Assessment tab

  • Release version: Zurich
  • Updated July 31, 2025

    Review the assessment results in the Assessment tab. After you perform an assessment of the vulnerability event, the record is correlated against the data from Software Bill of Materials and Software Asset Management and displayed with visualizations.

    The Assessment tab populates data (if available) based on the assessment record that you create, and correlates the details against assessments from Software Asset Management and Software Bill of Materials component data in the CMDB.

    How the assessment works

    When you select the Assess button, an assessment is initiated for all the related CVEs and affected products, using both Software Asset Management and SBOM data. A background job is triggered, and when the assessment is processed, the VITs or AVITs associated with the vulnerable entries or CVEs are displayed in the Vulnerable Items and Application Vulnerable Items tabs.
    • All the vulnerable items or TPEs related to the CVE are identified.
    • The Configuration Items (CIs) related to the vulnerable items are also identified and displayed in the affected configuration items table.
    • If the CIs are not present in the affected CI table, the identified CIs are added to the table, the Has vulnerable item flag is set to true, and the Source field is set to Scanner.
    • If the CI already exists in the affected configuration items table, only the Has vulnerable item flag is set to true, and the Source remains unchanged from when the assessment record was created.
    • If vulnerable items are created after the assessment, a Vulnerability Assessment scheduled job runs to update the affected CIs table and the source of the CI.
    • On the Assessment workspace, you can view timestamps to see the last assessment of the events. The Assessment tab is visible only when new assessments are created. If the assessment is in the in-progress state, the last assessment status shows that the assessment is in progress. To view the updated assessment status, refresh the page. Once the assessment is completed, you can see all the related tabs for that assessment.
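
The update rules above, modelled as an added illustration (this is not ServiceNow code). The Map-based table, the field names, the CI and VI identifiers, and the SAM and SBOM source labels are assumptions; only the Scanner source value and the Has vulnerable item flag come from this page.

```javascript
// Constructed model, not ServiceNow code: the affected CI table is a Map of
// ciId -> { hasVulnerableItem, source }. Field names and every source label
// other than "Scanner" are assumptions made for this sketch.
function applyVulnerableItems(affectedCis, vulnerableItems) {
  for (const vi of vulnerableItems) {
    if (!vi.ciId) continue;            // a VI with no CI cannot touch the table
    const row = affectedCis.get(vi.ciId);
    if (row) {
      row.hasVulnerableItem = true;    // existing row: flag only, source kept
    } else {
      affectedCis.set(vi.ciId, { hasVulnerableItem: true, source: 'Scanner' });
    }
  }
  return affectedCis;
}

// Counts of the kind shown by the "Configuration Items (Host/Infra)" and
// "Configuration Items by Assessment Source" widgets.
function summarize(affectedCis) {
  const out = { total: 0, withVi: 0, withoutVi: 0, bySource: {} };
  for (const row of affectedCis.values()) {
    out.total += 1;
    if (row.hasVulnerableItem) out.withVi += 1; else out.withoutVi += 1;
    out.bySource[row.source] = (out.bySource[row.source] || 0) + 1;
  }
  return out;
}

function demo() {
  // Constructed sample: two CIs already in the table when the assessment runs.
  const table = new Map([
    ['ci-web-01', { hasVulnerableItem: false, source: 'SAM' }],
    ['ci-app-02', { hasVulnerableItem: false, source: 'SBOM' }],
  ]);
  // Assessment run: one VI on a known CI, two on a CI not yet in the table.
  applyVulnerableItems(table, [
    { id: 'VIT-1', ciId: 'ci-web-01' },
    { id: 'VIT-2', ciId: 'ci-db-03' },
    { id: 'VIT-3', ciId: 'ci-db-03' },
  ]);
  // Later scheduled-job pass, modelled as the same rule applied to a new VI.
  applyVulnerableItems(table, [{ id: 'VIT-4', ciId: 'ci-lb-04' }]);
  return { table, summary: summarize(table) };
}

console.log(JSON.stringify(demo().summary));
```

In this model, a CI that entered the table through SAM or SBOM correlation keeps that source after a vulnerable item is found on it, so a by-source breakdown counts it under its original source rather than under Scanner.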
    Figure 1. Vulnerability Assessment Workspace: Assessment tab
    The assessment details are displayed in the following widgets.
    • Configuration Items (Host/Infra)
    • Scanned Applications
    • BOM Components and Product Models
    • Configuration Items by CI Class (Installation Assessment)
    • Configuration Items by Assessment Source – Displays the Affected Configuration Items list.

    Data visualizations

    | Name | Type | Description |
    |------|------|-------------|
    | Configuration Items (Host/Infra) | Single Score | Displays the count of CIs with and without VIs. The Configuration Items widget displays the total count of CIs that are found to be associated with the assessment record. The widget further displays the configuration items with vulnerable items and without vulnerable items. |
    | Scanned Applications | Count | Total count of applications scanned with AVITs. Note: You can view the count of scanned applications for both primary and secondary CVEs. |
    | BOM Components and Product Models | Single Score | Total Component count, Product model count, With Application Vulnerable Items, Without Application Vulnerable Items count. |
    | Configuration Items by Assessment Source | Stacked bar | Affected Configuration Items stacked by the assessment source. |
    | Configuration Items by CI Class (Installation Assessment) | Pie Chart | Configuration Items stacked by CI Class. |