Application Vulnerable Item (AVI) states

  • Release version: Washingtondc
  • Updated February 1, 2024

    Application Vulnerability Response offers a state model for the status of your application vulnerable items (AVIs) at any given time. Knowing how the states relate to and affect each other helps you determine when and how to remediate your AVIs.

    Application Vulnerable Item states

    Understanding how states work helps when you create or edit application vulnerable item (AVI) rules. AVIs have several possible states, which are mapped from the Remediation status imported from the third-party integration. In an AVI, the State field is read-only.

    Table 1. Application Vulnerability Response state flow

    Open
    State upon creation. From this state you can:

    V16: Get More Details
    Get the following information about an AVI imported from Fortify:
    • Vulnerability summary
    • Vulnerability explanation
    • Recommendation
    • References
    • Request
    • Response

    V16: Mark as false positive
    Mark an item as a false positive if the scanner reports a vulnerability that does not actually exist in the system.

    V16: Request exception
    Request an exception by providing a reopen (Until) date, a reason, and optionally additional information. Remediation of the item is deferred until the requested date.

    V15: Close
    Select the Closed state and a reason in the Close Vulnerable Item dialog box, and provide additional information. Closes the AVI.

    V15: Resolve
    Mark an open AVI as Resolved to move it to the Resolved state. You must add resolution notes in the Resolve Application Vulnerable Item dialog box.

    Deferred
    V15: Triggered by the Request exception option. As part of the approval workflow, a Deferred AVI is In Review and cannot be closed until the exception is approved. From this state you can:

    V16: Get More Details
    Get the following information about an AVI imported from Fortify:
    • Vulnerability summary
    • Vulnerability explanation
    • Recommendation
    • References
    • Request
    • Response

    Reopen
    Transitions the AVI back to the Open state.

    Close
    Select the Closed state and a reason, and provide additional information. Closes the AVI.

    Under Investigation
    Select this option from the State list. From this state you can:

    V20.0: Awaiting Implementation
    Manually transition a remediation task or AVI record to Awaiting Implementation.

    V16: Get More Details
    Get the following information about an AVI imported from Fortify:
    • Vulnerability summary
    • Vulnerability explanation
    • Recommendation
    • References
    • Request
    • Response

    V16: Mark as false positive
    Mark an item as a false positive if the scanner reports a vulnerability that does not actually exist in the system.

    V16: Request exception
    Request an exception by providing a reopen (Until) date, a reason, and optionally additional information. Remediation of the item is deferred until the requested date.

    V15: Close
    Select the Closed state and a reason in the Close Vulnerable Item dialog box, and provide additional information. Closes the AVI.

    V15: Resolve
    Mark an open AVI as Resolved to move it to the Resolved state. You must add resolution notes in the Resolve Application Vulnerable Item dialog box.

    Awaiting Implementation
    You can transition records to this state only manually, by selecting Awaiting Implementation from AVI and remediation task records that are in the Under Investigation state. Move a record to Awaiting Implementation when your research and work on the task are complete and a fix is ready for implementation but not yet available. Set the Remediation Commitment date and Remediation plan fields. After implementation, resolve or close the record. From this state you can:

    Open
    Transitions the AVI back to the Open state.

    Under Investigation
    Get more information for resolution. Transitions the AVI to Under Investigation.

    Resolve
    Mark an open AVI as Resolved to move it to the Resolved state. You must add resolution notes in the Resolve Application Vulnerable Item dialog box.

    Close
    Select the Closed state and a reason in the Close Vulnerable Item dialog box, and provide additional information. Closes the AVI.

    Resolved
    Triggered from the Resolve button. Notes and resolution information appear under the Notes tab. From this state you can:

    V16: Get More Details
    Get the following information about an AVI imported from Fortify:
    • Vulnerability summary
    • Vulnerability explanation
    • Recommendation
    • References
    • Request
    • Response

    Reopen
    Transitions the AVI back to the Open state.

    Close
    Select the Closed state and a reason, and provide additional information. Closes the AVI.

    Closed
    Triggered from the Close button. From this state you can:

    Reopen
    Transitions the AVI back to the Open state.
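    The transitions and required dialog inputs in Table 1 form a small state machine. The following is an added illustration, not ServiceNow's code, that encodes them as a validation function; the field names on the AVI and context objects (untilDate, reason, exceptionApproved, resolutionNotes, commitmentDate, plan) and the assumption that Under Investigation is selected from an Open record are the example's own.

```javascript
// Added illustration, not ServiceNow's implementation: validates a requested AVI
// state change against Table 1. Field names on avi/ctx are assumed for the example.

// Target state -> the states it may be entered from (per Table 1).
const ALLOWED_FROM = {
  Open: ["Deferred", "Awaiting Implementation", "Resolved", "Closed"], // Reopen / Open
  Deferred: ["Open", "Under Investigation"],                           // Request exception
  "Under Investigation": ["Open", "Awaiting Implementation"],          // assumed: chosen from the State list
  "Awaiting Implementation": ["Under Investigation"],                  // manual transition only
  Resolved: ["Open", "Under Investigation", "Awaiting Implementation"],
  Closed: ["Open", "Deferred", "Under Investigation", "Awaiting Implementation", "Resolved"],
};

// Preconditions per target state; each returns an error string or null.
const REQUIRES = {
  Deferred: (avi, c) =>
    c.untilDate && c.reason ? null : "exception needs an Until date and a reason",
  "Awaiting Implementation": (avi, c) =>
    c.commitmentDate && c.plan ? null : "set Remediation Commitment date and Remediation plan",
  Resolved: (avi, c) => (c.resolutionNotes ? null : "resolution notes are required"),
  Closed: (avi, c) => {
    if (!c.reason) return "a close reason is required";
    if (avi.state === "Deferred" && !avi.exceptionApproved) {
      return "Deferred AVI is In Review; the exception must be approved before closing";
    }
    return null;
  },
};

// Returns { ok: true, avi: <updated copy> } or { ok: false, error }; never mutates the input.
function transition(avi, target, ctx = {}) {
  const sources = ALLOWED_FROM[target];
  if (!sources) return { ok: false, error: `unknown state: ${target}` };
  if (!sources.includes(avi.state)) return { ok: false, error: `${avi.state} -> ${target} is not a valid transition` };
  const err = REQUIRES[target] ? REQUIRES[target](avi, ctx) : null;
  if (err) return { ok: false, error: err };
  const next = { ...avi, state: target, history: [...(avi.history || []), `${avi.state} -> ${target}`] };
  if (target === "Deferred") Object.assign(next, { untilDate: ctx.untilDate, exceptionApproved: false });
  if (target === "Resolved") next.resolutionNotes = ctx.resolutionNotes;
  return { ok: true, avi: next };
}

// Walk-through on a constructed AVI: request an exception, then try to close before and after approval.
function demo() {
  const deferred = transition({ state: "Open" }, "Deferred", { untilDate: "2024-03-01", reason: "compensating control" }).avi;
  const blocked = transition(deferred, "Closed", { reason: "Fixed" });            // rejected: still In Review
  const closed = transition({ ...deferred, exceptionApproved: true }, "Closed", { reason: "Fixed" });
  return { blocked: blocked.ok, closed: closed.ok, history: closed.avi.history };
}
```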

    Note:
    Refer to Integrating Application Vulnerability Response with other applications to understand the different integrations from which AVIs are sourced.