Configuring the Deps.dev, OSV.dev, and PaCE integrations for Software Bill of Materials

  • Release version: Zurich
  • Updated September 9, 2025

    You can edit some of the parameters for the Deps.dev and OSV.dev integrations. There are also two code trigger versions of these integrations that are used strictly for internal workflows, and you should not initiate these integrations on-demand. Additionally, you can activate a scheduled job to create policies using Policy as Code Engine (PaCE).

    Code trigger integrations for internal workflows

    Starting with v3.2 of SBOM Response, performance enhancements included the addition of two OSV.dev and Deps.dev code-trigger integrations:
    • OSV Integration (on-demand code trigger)
    • Deps.dev Integration (on-demand code trigger)
These integrations are initiated automatically by internal workflows and are for internal use only. Although you can locate them, you must not initiate these integrations on-demand with the Execute Now button from their integration records.

    Configuring the run schedule for the Deps.dev Integration

The Deps.dev Integration is installed with SBOM Response. The integration is activated (Active check box selected on the integration record) by default and scheduled to run weekly. Note that this is not the on-demand Deps.dev code trigger integration; you can edit the schedule and initiate the scheduled job on-demand from its integration record.

    To modify the schedule, navigate to All > Vulnerability Response > Administration > Integrations > Deps.dev Integration. The sn_vul.app_configure_integrations role is required to edit the schedule of this integration.

This Deps.dev integration is used to identify components that are in the Stale and Abandoned states. A component is stale when its version is both more than two major versions behind the latest version and two years behind it. A component is abandoned when it has not been updated for more than two years. The two-year and two-version thresholds can be edited with system properties. To edit these parameters, navigate to All > System Properties > All Properties and locate the following records:
    • sn_sbom_resp.pkg_abandoned_threshold
    • sn_sbom_resp.pkg_stale_threshold
    • sn_sbom_resp.pkg_stale_version_threshold

    The threshold values for abandoned and stale are in months. The threshold value for version is numerical.
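The following is an added example, not ServiceNow's own integration code, that shows how the three thresholds combine to classify a component. The threshold values mirror the documented defaults (two years expressed as 24 months, two major versions), and the package records, the evaluation date and the rule that an abandoned check is applied before the stale check are constructed assumptions for illustration.

```javascript
// Added example (not ServiceNow's own code): classifies package groups as
// Stale, Abandoned or Current from the three sn_sbom_resp.* thresholds.
// Values mirror the documented defaults: 24 months and 2 major versions.
const THRESHOLDS = {
  abandonedMonths: 24, // sn_sbom_resp.pkg_abandoned_threshold (months)
  staleMonths: 24,     // sn_sbom_resp.pkg_stale_threshold (months)
  staleVersions: 2,    // sn_sbom_resp.pkg_stale_version_threshold (count)
};

const NOW = '2025-09-09'; // constructed evaluation date

// Constructed sample package groups; names, versions and dates are illustrative.
const SAMPLE_PACKAGES = [
  { name: 'example-utils',  installedVersion: '2.0.0', installedReleasedAt: '2021-01-15',
    latestVersion: '5.1.0', latestReleasedAt: '2025-06-01' },
  { name: 'example-legacy', installedVersion: '1.2.0', installedReleasedAt: '2019-03-01',
    latestVersion: '1.4.0', latestReleasedAt: '2022-08-10' },
  { name: 'example-fresh',  installedVersion: '3.0.0', installedReleasedAt: '2024-11-01',
    latestVersion: '3.2.0', latestReleasedAt: '2025-08-20' },
  { name: 'example-rapid',  installedVersion: '1.0.0', installedReleasedAt: '2025-01-05',
    latestVersion: '4.0.0', latestReleasedAt: '2025-08-01' },
];

// Leading major number of a semver-style string ("v5.1.0" -> 5).
function majorVersion(version) {
  const m = /^v?(\d+)/.exec(String(version));
  if (!m) throw new Error(`unparseable version: ${version}`);
  return Number(m[1]);
}

// Whole calendar months from earlierIso to laterIso (ISO dates parse as UTC).
function monthsBetween(earlierIso, laterIso) {
  const a = new Date(earlierIso), b = new Date(laterIso);
  return (b.getUTCFullYear() - a.getUTCFullYear()) * 12 + (b.getUTCMonth() - a.getUTCMonth());
}

// Assumption: a package with no release for longer than the abandoned
// threshold is reported as Abandoned before the stale rule is evaluated.
function classifyComponent(pkg, nowIso = NOW, thresholds = THRESHOLDS) {
  const idleMonths = monthsBetween(pkg.latestReleasedAt, nowIso);
  if (idleMonths > thresholds.abandonedMonths) return 'Abandoned';

  // Stale requires BOTH conditions: versions behind and time behind the latest.
  const versionsBehind = majorVersion(pkg.latestVersion) - majorVersion(pkg.installedVersion);
  const monthsBehind = monthsBetween(pkg.installedReleasedAt, pkg.latestReleasedAt);
  if (versionsBehind > thresholds.staleVersions && monthsBehind > thresholds.staleMonths) {
    return 'Stale';
  }
  return 'Current';
}

// Returns { packageName: status } for every package in the list.
function classifyAll(packages = SAMPLE_PACKAGES, nowIso = NOW, thresholds = THRESHOLDS) {
  return Object.fromEntries(packages.map(p => [p.name, classifyComponent(p, nowIso, thresholds)]));
}

console.log(classifyAll());
```

The fourth sample package is three major versions behind but only seven months behind in release date, so it stays Current: raising only the version threshold or only the month threshold does not by itself change how quickly a fast-moving dependency is reported.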

    You can view imported data on the Home page of the workspace and in the BOM Queue module. Imported data is stored in the Package Groups [sn_sbom_pkg_group] table.

    Configuring and initiating the OSV.dev Integration - Comprehensive

    The OSV.dev Integration - Comprehensive integration is installed with SBOM Response. The integration is activated (Active check box selected on the integration record) by default. Note that this is not the on-demand OSV.dev code trigger integration, and you must initiate this integration on-demand from its integration record.

    To configure and initiate this integration, navigate to All > Vulnerability Response > Administration > Integrations > OSV.dev Integration - Comprehensive. The sn_vul.app_configure_integrations role is required.

You can view imported data on the Home page of the workspace, on the Vulnerability tab of records opened from the Entities list, and in the Libraries module. Imported data is stored in the Application Vulnerable Entries [sn_vul_app_vul_entry] and the National Vulnerability Database Entries [sn_vul_nvd_entry] tables.

    Note:
You can configure the OSV.dev batchSize integration parameter on the Integration Parameters tab of the Open Source Vulnerabilities Instance, located at All > Vulnerability Response > Administration > Integrations > Vulnerability Integrations > Open Source Vulnerabilities Instance. The default is 75 PURLs per API call.

    You might prefer to leave this value in its default setting. Altering the value might impact performance.
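The following is an added example, not ServiceNow's or OSV.dev's own integration code, that shows what the batchSize parameter controls: how a list of PURLs is split into request bodies for the public OSV.dev /v1/querybatch endpoint, how many API calls a given batch size produces, and how each result is matched back to the PURL that was sent (results are returned in query order). No network call is made; the PURL list and the response are constructed, and the vulnerability ids in it are placeholders.

```javascript
// Added example (not ServiceNow's or OSV.dev's code): batching PURLs for
// the OSV.dev /v1/querybatch API and mapping results back to PURLs.
const DEFAULT_BATCH_SIZE = 75; // documented default for batchSize

// Constructed PURL list: 200 placeholder npm packages.
const SAMPLE_PURLS = Array.from({ length: 200 }, (_, i) => `pkg:npm/example-package-${i}@1.0.0`);

// Split purls into querybatch request bodies of at most batchSize queries.
function buildQueryBatches(purls, batchSize = DEFAULT_BATCH_SIZE) {
  if (!Number.isInteger(batchSize) || batchSize < 1) {
    throw new RangeError('batchSize must be a positive integer');
  }
  const batches = [];
  for (let i = 0; i < purls.length; i += batchSize) {
    const chunk = purls.slice(i, i + batchSize);
    batches.push({ queries: chunk.map(purl => ({ package: { purl } })) });
  }
  return batches;
}

// Round-trips needed for purlCount PURLs: the cost that changing batchSize moves.
function apiCallsFor(purlCount, batchSize = DEFAULT_BATCH_SIZE) {
  return Math.ceil(purlCount / batchSize);
}

// querybatch returns results[i] for queries[i]; a query with no findings
// comes back as an empty object. Verify the counts line up before trusting
// the positional mapping, then return { purl: [vuln ids] }.
function mergeBatchResults(batchRequest, batchResponse) {
  const queries = batchRequest.queries;
  const results = batchResponse.results || [];
  if (results.length !== queries.length) {
    throw new Error(`response has ${results.length} results for ${queries.length} queries`);
  }
  const byPurl = {};
  queries.forEach((q, i) => {
    byPurl[q.package.purl] = (results[i].vulns || []).map(v => v.id);
  });
  return byPurl;
}

// Constructed response for a batch of the first three sample PURLs;
// "EXAMPLE-VULN-*" ids are placeholders, not real advisories.
function demoMerge() {
  const request = buildQueryBatches(SAMPLE_PURLS.slice(0, 3), 3)[0];
  const response = {
    results: [
      { vulns: [{ id: 'EXAMPLE-VULN-0001', modified: '2025-01-01T00:00:00Z' }] },
      {},
      { vulns: [{ id: 'EXAMPLE-VULN-0002' }, { id: 'EXAMPLE-VULN-0003' }] },
    ],
  };
  return mergeBatchResults(request, response);
}

console.log(`${SAMPLE_PURLS.length} PURLs -> ${apiCallsFor(SAMPLE_PURLS.length)} calls at batch size ${DEFAULT_BATCH_SIZE}`);
console.log(demoMerge());
```

With the default of 75, the 200 constructed PURLs take three calls; lowering batchSize to 25 raises that to eight calls for the same data, which is the performance effect the note above warns about.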

    Activating PaCE

    Starting with version 4.0 of SBOM Response, you can view components that are identified as stale or abandoned as ‘Non-compliant’ in the Policy as Code Engine (PaCE) interface that is available in the SBOM Workspace.

    • Determine if components are stale or abandoned with the Run PaCE policies for SBOM Response scheduled job. This scheduled job is deactivated by default.
    • View components that are identified as stale or abandoned as Non-compliant in the PaCE interface that is available and viewed in the SBOM Workspace.

    See Integrating PaCE with other applications for more information about PaCE and PaCE policies.