Understanding the NVD integrations
Summary of Understanding the NVD integrations
The NVD integrations in ServiceNow utilize data imported from the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) to help you assess the impact and prioritize vulnerabilities in your code. These integrations are essential to run during the initial setup of Vulnerability Response and before importing vulnerability data from third-party scanner products.
The NIST NVD provides both Common Vulnerabilities and Exposures (CVE) and Common Platform Enumeration (CPE) data, which seamlessly integrate with ServiceNow’s Vulnerability Response to enrich your vulnerability data. The integrations run as scheduled jobs, keeping your instance synchronized with current vulnerability information.
Key Features
- Automatic Scheduled Jobs: The primary integration, NIST National Vulnerability Database Integration-API (CVE only), runs daily by default, ensuring your vulnerability data remains up to date.
- Multiple Integration Options: Includes separate integrations for CVE data, CPE data, and unmapped CPE data. Only the CVE-only integration is active by default; others require manual activation.
- Data Enrichment: Imports CVE, CPE, and Common Weakness Enumeration (CWE) data to enrich Vulnerability Response records before importing third-party scanner data.
- Third-Party Library Integration: Supports ingestion of vulnerability data from third-party products (e.g., Qualys) which reference NVD data, providing a unified, enriched vulnerability view.
- Run-As User Configuration: Integrations use a configured run-as user (default is VR.System) which should not be changed to ensure proper operation.
- Licensing Note: Activating these plugins on production instances may require separate licensing.
Practical Guidance for ServiceNow Customers
- Before importing third-party vulnerability data, install and run at least the CVE-only NVD integration along with the CWE integration to enrich your Vulnerability Response data.
- Schedule the CWE updates prior to running the NVD updates (default NVD update runs weekly on Mondays).
- Verify successful initial imports of CVE and CPE data to ensure your vulnerability data is comprehensive and current.
- Access and manage NVD integrations via Vulnerability Response or Application Vulnerability Response > Administration > Integrations.
- Use the integration run statuses to monitor import success and troubleshoot as needed.
- Deactivate or avoid using the deprecated combined CVE and CPE integration; instead, use the separate integrations available.
Expected Outcomes
By properly configuring and running the NVD integrations, your ServiceNow Vulnerability Response application will:
- Maintain up-to-date vulnerability data directly linked to authoritative NVD sources.
- Provide enriched insights into vulnerabilities by correlating CVEs, CWEs, and CPEs with third-party scanner data.
- Enable more accurate impact analysis and prioritization of vulnerabilities across your environment.
- Simplify vulnerability remediation workflows through automated and scheduled synchronization with NVD and third-party libraries.
The NVD integrations use data imported from the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) product to help you determine the impact and priority of flaws in your code. Run this integration as part of your initial setup of Vulnerability Response and prior to importing vulnerability data into your instance with a third-party scanner product.
Request apps on the Store
Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.
Available versions
| Release version | Release Notes |
|---|---|
| Vulnerability Response Integration with NVD v1.2 | |
Initial import of vulnerability data with the NVD and CWE integrations
- Perform an initial import of CWE data with the CWE Comprehensive 2000 Integration.
  See Configure and run the scheduled job for updating CWE records. By default, you perform CWE updates On Demand from the integration record, and you must configure it.
  Note: Schedule the CWE update to run prior to the NVD database update. The default day for the NVD update is Weekly on Monday.
- Verify the Vulnerability Response Integration with NVD application is installed and an initial data import from either the NIST National Vulnerability Database Integration - API (CVE only) or the NIST National Vulnerability Database Integration - API (CVE and CPE) is successful.
  For CPEs, verify an initial data import from the NIST National Vulnerability Database Integration - API (CPE only) is successful.
  Activation of this plugin on production instances may require a separate license. After the plugin is installed, the NIST National Vulnerability Database Integration - API (CVE only) is activated by default. It runs daily. See Install the Vulnerability Response Integration with the NIST National Vulnerability Database for more information.
- Third-party libraries are updated as scheduled jobs. Refer to your integration documentation at Vulnerability Response integrations for more information about third-party integrations.
Understanding imported vulnerability data and vulnerable items
In your ServiceNow AI Platform instance, each imported vulnerability is represented by a vulnerability entry in the source libraries of third-party scanner products such as Qualys. The vulnerable items (VIs) that are imported and updated in your instance are references to third-party libraries, such as the Qualys library. A third-party library can, in turn, reference back to the NVD.
For example, when you ingest third-party vulnerability data from a product like Qualys, you're ingesting VIs that reference a QID (Qualys Identifier). In the case of Qualys, that QID in turn references a CVE from the NVD library. When you click that QID in a remediation task or vulnerable item record in the Vulnerability Response application, and you've run the NVD and CWE integrations to ingest data, you are viewing current, enriched vulnerability data that lets you see the relationships that exist between your VIs and CVEs, CWEs, and CPEs.
Before you run a third-party scanner product like Qualys that has its own library, you must first install and run, at a minimum, the NIST National Vulnerability Database Integration - API (CVE only) integration (which also includes CISA-related details) and the CWE Integration to ingest vulnerability data. These NVD and CWE data imports enrich your Vulnerability Response or Application Vulnerability Response data prior to importing data with a third-party product.
For more information about managing the NVD, CWE, and third-party libraries and viewing them, see Importing data with the NVD and CWE integrations and managing third-party libraries and View Vulnerability Response vulnerability libraries.
After you verify the successful NVD import, to further enrich your vulnerability data, Configure and run the scheduled job for updating CWE records.
Perform the NVD and CWE imports prior to importing vulnerability data with a third-party product. Third-party libraries are updated as scheduled jobs. Refer to your integration documentation at Vulnerability Response integrations for more information about third-party integrations.
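The reference chain described in this section (scanner identifier to CVE, then CVE to CWE and CPE) can be modeled as follows. This is an added example, not ServiceNow code: the function names are hypothetical, every identifier and value is constructed, and the sample object assumes the field layout of an NVD CVE API 2.0 response.

```javascript
// Added illustration, not ServiceNow code. All identifiers and values are constructed.
// The object is shaped like an NVD CVE API 2.0 response.
const nvdResponse = { vulnerabilities: [{ cve: {
  id: "CVE-2099-0001",
  cisaExploitAdd: "2099-01-15", // present only when CISA lists the CVE
  weaknesses: [
    { description: [{ lang: "en", value: "CWE-79" }] },
    { description: [{ lang: "en", value: "NVD-CWE-noinfo" }] } // placeholder, not a CWE id
  ],
  configurations: [{ nodes: [{ cpeMatch: [
    { vulnerable: true, criteria: "cpe:2.3:a:example:widget:1.0:*:*:*:*:*:*:*" },
    { vulnerable: false, criteria: "cpe:2.3:o:example:os:*:*:*:*:*:*:*:*" }
  ] }] }]
} }] };

// Constructed third-party library: scanner identifier -> referenced CVEs.
const scannerLibrary = {
  "QID-900001": ["CVE-2099-0001"],
  "QID-900002": ["CVE-2099-0002"] // this CVE was never imported from NVD
};

// Index the NVD data by CVE, keeping the CWE and vulnerable-CPE relationships.
function buildNvdLibrary(response) {
  const lib = new Map();
  for (const { cve } of response.vulnerabilities || []) {
    const cwes = (cve.weaknesses || [])
      .flatMap(w => (w.description || []).map(d => d.value))
      .filter(v => /^CWE-\d+$/.test(v));
    const cpes = (cve.configurations || [])
      .flatMap(c => c.nodes || [])
      .flatMap(n => n.cpeMatch || [])
      .filter(m => m.vulnerable)
      .map(m => m.criteria);
    lib.set(cve.id, { cwes: [...new Set(cwes)], cpes, cisaListed: Boolean(cve.cisaExploitAdd) });
  }
  return lib;
}

// Resolve one scanner identifier; CVEs missing from the NVD library stay unenriched.
function enrichFinding(qid, scannerLib, nvdLib) {
  const cves = scannerLib[qid] || [];
  return {
    qid,
    enriched: cves.filter(id => nvdLib.has(id)).map(id => ({ cve: id, ...nvdLib.get(id) })),
    unresolved: cves.filter(id => !nvdLib.has(id))
  };
}

const nvdLibrary = buildNvdLibrary(nvdResponse);
console.log(JSON.stringify(enrichFinding("QID-900002", scannerLibrary, nvdLibrary)));
```

A non-empty `unresolved` list corresponds to scanner data that arrived before the matching NVD import and therefore carries no CWE or CPE context.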
Locating the NVD integrations
To view the NVD integrations, navigate to .
| Integration | Description |
|---|---|
| NIST National Vulnerability Database Integration - API (CVE only) | Retrieves only NIST NVD vulnerability data (CVE). By default, this integration is automatically set to run daily. |
| NIST National Vulnerability Database Integration-API (CPE only) | Retrieves CPE data from NIST NVD. This integration is inactive by default. Activate this integration if you want to capture CPE data that includes a formal name format, a method for checking names against a system, and a description format for binding text and tests to a name. This information is stored in Vulnerable Software. This integration is set to run daily and is inactive by default. To activate this integration, see Activate the NIST National Vulnerability Database–API (CPE only). |
| NIST National Vulnerability Database Integration-API (Unmapped CPE) | Retrieves CPE data associated with fetched CVE from NIST NVD. This integration is inactive by default. Activate this integration if you want to capture CPE data that includes a formal name format, a method for checking names against a system, and a description format for binding text and tests to a name. This information is stored in an NVD vulnerability entry record related list. This integration is set to run On Demand and is inactive by default. To activate this integration, see Activate the NIST National Vulnerability Database–API (Unmapped CPE). |
For integration run statuses, see View the (National Vulnerability Database) NVD integration import run status.