Vulnerability Response applications and CSDM tables
Summary of Vulnerability Response applications and CSDM tables
The Vulnerability Response, Application Vulnerability Response, third-party vulnerability integrations, and Software Bill of Materials (SBOM) applications in ServiceNow manage and utilize Common Service Data Model (CSDM) tables to handle vulnerability and asset data. These applications import asset information from third-party scanners, reconcile this with the Configuration Management Database (CMDB), and enhance vulnerability management by linking to CSDM objects. This integration supports automated remediation workflows and enriches vulnerability data with business context.
Key Features
- Data Integration: Assets imported from external vulnerability scanners are stored in specific tables such as Host Vulnerability Response Discovered Items and Application Vulnerability Response Discovered Applications, linking to corresponding CSDM tables.
- CMDB Lookups: Imported data is matched against existing CMDB Configuration Items (CIs), enabling enrichment with non-discoverable attributes like Support Group or Classification, which can be used in automated assignment rules.
- Scripted Rules for Automation: Customers can create scripted rules to query CSDM data (e.g., CI classification) to automate vulnerable item assignments and remediation workflows effectively.
- Referenced CSDM Tables: Key tables used include Product Model [cmdb_model], Application Model [cmdb_application_product_model], Configuration Item [cmdb_ci], Business Service [cmdb_ci_service_business], Technology Management Service [cmdb_ci_service_technical], and others supporting detailed asset and service modeling.
- SBOM Integration: When uploading SBOM files, the system attempts to match products and business applications with existing CMDB records to ensure accurate linkage and vulnerability tracking.
- Third-Party and NVD/CWE Integrations: Vulnerabilities imported from the National Vulnerability Database (NVD), Common Weakness Enumeration (CWE), and other scanners are reconciled with CMDB assets to create prioritized remediation tasks with risk scoring and business context.
Key Outcomes
- Improved Remediation Efficiency: Automated grouping, risk scoring, prioritization, and assignment of vulnerable items enhance security operations and reduce manual effort.
- Enhanced Visibility and Context: Linking vulnerability data to CMDB and CSDM objects provides richer business context, improving decision-making and remediation prioritization.
- Integrated Security Ecosystem: Integration with other ServiceNow products such as Security Posture Control, Governance, Risk, and Compliance, and DevOps environments (including GitHub Actions) extends security coverage and risk management capabilities.
- Comprehensive Asset and Vulnerability Management: The combination of vulnerability response applications with CSDM tables ensures a unified view of enterprise assets, vulnerabilities, and remediation progress, supporting continuous security improvement.
The Vulnerability Response, Application Vulnerability Response, third-party vulnerability integrations and Software Bill of Materials applications manage (contribute data to) CSDM tables. These applications also use data from CSDM tables that other applications generate. Several ServiceNow products, therefore, benefit from and add value to these Security Operations applications.
CSDM tables referenced by Vulnerability Response, Application Vulnerability Response, third-party vulnerability integrations and Software Bill of Materials applications
- Host Vulnerability Response Discovered Items
- Cloud and Container Vulnerability Response Discovered Images
- Application Vulnerability Response Discovered Applications (product model)
Each CI record may carry non-discoverable attributes, for example Support Group or Classification, that are populated on the CI and can be used as input to vulnerable item assignment rules. These attributes might be populated by Common Service Data Model (CSDM) synchronizations based on upstream Technical Service Offerings.
If you want to use related CSDM objects in Vulnerability Response, Application Vulnerability Response, third-party vulnerability integrations and Software Bill of Materials applications, you need scripted rules.
For example, to automatically assign vulnerable items for remediation with vulnerable item assignment rules, you might create a rule that uses the configuration item's Classification value as it is updated on imported vulnerability entries. For this case, you need a scripted rule that queries the target value you want from the related CSDM object.
Below is an example of a scripted query that you might use to see if a CI has Java and is tied to a vulnerability entry.
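As an added example, and not the page's own script or ServiceNow's code, the following server-side style script shows the shape such a scripted rule takes: follow the vulnerable item to its CI, check whether Java is installed on that CI, and otherwise fall back to the CI's non-discoverable Support Group attribute. `sn_vul_vulnerable_item`, `cmdb_ci` and `cmdb_sam_sw_install` are real ServiceNow tables and `support_group` is a real `cmdb_ci` field; the sample records, the `StandInGlideRecord` class (which mimics the small subset of the GlideRecord API the rule calls) and `JAVA_PLATFORM_GROUP` are constructed here so the logic runs offline. Matching Java by `display_name` is an assumption about how your software inventory names it, and wiring the function into an assignment rule's script field is left to the rule's own script API, which this example does not reproduce.

```javascript
// Added example, not ServiceNow's own code. A scripted vulnerable item
// assignment decision that (1) follows the vulnerable item to its CI,
// (2) checks whether Java is installed on that CI, and (3) otherwise falls
// back to the CI's non-discoverable Support Group attribute.
//
// sn_vul_vulnerable_item, cmdb_ci and cmdb_sam_sw_install are real ServiceNow
// tables and cmdb_ci.support_group is a real field. JAVA_PLATFORM_GROUP is a
// placeholder for the sys_id of the group that should receive Java findings.
const JAVA_PLATFORM_GROUP = 'PLACEHOLDER_JAVA_GROUP_SYS_ID';

// Constructed sample data so the rule runs offline. On an instance, pass the
// real GlideRecord constructor to evaluateAssignmentRule instead.
const SAMPLE_TABLES = {
  sn_vul_vulnerable_item: [
    { sys_id: 'vi-1', cmdb_ci: 'ci-1' },
    { sys_id: 'vi-2', cmdb_ci: 'ci-2' },
    { sys_id: 'vi-3', cmdb_ci: 'ci-unmatched' }, // imported asset never reconciled to a CI
  ],
  cmdb_ci: [
    { sys_id: 'ci-1', name: 'web01', support_group: 'grp-web' },
    { sys_id: 'ci-2', name: 'db01', support_group: 'grp-db' },
  ],
  cmdb_sam_sw_install: [
    { sys_id: 'sw-1', installed_on: 'ci-1', display_name: 'Java(TM) SE Runtime Environment 8' },
    { sys_id: 'sw-2', installed_on: 'ci-2', display_name: 'PostgreSQL 15' },
  ],
};

// Minimal stand-in for the subset of the GlideRecord API the rule uses:
// addQuery in its 2-argument (equals) and 3-argument (operator) forms,
// query, next and getValue.
class StandInGlideRecord {
  constructor(table) {
    this.rows = SAMPLE_TABLES[table] || [];
    this.filters = [];
    this.matches = [];
    this.index = -1;
  }
  addQuery(field, operatorOrValue, value) {
    const op = value === undefined ? '=' : operatorOrValue;
    const needle = value === undefined ? operatorOrValue : value;
    this.filters.push(function (row) {
      const actual = String(row[field] === undefined ? '' : row[field]);
      return op === 'CONTAINS' ? actual.indexOf(needle) !== -1 : actual === needle;
    });
  }
  query() {
    const filters = this.filters;
    this.matches = this.rows.filter(function (row) {
      return filters.every(function (f) { return f(row); });
    });
    this.index = -1;
  }
  next() { this.index += 1; return this.index < this.matches.length; }
  getValue(field) { return this.matches[this.index][field]; }
}

// True when at least one installed-software record on the CI names Java.
function ciHasJava(ciSysId, GlideRecordCtor) {
  const sw = new GlideRecordCtor('cmdb_sam_sw_install');
  sw.addQuery('installed_on', ciSysId);
  sw.addQuery('display_name', 'CONTAINS', 'Java');
  sw.query();
  return sw.next();
}

// Decides the assignment group for one vulnerable item. Returns null when the
// item has no reconciled CI (or the CI has no support group) so that a
// default rule can handle it instead.
function evaluateAssignmentRule(vulnerableItemSysId, GlideRecordCtor) {
  const vi = new GlideRecordCtor('sn_vul_vulnerable_item');
  vi.addQuery('sys_id', vulnerableItemSysId);
  vi.query();
  if (!vi.next()) return null;

  const ci = new GlideRecordCtor('cmdb_ci');
  ci.addQuery('sys_id', vi.getValue('cmdb_ci'));
  ci.query();
  if (!ci.next()) return null; // imported asset was not matched to a CI

  if (ciHasJava(ci.getValue('sys_id'), GlideRecordCtor)) {
    return { assignmentGroup: JAVA_PLATFORM_GROUP, reason: 'java_installed' };
  }
  const supportGroup = ci.getValue('support_group');
  return supportGroup ? { assignmentGroup: supportGroup, reason: 'ci_support_group' } : null;
}

// Offline run over the constructed data.
['vi-1', 'vi-2', 'vi-3'].forEach(function (id) {
  console.log(id, JSON.stringify(evaluateAssignmentRule(id, StandInGlideRecord)));
});
```

The rule returns `null` rather than guessing when the vulnerable item was never reconciled to a CI, which is the case the page's CMDB-matching step produces when an imported asset has no CMDB record; handling that explicitly keeps unmatched items visible to a default rule instead of silently routing them to the wrong team.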
- The Product Model [cmdb_model] table (referenced by Application Vulnerability Response and Software Bill of Materials).
- The Application Model [cmdb_application_product_model] table (referenced by Application Vulnerability Response and Software Bill of Materials).
- The Configuration Item [cmdb_ci] table.
- The Business Service [cmdb_ci_service_business] table.
- The Service [cmdb_ci_service] table.
- The CMDB Group [cmdb_group] table.
- The Dynamic CI Group [cmdb_ci_query_based_service] table.
CSDM tables used by Vulnerability Response, Application Vulnerability Response, third-party vulnerability integrations and Software Bill of Materials applications
- The Product Model [cmdb_model] table (used by Application Vulnerability Response and Software Bill of Materials).
- The Application Model [cmdb_application_product_model] table (used by Application Vulnerability Response and Software Bill of Materials).
- The Configuration Item [cmdb_ci] table.
- The Business Application [cmdb_ci_business_app] table (used by Application Vulnerability Response and Software Bill of Materials).
- The Business Service [cmdb_ci_service_business] table.
- The Technology Management Service [cmdb_ci_service_technical] table (formerly Technical Service).
When you upload Software Bill of Materials files, the SBOM applications try to match any Product Model and Business Application records you upload to those that already exist in your CMDB. You can link service instances (formerly called application services) or business applications to a product model.
Products that add value to Vulnerability Response, Application Vulnerability Response, third-party vulnerability integrations and Software Bill of Materials applications
- Third-party vulnerability scanners and integrations: Imported vulnerabilities from the National Vulnerability Database (NVD) and detection data from third-party scanners are reconciled with the assets in your CMDB. When an imported vulnerability matches an existing asset, a vulnerable item is created. Vulnerable items are grouped automatically into tasks for remediation, risk-scored with business context, prioritized and assigned to appropriate teams for remediation. For more information and a list of integrations, see Vulnerability Response integrations.
- The CWE Comprehensive 2000 and NVD Integrations: Imported data from the NIST National Vulnerability Database (NVD) and Common Weakness Enumeration (CWE) integrations is used to enrich the vulnerability data in your instance and help you decide whether to escalate remediation for a vulnerability, vulnerable item, or remediation task. See Understanding the NVD integrations and Configure and run the scheduled job for updating CWE records for more information.
Products that benefit from integration with Software Bill of Materials
- Security Posture Control: Security Posture Control enables cybersecurity teams to get visibility into their complete enterprise asset inventory and determine their overall security posture. Policies in SPC can detect assets with vulnerabilities that you import with the Vulnerability Response applications, which helps you locate security tool coverage gaps.
- Governance, Risk, and Compliance: Connect security and IT with an integrated risk program offering continuous monitoring, prioritization, and automation.
- DevOps: Protect your environments from potentially harmful components during software development cycles with GitHub Actions that you initiate from your GitHub environment. Upload SBOM files to the ServiceNow AI Platform from your GitHub repositories.