.2 Application Vulnerable Item (AVIT) Integrations.
    Create auto-close rules for stale AVITs
    Automate the closure of stale AVITs via Auto-close rules based on your required filter conditions.
    Analyzing the vulnerability landscape in the Vulnerability Manager Workspace
    Get the overall summary of the active application vulnerabilities through visual representation of risk ratings, remediation progress, assignment groups workloads, and records in remediation tasks on the Home page of the Vulnerability Manager Workspace.
    Acquiring the summary of a set of application vulnerabilities using filters
    Get the summary of a set of active application vulnerabilities by filtering those vulnerabilities on the Home page of the Vulnerability Manager Workspace.
    Define Vulnerability Response email notifications
    When links are clicked in an email notification, records open in Vulnerability Manager Workspace or IT Remediation Workspace based on the user's role.
    Invicti Vulnerability Integration
    Import Interactive Application Security Testing (IAST) and Dynamic Application Security Testing (DAST) data with the Invicti Vulnerability Integration. This data enables you to determine the impact and priority of flaws in your custom software applications. Use the following Invicti integrations to enrich your vulnerability data:
    • Invicti Application List Application - Import applications that are scanned by Invicti.
    • Invicti Scan List Integration - Import data about the date and time a scan was run.
    • Invicti Application Vulnerable Item Integration - Import Invicti vulnerable item data.
    Import Software Bill of Materials (SBOM) files with Veracode
    Upload SBOM files in CycloneDx JSON format with a dedicated Veracode API. Identify the components you are using in your software projects and information about their releases, versions, and associated vulnerabilities. The integration generates SBOMs in CycloneDx JSON format and uploads them into your instance for parsing. The Software Bill of Materials applications are required. For more information, see Exploring Software Bill of Materials.
    Software Bill of Materials
    The following enhancements were made to supported applications for the Software Bill of Materials (SBOM) product:
    • Added PURL validation for the OSV.dev integration. Invalid PURLs are ignored during file processing.
    • If available, OSV.dev fixed version information is displayed on a related list on the AVIT record.
    • SBOM application vulnerable items (AVITs) show component information in enhanced SBOM workspace views.
    • Disabled Remediation Task rules for SBOM AVITs in the SBOM Workspace. You can edit rules for SBOM AVITs in the Vulnerability Manager Workspace in Vulnerability Response.
    • Expanded SBOM Workspace access enables you to view the SBOM inventory with the SBOM Core application.
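    The first item above says that invalid PURLs are now ignored rather than sent to OSV.dev. The following is an added example of what such a gate looks like, not ServiceNow's own validation logic: it parses each candidate against the package-url grammar (`pkg:type/namespace/name@version?qualifiers#subpath`), drops anything that does not fit, and assembles the survivors into the request body shape documented for the OSV.dev `POST /v1/querybatch` endpoint (the endpoint is not called). The sample PURL list is constructed.

```python
import re
from urllib.parse import unquote

# package-url grammar: pkg:type/namespace/name@version?qualifiers#subpath
# (type: a letter followed by letters, digits, '.', '+', '-'; name is the last path segment).
PURL_RE = re.compile(
    r"^pkg:(?P<type>[A-Za-z][A-Za-z0-9.+-]*)/"
    r"(?P<path>[^@?#]+)"
    r"(?:@(?P<version>[^?#]+))?"
    r"(?:\?(?P<qualifiers>[^#]*))?"
    r"(?:#(?P<subpath>.*))?$"
)


def parse_purl(purl):
    """Return the PURL's components as a dict, or None when it is not a valid PURL."""
    if not isinstance(purl, str):
        return None
    m = PURL_RE.match(purl.strip())
    if not m:
        return None
    segments = [s for s in m.group("path").split("/") if s]
    if not segments:
        return None  # 'pkg:npm//' style: no name at all
    qualifiers = {}
    for pair in (m.group("qualifiers") or "").split("&"):
        if not pair:
            continue
        if "=" not in pair:
            return None  # a qualifier must be key=value
        key, value = pair.split("=", 1)
        if not key:
            return None
        if value:  # spec: an empty value means the qualifier is simply absent
            qualifiers[key.lower()] = unquote(value)
    return {
        "type": m.group("type").lower(),
        "namespace": "/".join(unquote(s) for s in segments[:-1]) or None,
        "name": unquote(segments[-1]),
        "version": unquote(m.group("version")) if m.group("version") else None,
        "qualifiers": qualifiers,
        "subpath": m.group("subpath"),
    }


def build_osv_querybatch(purls):
    """Split candidate PURLs into an OSV.dev querybatch payload and a rejected list.

    {"queries": [{"package": {"purl": ...}}]} is the documented body of
    POST https://api.osv.dev/v1/querybatch; nothing is sent from here.
    """
    queries, rejected = [], []
    for candidate in purls:
        if parse_purl(candidate) is None:
            rejected.append(candidate)  # ignored, as the release notes describe
            continue
        queries.append({"package": {"purl": candidate.strip()}})
    return {"queries": queries}, rejected


# Constructed sample: four well-formed PURLs (one with an empty qualifier,
# which the spec treats as absent) and four malformed strings.
SAMPLE_PURLS = [
    "pkg:npm/%40angular/core@12.0.0",
    "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
    "pkg:golang/github.com/gorilla/mux@1.8.0",
    "pkg:pypi/requests@2.25.1?vcs_url=",
    "npm/lodash@4.17.20",   # missing pkg: scheme
    "pkg:/nothing@1.0",     # empty type
    "pkg:npm/",             # empty name
    "",
]


if __name__ == "__main__":
    payload, rejected = build_osv_querybatch(SAMPLE_PURLS)
    print("queries:", len(payload["queries"]), "rejected:", rejected)
```

    Percent-decoding is applied per segment after splitting, so an encoded `@` inside an npm scope (`%40angular`) stays part of the namespace instead of being mistaken for the version separator; that is the kind of case a hand-rolled `split("@")` gets wrong.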
    Reapplying CI Lookup rules in Application Vulnerability Response
    Reapply your configuration item (CI) lookup rules to update existing CIs for scanned applications and product models.
    Create remediation tasks manually
    Create remediation tasks (AVULs) manually for application vulnerable items (AVITs) from remediation task records on the Group Configuration tab.
    Notifications on false positive and exception requests
    Receive notifications and reminders on change approval records for false positive and exception requests by setting approval expiry and reminder dates on the approval rules.
    Quick start tests for Application Vulnerability Response

    After upgrades and deployments of new applications or integrations, run quick start tests to verify that Application Vulnerability Response works as expected. If you customized Application Vulnerability Response, copy the quick start tests and configure them for your customizations.

    Activation information

    Install Application Vulnerability Response by requesting Vulnerability Response from the ServiceNow Store. Application Vulnerability Response is included as part of the Vulnerability Response application. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.