Configuring the Deps.dev, OSV.dev, and PaCE integrations for Software Bill of Materials
This guide explains how ServiceNow customers can configure and manage the Deps.dev, OSV.dev, and Policy as Code Engine (PaCE) integrations within the Software Bill of Materials (SBOM) Response application. These integrations help identify and manage vulnerable, stale, or abandoned software components, improving software supply chain security and compliance.
Deps.dev Integration Configuration
- The Deps.dev Integration is installed and activated by default with SBOM Response and runs on a weekly schedule, which you can modify.
- This integration identifies components that are Stale (the version in use is, by default, two or more major releases and more than two years behind the latest release) or Abandoned (the project has published no update for more than two years, by default).
- You can customize the stale and abandoned thresholds (time in months and version number) via system properties.
- The integration’s imported data is stored in the Package Groups [sn_sbom_pkg_group] table and is visible on the SBOM Workspace home page and in the BOM Queue module.
- Note: A separate Deps.dev on-demand code trigger integration exists for internal workflows and must not be run manually.
OSV.dev Integration - Comprehensive Configuration
- Installed and activated by default, this integration can be manually triggered on-demand from its record.
- It imports vulnerability data into the Application Vulnerable Entries [sn_vul_app_vul_entry] and National Vulnerability Database Entries [sn_vul_nvd_entry] tables.
- The batchSize parameter (the number of PURLs sent per API call, 75 by default) is editable, but the default is recommended; changing it can degrade the integration's performance.
- As with Deps.dev, there is an internal OSV.dev on-demand code trigger integration that should not be manually run.
PaCE Integration Activation
- Starting with SBOM Response version 4.0, PaCE enables policy-based compliance checks for components identified as stale or abandoned.
- You can activate the Run PaCE policies for SBOM Response scheduled job, which is disabled by default, to automatically classify these components as ‘Non-compliant’ in the PaCE interface.
- The PaCE interface is accessible within the SBOM Workspace, providing visibility into compliance status based on policies.
- PaCE policies can be integrated with other applications for broader governance.
Permissions and Roles
Editing schedules and initiating these integrations requires the sn_vul.app_configure_integrations role, so that only authorized users can modify integration settings.
Important Usage Notes
- Do not manually execute the on-demand code trigger versions of Deps.dev and OSV.dev integrations, as they are reserved for internal workflows.
- Use the standard scheduled or on-demand integration records for configuration and execution.
You can edit some of the parameters for the Deps.dev and OSV.dev integrations. There are also two code trigger versions of these integrations that are used strictly for internal workflows, and you should not initiate these integrations on-demand. Additionally, you can activate a scheduled job to create policies using Policy as Code Engine (PaCE).
Code trigger integrations for internal workflows
- OSV Integration (on-demand code trigger)
- Deps.dev Integration (on-demand code trigger)
Configuring the run schedule for the Deps.dev Integration
The Deps.dev Integration is installed with SBOM Response. The integration is activated (Active check box selected on the integration record) by default and scheduled to run weekly. Note that this is not the on-demand Deps.dev code trigger integration: you can edit the schedule and initiate the scheduled job on-demand from its integration record.
To modify the schedule, navigate to . The sn_vul.app_configure_integrations role is required to edit the schedule of this integration.
Three system properties control when a component is classified as abandoned or stale:
- sn_sbom_resp.pkg_abandoned_threshold
- sn_sbom_resp.pkg_stale_threshold
- sn_sbom_resp.pkg_stale_version_threshold
The abandoned and stale thresholds are expressed in months. The version threshold is numeric: the number of major releases the version in use may trail the latest release before it counts as stale.
You can view imported data on the Home page of the workspace and in the BOM Queue module. Imported data is stored in the Package Groups [sn_sbom_pkg_group] table.
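The following is an added example, not ServiceNow's code, showing how the three threshold properties above interact when a package group is classified and how a Stale or Abandoned result maps to the Non-compliant status that PaCE later displays. The exact way the time and version thresholds are combined for the Stale state, the default values, and the package data are assumptions made for illustration; read the real values from the system properties on your instance.

```python
from dataclasses import dataclass
from datetime import date

# Assumed defaults matching the documented behaviour (two years, two major
# releases). Abandoned and stale values are months; the version value is a count.
THRESHOLDS = {
    "sn_sbom_resp.pkg_abandoned_threshold": 24,
    "sn_sbom_resp.pkg_stale_threshold": 24,
    "sn_sbom_resp.pkg_stale_version_threshold": 2,
}


@dataclass(frozen=True)
class PackageGroup:
    """Constructed package-group row; not the sn_sbom_pkg_group schema."""
    purl: str
    used_version: str
    used_released: date
    latest_version: str
    latest_released: date


def months_between(earlier: date, later: date) -> int:
    return (later.year - earlier.year) * 12 + (later.month - earlier.month)


def major(version: str) -> int:
    # "v3.1.0", "3.1.0-rc1" and "3" all map to major 3.
    return int(version.lstrip("v").split(".")[0].split("-")[0])


def classify(pkg: PackageGroup, today: date, thresholds=THRESHOLDS) -> str:
    abandoned_months = thresholds["sn_sbom_resp.pkg_abandoned_threshold"]
    stale_months = thresholds["sn_sbom_resp.pkg_stale_threshold"]
    stale_versions = thresholds["sn_sbom_resp.pkg_stale_version_threshold"]

    # Abandoned: the project itself has shipped nothing for longer than the threshold.
    if months_between(pkg.latest_released, today) > abandoned_months:
        return "Abandoned"
    # Stale (assumed combination): the version in use trails the latest by at least
    # the version threshold AND its release predates the latest release by more than
    # the time threshold. A project that bumped two majors within a few months is
    # therefore not stale under this rule.
    behind_by_versions = major(pkg.latest_version) - major(pkg.used_version)
    behind_by_months = months_between(pkg.used_released, pkg.latest_released)
    if behind_by_versions >= stale_versions and behind_by_months > stale_months:
        return "Stale"
    return "Current"


def pace_status(state: str) -> str:
    # Stale and abandoned components surface as Non-compliant in PaCE.
    return "Non-compliant" if state in ("Stale", "Abandoned") else "Compliant"


def classify_all(pkgs, today: date, thresholds=THRESHOLDS):
    result = {}
    for pkg in pkgs:
        state = classify(pkg, today, thresholds)
        result[pkg.purl] = (state, pace_status(state))
    return result


TODAY = date(2025, 6, 1)  # constructed reference date
SAMPLE = [  # constructed data; these are not real packages
    PackageGroup("pkg:npm/example-util", "1.3.0", date(2018, 4, 1), "1.3.0", date(2018, 4, 1)),
    PackageGroup("pkg:pypi/example-client", "2.25.1", date(2020, 12, 16), "2.32.3", date(2024, 5, 29)),
    PackageGroup("pkg:maven/org.example/legacy-lib", "1.4.0", date(2020, 1, 10), "3.1.0", date(2025, 3, 1)),
    PackageGroup("pkg:golang/example.com/fastmover", "1.0.0", date(2024, 11, 1), "3.0.0", date(2025, 3, 1)),
]

if __name__ == "__main__":
    for purl, (state, status) in classify_all(SAMPLE, TODAY).items():
        print(f"{purl:45} {state:10} {status}")
```

Tightening sn_sbom_resp.pkg_stale_threshold is the lever that catches components like the last sample, which is two majors behind but only a few months old; lowering sn_sbom_resp.pkg_abandoned_threshold catches projects that have simply gone quiet.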
Configuring and initiating the OSV.dev Integration - Comprehensive
The OSV.dev Integration - Comprehensive integration is installed with SBOM Response. The integration is activated (Active check box selected on the integration record) by default. Note that this is not the on-demand OSV.dev code trigger integration, and you must initiate this integration on-demand from its integration record.
To configure and initiate this integration, navigate to . The sn_vul.app_configure_integrations role is required.
You can view imported data on the Home page of the workspace, on the Vulnerability tab of records opened from the entities list, and in the Libraries module. Imported data is stored in the Application Vulnerable Entries [sn_vul_app_vul_entry] and the National Vulnerability Database Entries [sn_vul_nvd_entry] tables.
The integration's batchSize parameter (the number of PURLs sent per API call, 75 by default) can be edited. You might prefer to leave this value at its default setting, because altering it might impact performance.
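To make concrete what batchSize controls, the following added example (not ServiceNow's code) builds OSV.dev querybatch request bodies of at most batchSize PURLs each and maps the batched results back to their PURLs. The endpoint URL and the request/response shape are OSV.dev's public batch API; the PURLs, responses and vulnerability IDs are constructed placeholders. The point a practitioner should take from it is that OSV returns results positionally, so a batch whose result count does not match its query count must be rejected rather than guessed at.

```python
import json

OSV_QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch"  # OSV.dev batch endpoint
DEFAULT_BATCH_SIZE = 75  # the integration's documented batchSize default


def build_querybatch_requests(purls, batch_size=DEFAULT_BATCH_SIZE):
    """Split PURLs into querybatch bodies of at most batch_size queries, preserving order."""
    if batch_size < 1:
        raise ValueError("batch_size must be at least 1")
    bodies = []
    for start in range(0, len(purls), batch_size):
        chunk = purls[start:start + batch_size]
        bodies.append({"queries": [{"package": {"purl": purl}} for purl in chunk]})
    return bodies


def map_results(purls, responses, batch_size=DEFAULT_BATCH_SIZE):
    """Re-associate querybatch responses with the PURLs that produced them.

    OSV returns results[i] for queries[i] and does not echo the package back,
    so the mapping is purely positional. A response whose result count differs
    from its query count is rejected instead of silently shifting vulnerabilities
    onto the wrong component.
    """
    bodies = build_querybatch_requests(purls, batch_size)
    if len(responses) != len(bodies):
        raise ValueError(f"expected {len(bodies)} responses, got {len(responses)}")
    vulns_by_purl = {}
    for body, resp in zip(bodies, responses):
        results = resp.get("results", [])
        if len(results) != len(body["queries"]):
            raise ValueError("result count does not match query count; refusing to guess alignment")
        for query, result in zip(body["queries"], results):
            # An empty object means OSV knows of no vulnerabilities for that PURL.
            vulns_by_purl[query["package"]["purl"]] = sorted(v["id"] for v in result.get("vulns", []))
    return vulns_by_purl


# Constructed sample: seven PURLs and the three responses a batch size of 3 would yield.
SAMPLE_PURLS = [f"pkg:npm/example-pkg-{i}" for i in range(7)]
SAMPLE_RESPONSES = [  # constructed; the IDs are placeholders, not real advisories
    {"results": [{"vulns": [{"id": "EXAMPLE-0001", "modified": "2024-01-01T00:00:00Z"}]}, {}, {}]},
    {"results": [{}, {"vulns": [{"id": "EXAMPLE-0003"}, {"id": "EXAMPLE-0002"}]}, {}]},
    {"results": [{}]},
]

if __name__ == "__main__":
    for body in build_querybatch_requests(SAMPLE_PURLS, 3):
        print(f"POST {OSV_QUERYBATCH_URL} ({len(body['queries'])} queries, "
              f"{len(json.dumps(body).encode())} bytes)")
    for purl, ids in map_results(SAMPLE_PURLS, SAMPLE_RESPONSES, 3).items():
        print(f"{purl:25} {ids}")
```

With the default of 75, an SBOM of 1,500 components costs 20 API calls; a larger batch trades fewer calls for bigger payloads and longer responses, which is the performance effect the note above warns about.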
Activating PaCE
Starting with version 4.0 of SBOM Response, you can view components that are identified as stale or abandoned as ‘Non-compliant’ in the Policy as Code Engine (PaCE) interface that is available in the SBOM Workspace.
- Determine if components are stale or abandoned with the Run PaCE policies for SBOM Response scheduled job. This scheduled job is deactivated by default.
- View components that are identified as stale or abandoned as Non-compliant in the PaCE interface that is available and viewed in the SBOM Workspace.
See Integrating PaCE with other applications for more information about PaCE and PaCE policies.