Application Vulnerable Item (AVI) states

  • Release version: Zurich
  • Updated July 31, 2025
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Application Vulnerable Item (AVI) states

    Application Vulnerability Response in ServiceNow provides a structured state model to manage the lifecycle of Application Vulnerable Items (AVIs). Understanding the AVI states and their transitions is essential for effectively tracking, assessing, and remediating vulnerabilities detected in your applications. The AVI states are synchronized with remediation statuses imported from third-party tools like Fortify, ensuring real-time visibility and control over vulnerability management activities.

    Show full answer Show less

    Key States and Their Functions

    • Open: This is the default state when an AVI is created. From here, you can review detailed vulnerability information, mark items as false positives, request exceptions to defer remediation, resolve the AVI with notes, or close it with a reason.
    • Deferred: Triggered by requesting an exception, this state defers remediation until a specified date. It requires approval and remains “In Review” until closed or transitioned.
    • Under Investigation: Indicates active analysis of the vulnerability. Similar actions as in Open state are available, including transitioning to Awaiting Implementation.
    • Awaiting Implementation: Manually assigned when the fix is ready but not yet applied. This state allows setting remediation commitment dates and plans. After implementation, the AVI can be resolved or closed.
    • Resolved: Marks that remediation work is complete. Users can add resolution notes and either close the AVI or reopen it if necessary.
    • Closed: Final state indicating the AVI is closed. It can be reopened to return to the Open state if needed.
    • Reopen: Available from certain states to return an AVI to Open for further action.

    Practical Considerations for ServiceNow Customers

    The State field on AVIs is read-only and transitions are controlled via defined workflows and user actions aligned with your remediation process. Key actions such as marking false positives, requesting exceptions, resolving, and closing AVIs help manage risk and compliance effectively.

    Manually transitioning AVIs to “Awaiting Implementation” supports tracking remediation progress, ensuring visibility into when fixes are planned versus when they are implemented.

    Integration with tools like Fortify enriches AVIs with detailed vulnerability data, improving decision-making and prioritization.

    Application Remediation Task States

    In addition to AVIs, Application Remediation Tasks follow a defined state progression reflecting the remediation lifecycle: Open → Under Investigation → Awaiting Implementation → In Review → Resolved → Deferred → Closed. Actions such as deferring, resolving, and closing tasks align with similar states in AVIs. From version 23.0, remediation task closure is managed automatically by the scanner, eliminating manual Close button usage.

    These states enable streamlined tracking and automated enforcement of remediation workflows, reducing manual intervention and improving remediation governance.

    Application Vulnerability Response offers a state model for the status of your application vulnerable items (AVIs), at any given time. Knowing how each state relates to and affects each other helps you to determine when and how to remediate your AVIs.

    Application Vulnerable Item states

    Understanding how states work helps with creating or editing application vulnerable item (AVI) rules. AVIs have several possible states that are mapped from imported Remediation status from the third-party integration. In an AVI, the State field is read-only.

    Table 1. Application Vulnerability Response state flow diagram
    State Description
    Open State upon creation. From this state you can:
    V16: Get More Details
    Get the following information about an AVI imported from Fortify:
    • Vulnerability summary
    • Vulnerability explanation
    • Recommendation
    • References
    • Request
    • Response
    V16: Mark as false positive
    Mark an item as false positive if the scanner reports that a vulnerability exists in the system, but in reality there is no vulnerability.
    V16: Request exception
    Request an exception, a reopen (Until) date, a reason, and optionally, provide addition information. Defers the remediation of the item until the date till which an exception is requested.
    V15: Close
    Select the Closed state, a reason from the Close Vulnerable Item dialog box, and provide addition information. Closes the AVI.
    V15: Resolve
    Mark an open AVI as Resolved to move it to a resolved state. You must add resolution notes in the Resolve Application Vulnerable Item dialog box.
    Deferred V15: This is triggered by the Request Exception option. As part of the approval workflow, the Deferred state is In Review and cannot be closed until approved.

    From this state you can:

    V16: Get More Details
    Get the following information about an AVI imported from Fortify:
    • Vulnerability summary
    • Vulnerability explanation
    • Recommendation
    • References
    • Request
    • Response
    Reopen
    Transitions a closed or resolved AVI back to an Open state.
    Close
    Select the Closed state, a reason, and provide addition information. Closes the AVI.
    Under Investigation Select this option from the State list. From this state you can:
    V20.0
    Manually transition a remediation task or AVI record to Awaiting Implementation.
    V16: Get More Details
    Get the following information about an AVI imported from Fortify:
    • Vulnerability summary
    • Vulnerability explanation
    • Recommendation
    • References
    • Request
    • Response
    V16: Mark as false positive
    Mark an item as false positive if the scanner reports that a vulnerability exists in the system, but in reality there is no vulnerability.
    V16: Request exception
    Request an exception, a reopen (Until) date, a reason, and optionally, provide addition information. Defers the remediation of the item until the date till which an exception is requested.
    V15: Close
    Select the Closed state, a reason from the Close Vulnerable Item dialog box, and provide addition information. Closes the AVI.
    V15: Resolve
    Mark an open AVI as Resolved to move it to a resolved state. You must add resolution notes in the Resolve Application Vulnerable Item dialog box.
    Awaiting Implementation

    You can only transition records to this state manually by selecting Awaiting Implementation from AVI and remediation task records in the Under Investigation state. From this state you can:

    Open
    Transitions AVI back to an Open state.
    Under Investigation
    Get more information for resolution. Transitions to Under Investigation.
    Resolve
    Mark an open AVI as Resolved to move it to a resolved state. You must add resolution notes in the Resolve Application Vulnerable Item dialog box.
    Close
    Select the Closed state, a reason from the Close Vulnerable Item dialog box, and provide addition information. Closes the AVI.

    In this state, Transition a record into Awaiting Implementation when your research and work on a task is complete and although a fix is ready for implementation, it is not yet available.

    Set the Remediation Commitment date and Remediation plan fields.

    After implementation, you resolve or close the records.
    Resolved Triggered from the Resolve button. From this state you can:
    V16: Get More Details
    Get the following information about an AVI imported from Fortify:
    • Vulnerability summary
    • Vulnerability explanation
    • Recommendation
    • References
    • Request
    • Response
    Reopen
    Transitions back to an Open state.
    Close
    Select the Closed state, a reason, and provide addition information. Closes the group.

    Notes and Resolution information appear under the Notes tab.
    Closed Triggered from the Close button. From this state you can:

    Reopen: Transitions back to an Open state.
    Note:
    Refer to the Integrating Application Vulnerability Response with other applications for understanding different integrations that sourced the AVI.

    Application Remediation Task states

    From the creation to closure of an Application Remediation Task, the Application Remediation Task transitions through various states during the entire remediation process.

    The state precedence is as follows:

    Closed > Deferred > Resolved > In Review > Awaiting Implementation > Under Investigation > Open

    The state transition happens as you perform various actions such as Defer, Open, Close, etc.

    The actions you can perform on an Application Remediation Task at a specific state is similar to that of a Host Remediation Task. Hence, for more information, see the Vulnerability Response remediation task states and State roll-up and roll-down scenarios in the Vulnerability Response documentation.

    Note:
    Starting with v23.0 of Vulnerability Response, the Close button has been removed to ensure that the closure of the Remediation task is driven by the scanner.