Identify applications in Application Vulnerability Response automatically

  • Release version: Zurich
  • Updated July 31, 2025

    Summary of Identify applications in Application Vulnerability Response automatically

    Application Vulnerability Response (AVR) in ServiceNow automatically identifies applications related to vulnerabilities by matching imported third-party data against the Configuration Management Database (CMDB). This process leverages CI Lookup Rules to find and link applications to Application Vulnerable Item (AVI) records, facilitating effective remediation.


    How Application Identification Works

    • When vulnerability data is imported, AVR searches the Scanned Application table using sourceappid and appname to find existing application matches from prior imports.
    • If an application ID match is found, its details populate the Application and Application Release fields on the AVI record.
    • If no match is found, or the application ID is missing, other application attributes are used to attempt identification.
    • If still unmatched, a placeholder scanned application record is created with limited data (Application Name and ID).

    CI Lookup Rules

    • CI Lookup Rules define the logic for matching applications and are evaluated in order, from lowest Order value upward, stopping at the first single match.
    • If a rule returns multiple matches, only the first is used.
    • These rules are source-specific and domain-separated; each integration deployment can have its own CI Lookup Rules.
    • The default lookup rules included with the Veracode Vulnerability Integration use Source Application Id and Application Name.
    • When a match is found, the rule responsible is recorded in the CI matching rule field on the Scanned Application record for easier tracking.
    • Rules should be deactivated rather than deleted to preserve configuration history, as deletions affect all integration deployments.

    Performance and Best Practices

    • Importing vulnerability data and running CI Lookup Rules can be resource-intensive, potentially impacting instance performance if rules are inefficient.
    • It is critical to test any custom or modified CI Lookup Rules thoroughly before deployment to avoid long processing times or duplicate/orphaned records.
    • ServiceNow provides guidance on preventing and cleaning duplicate or orphan records created during the identification process.

    Practical Implications for Customers

    • This automatic application identification enables customers to quickly and accurately associate vulnerabilities with the correct applications in their CMDB.
    • It enhances remediation effectiveness by ensuring the right application context is applied to vulnerability data.
    • Customers integrating third-party vulnerability sources should configure or customize CI Lookup Rules carefully to maintain performance and data integrity.
    • Using the default Veracode integration rules provides a ready-to-use mechanism for application matching out of the box.

    When data is imported from a third-party integration, Application Vulnerability Response automatically uses application data to search for matches in the Configuration Management Database (CMDB). It does this using CI Lookup Rules. These rules identify applications for the application vulnerable item (AVI) record to aid in remediation.

    As applications are imported, a lookup is performed on the Scanned Application [sn_vul_app_scanned_application] table using source_app_id and app_name to find matches to applications from prior imports. When an application ID match is found, its values are used in the Application and App release fields in the application vulnerable item record.

    If a match is not found, or the application ID field is empty, the rules use the other application information to attempt to correctly identify the application. If a match is still not found, a placeholder scanned application record is created with only Application name and Application ID fields.

    The Source Application Id and Application Name lookup rules are shipped with the Veracode Vulnerability Integration, by default.

    Note:
    Default CI lookup rules for Application Vulnerability Response are available only for the Veracode Vulnerability Integration.

    When attempting a match, the lookup rules are evaluated in order, starting from the lowest Order value. Evaluation stops as soon as a rule returns a single CI as a match.

    Note:
    If a rule is created in such a way that it returns more than one CI, only the first match is used.
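The identification flow described above (prior-import lookup on the Scanned Application table, then the ordered CI Lookup Rules, then a placeholder record), modelled as an added stand-alone JavaScript example. This is not ServiceNow code and does not use the GlideRecord API: the table and field names and the two default rule names follow the page, while the Order values, match logic, sys_ids and sample CIs are constructed. It also includes a pre-deployment check that reports rules returning more than one CI, because in that case only the first CI is used and nothing else signals the ambiguity.

```javascript
// Added example, not ServiceNow code: an in-memory model of AVR application
// identification. Field names follow the page; all data below is constructed.

// Constructed Scanned Application [sn_vul_app_scanned_application] rows left by a prior import.
const scannedApplications = [
  { sys_id: 'sa001', source_app_id: 'VC-1001', app_name: 'Payments API',
    application: 'ci_payments', app_release: 'rel_payments_2.3',
    ci_matching_rule: 'Source Application Id' },
];

// Constructed CMDB application CIs. Two CIs share a name on purpose so that a
// name-based rule returns more than one CI.
const cmdbApplications = [
  { sys_id: 'ci_payments',    name: 'Payments API',    source_app_id: 'VC-1001' },
  { sys_id: 'ci_portal_prod', name: 'Customer Portal', source_app_id: 'VC-1002' },
  { sys_id: 'ci_portal_dr',   name: 'Customer Portal', source_app_id: 'VC-1002-DR' },
  { sys_id: 'ci_hr',          name: 'HR Self Service', source_app_id: '' },
];

// CI Lookup Rules. The two names are the defaults the page lists for the
// Veracode Vulnerability Integration; Order values and match logic are assumed.
const ciLookupRules = [
  { name: 'Source Application Id', order: 100, active: true,
    match: (imp, ci) => Boolean(imp.source_app_id) && ci.source_app_id === imp.source_app_id },
  { name: 'Application Name', order: 200, active: true,
    match: (imp, ci) => Boolean(imp.app_name) &&
      ci.name.toLowerCase() === imp.app_name.trim().toLowerCase() },
];

// Fresh working copy of the tables so repeated runs start from the same state.
function newState() {
  return { scanned: scannedApplications.map(sa => ({ ...sa })),
           cmdb: cmdbApplications, rules: ciLookupRules };
}

// Evaluate active rules from the lowest Order upward and stop at the first rule
// that returns a CI. If that rule returned several CIs only the first is used;
// `ambiguous` records that this happened.
function evaluateLookupRules(imported, cmdb, rules) {
  const ordered = rules.filter(r => r.active).sort((a, b) => a.order - b.order);
  for (const rule of ordered) {
    const hits = cmdb.filter(ci => rule.match(imported, ci));
    if (hits.length > 0) {
      return { ci: hits[0], rule: rule.name, ambiguous: hits.length > 1 };
    }
  }
  return null;
}

// Identify the application for one imported record and return the values that
// would populate the application vulnerable item (AVI). Mutates state.scanned.
function identifyApplication(imported, state) {
  // Step 1: application ID match against prior imports reuses the stored values.
  // (Assumption: a prior match is only reused when it already resolved to a CI.)
  const prior = imported.source_app_id
    ? state.scanned.find(sa => sa.source_app_id === imported.source_app_id && sa.application)
    : undefined;
  if (prior) {
    return { application: prior.application, app_release: prior.app_release,
             ci_matching_rule: prior.ci_matching_rule, placeholder: false, ambiguous: false };
  }

  // Step 2: no prior match or empty application ID: run the CI Lookup Rules.
  const found = evaluateLookupRules(imported, state.cmdb, state.rules);
  const record = { sys_id: 'sa' + String(state.scanned.length + 1).padStart(3, '0'),
                   source_app_id: imported.source_app_id || '', app_name: imported.app_name,
                   application: null, app_release: null, ci_matching_rule: null };
  if (found) {
    // Record which rule produced the match so it can be traced from the list view.
    record.application = found.ci.sys_id;
    record.ci_matching_rule = found.rule;
  }
  // Step 3: with no match at all, this record is the placeholder (name and ID only).
  state.scanned.push(record);
  return { application: record.application, app_release: record.app_release,
           ci_matching_rule: record.ci_matching_rule, placeholder: !found,
           ambiguous: found ? found.ambiguous : false };
}

// Pre-deployment check: run each active rule over a sample of imported records
// and report every case where a single rule returns more than one CI.
function findOverBroadRules(sample, state) {
  const report = [];
  for (const rule of state.rules.filter(r => r.active)) {
    for (const imp of sample) {
      const hits = state.cmdb.filter(ci => rule.match(imp, ci));
      if (hits.length > 1) {
        report.push({ rule: rule.name, app_name: imp.app_name, hits: hits.map(ci => ci.sys_id) });
      }
    }
  }
  return report;
}
```

Running `identifyApplication` for an imported record named "Customer Portal" with no source application ID resolves to `ci_portal_prod` purely because it sorts first, with `ambiguous` set; `findOverBroadRules` surfaces the same condition before the rule goes live, which is the kind of test the page asks for before deploying custom or modified rules.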

    To make matching issues easier to trace, when a match is found, the CI lookup rule used to find it is added to the CI matching rule field for Scanned Applications. Click the Update Personalized List gear icon at the top of the Scanned Application list view to add the field to the view.

    Note:
    Rules, once removed, cannot be recovered. Rather than removing existing rules, deactivate them when creating new ones.

    CI lookup rules can be domain separated and are source-specific. If supported, each source can have multiple deployments. For example, the Veracode Vulnerability Integration can have multiple deployments, and each deployment has its own set of CI Lookup Rules.

    Note:
    CI lookup rules are shared by all deployments of the vulnerability integration. If a rule is deleted or modified, the deletion or changes affect all deployments of the vulnerability integration.

    Importing vulnerability data can be taxing on an instance, and resource and performance problems can occur if rules are not carefully constructed. The logic that iterates through the CMDB to perform matching can result in lengthy processing times. To avoid degraded performance, test any custom-written CI Lookup Rules, or modifications to the pre-defined CI Lookup Rules, before deploying them. See Prevent duplicate or orphaned records after running Application Vulnerability Response CI lookup rules for more information on preventing duplicate or orphaned records, deleting data, and cleaning up data.