Checking a Software Bill of Materials entity for vulnerabilities
Determine whether any vulnerabilities are associated with the components in an uploaded Software Bill of Materials (SBOM) file.
- SBOM Response
- Vulnerability Response Integration with NVD and CWE jobs
- Vulnerability Response
Role required: sn_sbom_resp.sbom_analyst
- Navigate to All > SBOM Workspace > Components.
- View vulnerability information either through a visualization or a component record:

Method: BOM Entities with Vulnerabilities visualization
Actions:
- Select the BOM Entities with Vulnerabilities visualization graph.
- If vulnerabilities are associated with a component, the totals are displayed in the CVE and CWE columns on the list. A component can have more than one vulnerability. If available, you can check the Fixability column on this list for entries.
- If no vulnerabilities are associated with a component, these columns display 0 or no values for the component.
If the CVE, CWE, and Fixability columns are not displayed, you can add them to the page by selecting the gear icon on the upper right of the page and then Edit columns. Select them from the Available column list and select OK.

Method: Component record
Actions:
- Select a record from the list below the visualizations.
- Select the Vulnerabilities tab on the record.
- If no data is displayed, no reported vulnerabilities are associated with the record.
- If data is displayed, see Reviewing the Components module in the Software Bill of Materials Workspace and follow the steps in the remediation workflow for Application Vulnerability Response to address the vulnerability.

For more information, see Remediating Application Vulnerability Response vulnerabilities.
Assessing your risk with vulnerability intelligence
View more enhanced vulnerability data with SBOM Response on component records. The SBOM Response application, Vulnerability Response, National Vulnerability Database (NVD) Integration and Common Weakness Enumeration (CWE) scheduled jobs described in Supported applications must be installed and activated.
- Select the All Components visualization to view its list of associated records.
- Select a link in the Name column to open a record.
The states Stale, Abandoned, and Vulnerable are displayed under the component name. A component can have any combination of these states. If no state is displayed, the component is not stale, abandoned, or vulnerable.
Review the current version and the latest published version. In the right panel, you can view a version history. The current version is highlighted in the version history, and its position in the list may give you insight into why a component is Stale, Abandoned, or Vulnerable. For example, you might be using an older version of a component.
- Select the Overview, Hashes, BOM Entities, Vulnerabilities, and AVIs related tabs on the record.
- Overview - A summary of the component details.
- BOM Entities - A list of the entities associated with this component.
- Hashes - If imported, hashes are displayed.
- Vulnerabilities - Information about known vulnerabilities associated with this component. If this list is empty, there are no known vulnerabilities.
If the list is populated, select the tab to view vulnerability IDs, summaries, and other vulnerability information for the Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) data associated with this record. CVEs are broken down by severity; CWEs are broken down by how likely the weakness is to be exploited. You can view the enhanced vulnerability records in the Vulnerability Response or Application Vulnerability Response applications by selecting the vulnerability ID link.
- AVIs (AVITs) - Application vulnerable items associated with this component if you have created AVIT creation rules that match the component to a known vulnerability. The Application Vulnerability Response application (AVR) relates a vulnerability to an application to create an AVI record. For more information, see Creating rules for application vulnerable items in the Software Bill of Materials Workspace.
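As an added illustration of what the CVE, CWE and Fixability columns in the BOM Entities with Vulnerabilities list and the per-severity breakdown on the Vulnerabilities tab summarise, the following script (example code, not ServiceNow's) joins a constructed CycloneDX-style SBOM fragment against a constructed vulnerability feed. The feed format, the placeholder CVE/CWE identifiers, and the matching rule (exact package name plus the component version being listed as affected) are assumptions, not how the platform matches records.

```python
import json
from collections import defaultdict

# Constructed CycloneDX-style SBOM fragment (sample data, not a real export)
SBOM_JSON = """
{"bomFormat": "CycloneDX", "components": [
  {"name": "libexample", "version": "1.2.0", "purl": "pkg:generic/libexample@1.2.0"},
  {"name": "parserlib", "version": "3.0.1", "purl": "pkg:generic/parserlib@3.0.1"},
  {"name": "cleanlib",  "version": "2.4.0", "purl": "pkg:generic/cleanlib@2.4.0"}
]}
"""

# Constructed vulnerability feed: placeholder IDs, not real CVE or CWE entries
VULN_FEED = [
    {"cve": "CVE-0000-0001", "cwe": "CWE-79",  "severity": "High",
     "package": "libexample", "affected": ["1.1.0", "1.2.0"], "fixed_in": "1.2.1"},
    {"cve": "CVE-0000-0002", "cwe": "CWE-79",  "severity": "Medium",
     "package": "libexample", "affected": ["1.2.0"], "fixed_in": None},
    {"cve": "CVE-0000-0003", "cwe": "CWE-502", "severity": "Critical",
     "package": "parserlib", "affected": ["3.0.1"], "fixed_in": "3.0.2"},
]


def assess(sbom_json, feed):
    """Return one row per SBOM component with the column values a list view would show."""
    rows = {}
    for comp in json.loads(sbom_json)["components"]:
        # Assumed matching rule: same package name and the SBOM version is listed as affected
        matches = [v for v in feed
                   if v["package"] == comp["name"] and comp["version"] in v["affected"]]
        by_severity = defaultdict(int)
        for v in matches:
            by_severity[v["severity"]] += 1
        rows[comp["name"]] = {
            "version": comp["version"],
            "cve": len(matches),                      # CVE column: matched vulnerabilities
            "cwe": len({v["cwe"] for v in matches}),  # CWE column: distinct weakness types
            "by_severity": dict(by_severity),         # severity breakdown on the tab
            # Fixability: True only if every matched CVE has a fixed version; None if clean
            "fixable": all(v["fixed_in"] for v in matches) if matches else None,
            "vulnerable": bool(matches),
        }
    return rows


if __name__ == "__main__":
    for name, row in assess(SBOM_JSON, VULN_FEED).items():
        print(name, row)
```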