Components installed with Application Vulnerability Response
Several types of components are installed with activation of the Application Vulnerability Response feature, including tables, user roles, and scheduled jobs.
Starting with v24.0.6 of Application Vulnerability Response, the most frequently used system properties are now accessible within the Application Vulnerability Response application. To view these system properties, navigate to Application Vulnerability Response.
Demo data is available for this feature.
Roles installed
| Role title [name] | Description | Contains roles |
|---|---|---|
| V20.0: sn_vul.app_manage_auto_exception_rule | Create, update, delete, and cancel (deactivate) exception rules. | sn_vul.app_read_auto_exception_rule |
| sn_vul.app_manage_group_rules | Read, write, delete, and all operations on application remediation task rules. | |
| V20.0: sn_vul.app_exception_approver | Approves exception rules and exception rule extension requests. Starting from v20.0, the granular role, sn_vul.app_read_all, has been removed for this role so that you can access the application vulnerable items and remediation tasks assigned to you and your group instead of all the application vulnerable items and remediation tasks. | |
| sn_vul.app_false_positive_approver | Approves or rejects false positive requests. | sn_vul.view_manager_workspace |
| sn_vul.app_read_assigned | View application vulnerable items (AVIs) assigned to you in both the Classic UI and IT Remediation Workspace. Important: Starting with v24.0 of Vulnerability Response, the sn_vul.app_read_assigned role has the privilege to access the IT Remediation Workspace. | sn_vul.view_rem_workspace |
| sn_vul.app_read_all | View all AVIs and related information either in the Classic UI or Vulnerability Manager Workspace. Important: Starting with v24.0 of Vulnerability Response, the sn_vul.app_read_all role has the privilege to access the Vulnerability Manager Workspace. | sn_vul.view_manager_workspace |
| sn_vul.app_write_assigned | Update AVIs assigned to you. | |
| sn_vul.app_write_all | Update all AVIs and related information. | |
| sn_vul.app_update_assignment_group | Update AVI Assignment group. | Note: When used outside of the default user group, requires sn_vul.app_write_all or sn_vul.app_write_assigned. |
| sn_vul.app_update_assigned_to | Update AVI assignee. | Note: When used outside of the default user group, requires sn_vul.app_write_all or sn_vul.app_write_assigned. |
| sn_vul.app_configure_integrations | Configure third-party integrations. | sn_vul.app_read_all, sn_vul.app_read_integrations, sn_sec_int.admin, sn_vul_veracode.configure_integration, sn_vul.configure_nvd_administration. Note: To define or edit an App-Sec Manager user group by single or specific integrations, see Vulnerability Response personas and granular roles. |
| sn_vul.app_read_integrations | View all third-party integrations. | |
| sn_vul_veracode.configure_integration | Define, update, and delete Veracode integrations. | |
| sn_vul.app_manage_assignment_rules | Define, update, and delete AVI assignment rules. | sn_vul.app_read_all, sn_vul.app_read_assignment_rules |
| sn_vul.app_read_assignment_rules | View assignment rules. | |
| sn_vul.app_manage_remediation_target_rules | Define, update, and delete AVI remediation target rules. | sn_vul.app_read_all, sn_vul.app_read_remediation_target_rules |
| sn_vul.app_manage_risk_score_configurations | Define, update, and delete AVR calculators and risk rules. | sn_vul.app_read_all, sn_vul.app_read_risk_score_configuration, sn_sec_cmn.calc.write |
| sn_vul.app_read_risk_score_configuration | View AVR calculators and risk rules. | |
| sn_vul.app_manage_applications | View, update, and delete application records. | |
| sn_vul.app_manage_app_sc | Gives a Security Champion the ability to add or remove themselves from the Scanned Application related list. | |
| sn_vul.app_pa_sc_view | Provides relevant view to the specific Security Champion. | |
| sn_vul.app_manage_app_vul_permissions | [internal] Used by sn_vul.app_manage_applications. | |
| sn_vul.app_manage_normalized_severity | Update mapping to normalized severity. | sn_vul.app_read_normalized_severity |
| sn_vul.app_read_normalized_severity [Removed in v12.1. Don’t use.] | View normalized severity records. | |
| sn_vul.app_read_application_release | View application release records. | |
| sn_sec_int.admin | Provides access to integrations. | |
| pa_power_user | Provides access to reports. | pa_viewer |
| sn_vul.app_sec_manager | Prioritizes and manages application vulnerable items. | |
| sn_vul.app_developer | Developer responsible for fixing the application vulnerabilities. | |
| sn_vul.app_create_watch_topic | Create Watch Topics for application vulnerabilities. | |
| sn_vul.app_read_watch_topic | Read Watch Topics for application vulnerabilities. | |
| sn_vul.app_edit_watch_topic | Edit Watch Topics for application vulnerabilities. | |
| sn_vul_blackduck.configure_integration | Configure third-party integrations. | sn_vul_blackduck.configure_integration |
Scheduled jobs installed
For Vulnerability Response shared scheduled jobs, see Components installed with Vulnerability Response.
