Remediation task state for Vulnerable Items (VITs) in multiple groups

  • Release version: Yokohama
  • Updated January 30, 2025
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Remediation task state for Vulnerable Items (VITs) in multiple groups

    This content explains how the state of a Vulnerable Item (VI) is determined when it is associated with multiple remediation tasks (RTs) in ServiceNow Vulnerability Response. It clarifies the precedence rules applied to the states of remediation tasks and how those rules impact the overall state of the VI.

    Show full answer Show less

    Key Rules for Determining Vulnerable Item State

    • State precedence: When a VI belongs to multiple remediation tasks, the VI’s state is set to the state of the remediation task that has the highest precedence.
    • State comparison examples:
      • If one RT is "Under Investigation" and the other is "Open," the VI state becomes "Under Investigation."
      • If both RTs are "Under Investigation," the VI remains "Under Investigation."
      • If one RT is "Awaiting Implementation" and the other is "Under Investigation," the VI takes the "Awaiting Implementation" state.
      • If one RT is "Deferred" and the other is "Awaiting Implementation," the VI becomes "Deferred."
    • Special cases:
      • If an RT is "Closed (Fixed or Cancelled)" and another RT is "Under Investigation," the VI state will be "Under Investigation," reflecting the higher precedence state.
      • If the VI source status is "Fixed" (updated by a scan or import), the VI state is automatically set to "Closed/Fixed" regardless of RT states, and group state precedence is not evaluated.
    • Individually set Vulnerable Item states: When a VI state is set manually, that state is included in the precedence evaluation along with RT states.

    Handling Deferred States

    When multiple RTs have the VI in a "Deferred" state with different dates, the VI’s deferred state will extend to the latest deferred date among the RTs. For example, if RT 1 defers until April 10 and RT 2 defers until April 30, the VI will defer until April 30.

    Practical Implications for ServiceNow Customers

    • Understanding these state precedence rules helps you accurately track the overall remediation progress of vulnerabilities linked to multiple tasks.
    • Manual overrides of VI states are respected but still participate in determining the final VI state among remediation tasks.
    • Automated updates from vulnerability scans that mark VIs as "Fixed" take priority and close the VI regardless of remediation task states.
    • The deferred state logic ensures that a VI remains deferred until all associated remediation tasks have completed their deferral period, preventing premature state changes.

    When a VIT is in multiple remediation tasks, (RT in the following tables), and its own state has not been set, the higher precedence group state determines the state of that VIT, as shown in the following table.

    Table 1. Vulnerable item states examples
    Remediation task state Vulnerable item state
    RT 1: Open > Under Investigation

    RT 2: Open

    		 Under Investigation

    When RT 1 is Under Investigation and RT 2 is Open, the VI changes to Under Investigation. After the search, between RT 1 and RT 2, RT 1 has the state with the highest precedence.
    RT 1: Under Investigation

    RT 2: Open > Under Investigation

    		 Under Investigation

    When RT 2 is Under Investigation and RT 1 is Under Investigation, the VI stays as Under Investigation. After the search, between RT 1 and RT 2, they have the state with the same precedence.
    RT 1: Under Investigation

    RT 2: Under Investigation > Awaiting Implementation

    		 Awaiting Implementation

    When RT 2 is Awaiting Implementation and RT 1 is Under Investigation, the VI changes to Awaiting Implementation. After the search, between RT 1 and RT 2, RT 2 has the state with the highest precedence.
    RT 1: Under Investigation > Deferred

    RT 2: Awaiting Implementation

    		 Deferred

    When RT 1 is Deferred and RT 2 is Awaiting Implementation, the VI changes to Deferred. After the search, between RT 1 and RT 2, RT 1 has the state with the highest precedence.
    Table 2. Vulnerable item in multiple groups special cases
    Remediation task State Vulnerable Item State
    RT 1: Under Investigation

    RT 2: Awaiting Implementation > Closed (Fixed or Cancelled)

    		 Under Investigation

    When RT 2 is Closed/Fixed or Closed/Cancelled, and RT 1 is Under Investigation, the VI changes from Awaiting Implementation (previously the highest precedence) to Under Investigation (currently the highest precedence).
    RT 1: any state

    RT 2: any state

    		 If the vulnerable item source status is Fixed (updated by a scan or import), then when the group changes its state, the vulnerable item changes its state to Closed/Fixed. This condition is true no matter what states the other associated groups are in. The vulnerable item search for the group state does not occur.
    When a VI state is set individually, its state is considered when evaluating precedence, as with any other remediation task. When a VI belongs to more than one remediation task, the following table lists the updates that are made.
    Table 3. Vulnerable item state set individually special cases
    Vulnerability item state within a group Vulnerable item final state
    RT 1 state: Under Investigation

    RT 2 state: Under Investigation > Awaiting Implementation

    Original VI state: Under Investigation > (set on the VI)

    		 Awaiting Implementation

    When RT 2 moved to Awaiting Implementation, and RT 1 remained Under Investigation, the VI changes to Awaiting Implementation (the highest precedence).
    RT 1: Under Investigation

    RT 2: Under Investigation > Awaiting Implementation

    Original VI state: Deferred > (set on the VI)

    		 Deferred

    When RT 2 moved to Awaiting Implementation, and RT 1 remained Under Investigation, the VI remains in the Deferred state (the highest precedence).
    The following table shows that when two remediation tasks with common vulnerable items are deferred, the state is deferred until the latest date is reached.
    Table 4. Vulnerable item deferred state special cases
    Vulnerability item state within a group Vulnerable item final state
    RT 1 state: In Review (until April 10)

    RT 2 state: Under Investigation > In Review (until April 30)

    Original VI state: In Review (until April 10) > (set on the VI)

    		 Deferred (until April 30)

    When RT 2 moved to Deferred (until Apr-30), and RT 1 remains Deferred (until Apr-10), the VI changes from Deferred (until Apr-05) to Deferred state (until Apr-30).
    RT 1: In Review (until July 15)

    RT 2: Under Investigation > In Review (until July 10

    Original VI state: Deferred > (until July 15)

    		 Deferred (until July 15)

    When RT 2 moved to Deferred (until Jul-10), and RT 1 remains Deferred (Jul-15), the VI remains in Deferred (until Jul-15).