Application Vulnerability Response product view

  • Release version: Zurich
  • Updated July 31, 2025

    The Application Vulnerability Response (AVR) product ingests the weaknesses and vulnerabilities detected by your application security testing tools and provides a single pane of glass to understand the security posture of all the applications in your environment.

    AVR enables you to reduce risk through its remediation workflows. The objective of this product view is to help you understand how the key AVR entities work with the core CSDM framework.

    Updated terminology

    Starting with AVR v19.0, the following key table and column names have been updated. As a result, you will see references to both the older and newer names in the documentation.

    Table 1. Updated list of terms, table, and field names for AVR

    | Prior to AVR v19.0 | Starting from AVR v19.0 |
    |---|---|
    | CI lookup rules | Lookup rules |
    | CI lookup rule form | Lookup rule form |
    | CI matching rule | Matching rule |
    | Search on table | Search on CI table |
    | Search on field | Search on CI field |
    | Application release | Discovered applications |
    | Application release table | Discovered applications table |
    | Business criticality | Source business criticality |

    Prerequisites

    Install the latest versions of the following applications:
    • Security Support Common
    • Vulnerability Response
    • Security Integration Framework
    • Security Support Orchestration
    • Scanner integrations such as Veracode and Fortify

    AVR and CSDM 4.0

    Prior to AVR v19.0, when application vulnerabilities were ingested, the application for which the vulnerabilities were ingested was looked up, using the CI lookup rules, against the Scanned Applications (sn_vul_app_scanned_application) table. If no record existed for the application name, an entry was created.

    Starting from AVR v19.0, to align with the CSDM 4.0 framework, the Product Model tables are used instead of the Scanned Applications table. If the application has a version, the lookup is against the Software Model table. If there is no version, the lookup is against the Application Model table. Both Application Model and Software Model are child tables of the Product Model table, which is the foundation table in the CMDB. The following screenshot explains the Product Model.

    System property

    To use the CSDM 4.0 product model-based lookup process, set the system property sn_vul.use_product_model to true.

    Table 2. System property considerations

    | System property name | System property value | Lookup target value | Considerations |
    |---|---|---|---|
    | sn_vul.use_product_model | true | Select the value Product model | New users should select the value Product model to use the CSDM 4.0 framework's Product model lookup rules. |
    | sn_vul.use_product_model | false | Select the value Configuration item | Existing users can continue using the CI lookup process and the existing CI lookup rules. |

    Note:
    To set the lookup target value, navigate to the Lookup Rule page > [AVR integration lookup rule] > Lookup target field.

    Lookup rules in AVR

    In the CSDM 4.0 framework, product model-based lookup rules are used instead of CI lookup rules to create entries in the respective product model classes. Similarly, for scripts, you can define the lookup rules within the framework of the CSDM 4.0 model.

    Starting from AVR v19.0, while creating a lookup rule, you must define whether you want to use the configuration item or product model approach using the Lookup target field. For more information, see Create a CI lookup rule.

    Discovered applications

    Navigate to All > Discovered Applications. The Discovered Applications table displays the applications ingested from the scanners. If the system property sn_vul.use_product_model is set to true, you can see the corresponding product models for the applications.

    AVR considerations

    Presence of duplicate CI or product model records

    Verify that the system property sn_vul.use_product_model has been correctly configured for the lookup process. Ensure that you select either Configuration item or Product model as the Lookup target while configuring the Lookup rule form.
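
    The check described above can be run offline against an export of your lookup rules. The following is an added example, not ServiceNow code: the rule field names `name` and `lookupTarget` and the sample rules are assumptions constructed for illustration; only the property name, the two Lookup target values, and the version-based model selection come from this page.

```javascript
// Added example: offline audit of AVR lookup settings (constructed data).
// The field names `name` and `lookupTarget` are assumptions for this sketch;
// the page documents only the "Lookup target" label and its two values.

const PROPERTY = 'sn_vul.use_product_model';

// Table 2 of the page: property value -> Lookup target each rule should use.
function expectedTarget(propertyValue) {
  return String(propertyValue).trim().toLowerCase() === 'true'
    ? 'Product model'
    : 'Configuration item';
}

// Page rule for product-model lookups: a version means Software Model,
// no version means Application Model.
function modelTableFor(app) {
  const hasVersion = typeof app.version === 'string' && app.version.trim() !== '';
  return hasVersion ? 'Software Model' : 'Application Model';
}

// Report every rule whose Lookup target is unset or disagrees with the property.
function auditLookupRules(propertyValue, rules) {
  const want = expectedTarget(propertyValue);
  const findings = [];
  for (const rule of rules) {
    const got = (rule.lookupTarget || '').trim();
    if (got === '') {
      findings.push({ rule: rule.name, issue: 'Lookup target not set', want });
    } else if (got.toLowerCase() !== want.toLowerCase()) {
      findings.push({ rule: rule.name, issue: `Lookup target is "${got}"`, want });
    }
  }
  return findings;
}

// Constructed sample export of lookup rules (not real instance data).
const sampleRules = [
  { name: 'Veracode app lookup', lookupTarget: 'Product model' },
  { name: 'Fortify app lookup', lookupTarget: 'Configuration item' },
  { name: 'Legacy script rule', lookupTarget: '' },
];

for (const f of auditLookupRules('true', sampleRules)) {
  console.log(`${PROPERTY}=true: rule "${f.rule}": ${f.issue}; expected "${f.want}"`);
}
```

    Any rule this reports mixes the CI and product model approaches in one instance, which is the misconfiguration this section associates with duplicate records.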