| Scheduled job | Description |
|---|---|
| Associate existing AVIs with Auto Exception Rule | Evaluates application vulnerable items for matches to exception rules. |
| Populate Entry and CVE M2M | Makes existing records consistent with multiple CWE records. Run once after upgrade to populate then disable. |
| Resync primary CWE | For customized primary CWE calculations. Run once after upgrade to resync then disable. |
| Rollup application vulnerable item values to vulnerability and group | Calculates vulnerabilities and group roll ups for application vulnerable items. Note: Starting with v23.0 of Application Vulnerability Response, the scheduled job is enhanced to create background jobs with multithreading capabilities. This upgrade involves segmenting the job into several smaller child jobs, which are executed either in parallel or concurrently. This modification enables processing of multiple records simultaneously, thus significantly speeding up the overall task. |
| Black Duck Project List Integration | Pulls and ingests data into the Black Duck projects table. |
| Black Duck Application List Integration | Imports applications into discovered applications table for all the project versions available with Black Duck Integration in projects table. |
| Black Duck Application Vulnerable Item Integration | Ingests vulnerable items into ServiceNow application based on the vulnerabilities detected by scanners for every discovered application in the system. |
Tables installed
| Table | Description |
|---|---|
| Application Release [sn_vul_app_release] | Contains application version information. |
| Version 13.0: Application Security Champions [sn_vul_app_m2m_app_sc] | Contains the Application Vulnerability Response Security Champion group records. |
| Application Vulnerability Entry [sn_vul_app_vul_entry] | Contains application vulnerability entries. |
| Application Vulnerability Integration [sn_vul_app_integration] | Contains Application Vulnerability Response integration records. |
| Application Vulnerability Scan Location [sn_vul_app_vul_scan_location] | Contains third-party scan location information. |
| Application Vulnerability Scan Summary [sn_vul_app_vul_scan_summary] | Contains third-party scan summary information. |
| Application Vulnerable Item [sn_vul_app_vulnerable_item] | Contains AVI records. Starting with v19.0, the following columns are added for Software Bill of Materials: |
| Scanned Application [sn_vul_app_scanned_application] | Contains application information. |
| State Map [sn_vul_app_state_map] | Contains state mapping from third-party integrations to application vulnerable item (AVI) states. |
| Vulnerability CWEs [sn_vul_m2m_entry_cwe] | Links CVE data to application vulnerable entries. |
| Application Remediation Task Manifest [sn_vul_app_rt_manifest] | Scheduled jobs use this manifest table to apply any updates to remediation tasks. |
| Application Remediation Task [sn_vul_app_vulnerability] | Contains application remediation tasks. |
| Application Remediation Task Item [sn_vul_app_m2m_vul_group_item] | M2M table between AVI and application remediation tasks. |
| Version 21.0: Application Vulnerable Items [sn_vul_app_vulnerable_item] | Contains AVI records. |
| Version 21.0: Package [sn_vul_app_package] | Contains application package details. |
| Version 21.0: Licenses [sn_vul_app_license] | Contains application licenses. |
| Version 21.0: Application Remediation Tasks [sn_vul_app_vulnerability] | Contains application remediation tasks. |
| sn_vul_blackduck_config | Contains Black Duck integration configuration details. |
| sn_vul_blackduck_project | Contains details of the projects coming from Black Duck. |
| sn_vul_blackduck_project_import | Import set table for the Black Duck project ingestion. |
| sn_vul_blackduck_app_import | Import set table for the Black Duck application ingestion. |
| sn_vul_blackduck_avit_import | Import set table for the Black Duck AVIT ingestion. |