Creating rules for application vulnerable items in the Software Bill of Materials Workspace
To manage application vulnerable items (AVITs) within the Software Bill of Materials (SBOM) Workspace, you must first configure rules that define when AVITs are created. These AVITs identify vulnerabilities associated with third-party components in your applications based on ingested SBOM data.
The SBOM Response and Vulnerability Response applications are required to automate AVIT creation and remediation using the Application Vulnerability Response workflow. AVITs help you evaluate and remediate risks from vulnerable components efficiently.
Key Features
- Rule-Based AVIT Creation: AVITs are generated automatically when imported SBOM data matches predefined rule conditions. Users with the sn_sbom_resp.manage_avi_rule role can create and manage these rules in the SBOM Workspace.
- Visibility and Tracking: AVITs created from SBOM data are viewable within the SBOM Workspace and can be monitored alongside other vulnerable items in the Vulnerability Manager Workspace. The List Module consolidates AVITs, National Vulnerability Database (NVD) entries, Common Weakness Enumeration (CWE) entries, and application vulnerabilities.
- Remediation Assignment: You can assign AVITs for remediation using assignment rules informed by known vulnerability sources like NVD. This triggers remediation tasks (AVULs) that are automatically assigned to groups.
- Integration with Vulnerability Manager Workspace: SBOM AVITs are accessible within the Vulnerability Manager Workspace, allowing you to filter and manage these items effectively. This workspace supports watch topics and comprehensive remediation workflows.
- Reopening Closed AVITs: Closed AVITs automatically reopen if the vulnerability is detected again through scans or subsequent SBOM uploads, unless they are in specific substates (e.g., Mitigation Control in Place, Not Affected, False Positive) or if the system property to reopen AVITs is deactivated.
Practical Considerations for ServiceNow Customers
- Ensure that the SBOM Response and Vulnerability Response applications are installed and activated to utilize AVIT creation and remediation features.
- Assign the sn_sbom_resp.manage_avi_rule role to users responsible for creating and managing AVIT rules.
- Set up AVIT creation rules carefully in the SBOM Workspace to match your organizational vulnerability management policies and the types of components you want to monitor.
- Use the Vulnerability Manager Workspace to track, filter, and remediate AVITs alongside other vulnerability data, leveraging assignment and remediation task rules.
- Maintain the default behavior for reopening AVITs unless there is a specific reason to deactivate it, ensuring that vulnerabilities are continuously monitored even after closure.
Before you can see application vulnerable items (AVITs) in the Software Bill of Materials (SBOM) Workspace, you must set up the conditions under which AVITs are created.
AVITs in the SBOM Workspace
If you’ve installed and activated the SBOM Response application, AVITs are created for SBOM files if any of the imported data matches the conditions of your existing AVIT creation rules.
The SBOM Response and Vulnerability Response applications are required to set up rules for creating application vulnerable items (AVITs) automatically and remediating them with the Application Vulnerability Response workflow. See Exploring Software Bill of Materials for more information.
As a user with the sn_sbom_resp.manage_avi_rule role, you must add AVIT creation rules in the SBOM Workspace before you can create AVITs for the vulnerabilities that are found in your ingested SBOM data. AVITs enable you to evaluate the integrity of the third-party components in your applications. An AVIT is created in your instance when an application is matched to a component that has an associated vulnerability.
In the SBOM Workspace, you can view only SBOM AVITs. However, you can view SBOM AVITs along with other types of vulnerable items in the Vulnerability Manager Workspace in Vulnerability Response. All AVITs that have been created in the SBOM Workspace are listed in the List Module, which also includes all NVD and CWE entries and Application Vulnerabilities.
You can also assign AVITs for remediation based on recommendations from known vulnerability lists such as the National Vulnerability Database (NVD). A scheduled job is triggered, and if the conditions of your creation rules match the ingested data, AVITs are created.
You can track and remediate AVITs by setting up customized rules.
See Create an application vulnerable item rule in the Software Bill of Materials Workspace for information about how to create a rule.
SBOM AVITs in Vulnerability Manager Workspace in Vulnerability Response
You can view any SBOM AVITs that are created in the SBOM Workspace in the Vulnerability Manager Workspace if you have access to it.
For more information about the Vulnerability Manager Workspace, how to view watch topics, application remediation efforts, and application remediation task rules for AVITs that are configured from the Vulnerability Response application in the Vulnerability Manager Workspace, see Use watch topics in the Vulnerability Manager Workspace.
Remediation tasks (AVULs) are created from AVITs and assigned automatically to groups for remediation based on your assignment rules. For more information about how to create these rules, see the following topics:
Reopening application vulnerable items in SBOM Response
A Closed AVIT is reopened automatically when all of the following conditions are met:
- The AVIT with the associated vulnerability is detected again by a third-party integration's vulnerability scans, or the component with the vulnerability is part of a subsequent SBOM upload.
- You have not deactivated the Reopen AVITs if detected (sn_sbom_resp.reopen_avits_if_detected) system property. This system property is activated by default.
- The substate of the Closed AVIT is not one of the following: Mitigation Control in Place, Not Affected, or False Positive. AVITs with these substates are not reopened by the system property.
Deactivate this system property only if you do not want Closed AVITs to reopen automatically.
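The creation and reopen behaviour described on this page, modelled as an added Python example (not ServiceNow code and not the SBOM Response implementation): a constructed SBOM is matched against a constructed vulnerability list, an AVIT creation rule is applied to each match, a new AVIT is created for every match that has no existing record, and a Closed AVIT is reopened only when the reopen property is active and its substate is not one of the three excluded substates. The component names, vulnerability ids, severity-based rule, and the `Avit` record are assumptions made for this example.

```python
"""Model of AVIT creation and reopen decisions for ingested SBOM data.

This is an illustrative model, not the SBOM Response application's code.
Component names, vulnerability ids and severities below are constructed.
"""
from dataclasses import dataclass

# Substates in which a Closed AVIT is never reopened (from the page).
REOPEN_EXCLUDED_SUBSTATES = {"Mitigation Control in Place", "Not Affected", "False Positive"}


@dataclass
class Avit:
    """Simplified application vulnerable item (assumed record shape)."""
    application: str
    component: str          # "name@version"
    vulnerability: str
    state: str = "Open"
    substate: str = ""
    reopen_count: int = 0


def component_key(component: dict) -> str:
    return f"{component['name']}@{component['version']}"


def process_sbom(sbom, vuln_db, rule, existing, reopen_if_detected=True):
    """Apply the creation rule to every component/vulnerability match.

    Returns (created, reopened, skipped) lists of Avit records. `existing` is
    mutated in place to hold newly created AVITs, as an instance would.
    `reopen_if_detected` models the sn_sbom_resp.reopen_avits_if_detected property.
    """
    created, reopened, skipped = [], [], []
    index = {(a.application, a.component, a.vulnerability): a for a in existing}
    for component in sbom["components"]:
        key = component_key(component)
        for vuln in vuln_db.get(key, []):
            if not rule(component, vuln):
                continue                      # match does not satisfy the creation rule
            avit = index.get((sbom["application"], key, vuln["id"]))
            if avit is None:                  # first time this match is seen: create
                avit = Avit(sbom["application"], key, vuln["id"])
                existing.append(avit)
                index[(avit.application, avit.component, avit.vulnerability)] = avit
                created.append(avit)
            elif avit.state == "Closed":      # detected again after closure
                if reopen_if_detected and avit.substate not in REOPEN_EXCLUDED_SUBSTATES:
                    avit.state, avit.substate = "Open", ""
                    avit.reopen_count += 1
                    reopened.append(avit)
                else:
                    skipped.append(avit)
    return created, reopened, skipped


# --- constructed sample data -------------------------------------------------
SBOM = {"application": "payments-api", "components": [
    {"name": "pkg-a", "version": "1.0"}, {"name": "pkg-b", "version": "2.3"},
    {"name": "pkg-c", "version": "0.9"}, {"name": "pkg-d", "version": "4.1"}]}

# Constructed vulnerability list keyed by component; ids are placeholders.
VULN_DB = {"pkg-a@1.0": [{"id": "VULN-0001", "severity": "critical"}],
           "pkg-b@2.3": [{"id": "VULN-0002", "severity": "high"}],
           "pkg-c@0.9": [{"id": "VULN-0003", "severity": "low"}],
           "pkg-d@4.1": [{"id": "VULN-0004", "severity": "high"}]}


def high_or_critical(component, vuln):
    """Example AVIT creation rule: only act on high and critical findings."""
    return vuln["severity"] in {"critical", "high"}


def existing_avits():
    """Two Closed AVITs from an earlier upload: one plain, one marked Not Affected."""
    return [Avit("payments-api", "pkg-a@1.0", "VULN-0001", state="Closed"),
            Avit("payments-api", "pkg-b@2.3", "VULN-0002", state="Closed",
                 substate="Not Affected")]


def run(reopen_if_detected=True):
    """Process the sample SBOM and summarise outcomes by component key."""
    created, reopened, skipped = process_sbom(
        SBOM, VULN_DB, high_or_critical, existing_avits(), reopen_if_detected)
    return {"created": [a.component for a in created],
            "reopened": [a.component for a in reopened],
            "skipped": [a.component for a in skipped]}


if __name__ == "__main__":
    print("property active:  ", run(True))
    print("property inactive:", run(False))
```

With the property active, pkg-d@4.1 gets a new AVIT, the Closed AVIT for pkg-a@1.0 reopens, the Not Affected AVIT for pkg-b@2.3 stays closed, and pkg-c@0.9 produces nothing because its low-severity finding fails the rule; with the property deactivated, both Closed AVITs stay closed while creation of new AVITs is unaffected.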