Vulnerability calculators and calculator groups

Vulnerability calculators are used to update record values when pre-defined conditions are met. The calculators are grouped based on the criteria used to determine how the records are updated.

Calculators have a set of filters to indicate which vulnerable items they apply to, and template fields containing the values to be set. They may also be written to use scripts for both of these items.

All enabled vulnerability calculators in the Vulnerability Calculator Group run each time a vulnerable item is changed or when the Calculate Business Impact related link in a vulnerable item is used. To avoid performance issues, every calculator should specify which values must have changed for it to run. For normal calculators, these values would look something like the following:
[Figure: Vulnerability calculator filters example]
In a scripted calculator, the equivalent condition looks like:
[Figure: Vulnerability calculator script include example]

The Vulnerability Response base system includes two Vulnerability Calculator Groups: Risk Score and Vulnerability Impact. The result is included as a field on the Vulnerable item form.

The vulnerability calculator called Basic Risk Score is contained in the Risk Score calculator group. Its purpose is to calculate the risk score of a vulnerable item. As written, it is based on business criticality and severity of the vulnerable item.

To work properly, this calculator requires the Service Mapping plugin. (Service Mapping is available as a separate subscription and requires activation by ServiceNow personnel.)

You can modify it to calculate a score based on whatever risk factors you want. For example, you may have CI data indicating that it is external-facing, posing a greater risk to your environment than internal-facing. That situation can be used as a factor.

When the computation is complete, the updated criticality is displayed in the Risk Score field of the Vulnerable Item screen.

The vulnerability calculator called Score and Service Based Impact is contained in Vulnerability Impact. Its purpose is to calculate the business criticality of a vulnerable item. It is based on the CVSS of the item and the criticality level of the most impacted business service. For more information on the CVSS, see the NVD website.

From an existing vulnerable item, if you click the Calculate Business Impact related link and Risk Score and Score and Service Based Impact are enabled, you get an on-demand calculation of the business criticality of the vulnerable item.
Note: The Calculate Business Impact related link is only visible when at least one vulnerability calculator is enabled.

Vulnerability calculators can prioritize and categorize vulnerabilities based on any custom criteria you want to use. For example, when the Score and Service Based Impact calculator is enabled, it prioritizes based on the importance of the business services relying on an affected CI. It is useful if the Business Services plugin is installed and Business impact is set to reflect your business priorities.

Calculators can be built to prioritize and rate the impact of Vulnerable Items based on any criteria you like, whether it is the business impact of the vulnerability, the class of the CI, or the age of the Vulnerable Item. A calculator can be written to reflect any set of priorities.

Note: The Score and Service Based Impact calculator is disabled by default. For more information, see "Disable the default vulnerability calculator if not used".

How the Score and Service Based Impact calculator works

When a new vulnerable item is created, the Score and Service Based Impact calculator runs the following script:
var ciu = new global.CIUtils();
var services = ciu.servicesAffectedByCI(current.cmdb_ci.toString());
var hasSvc = false;
if (services.length > 0) {
    // Look up the affected services that have a business criticality set
    var svc = new GlideRecord("cmdb_ci_service");
    svc.addQuery("sys_id", "IN", services.join(","));
    svc.addNotNullQuery("busines_criticality"); // typo intended
    // Order with the most critical services first, so the first row is the most impacted one
    svc.orderBy("busines_criticality");
    svc.query();
    hasSvc = svc.next();
}
if (!hasSvc) {
    // Always set to lowest if there are no impacted services (or if none with criticality/impact set)
    current.business_criticality = 3; // lowest
} else {
    var svcCritChoices = GlideChoiceList.getChoiceList("cmdb_ci_service", "busines_criticality");
    var svcCritSize = svcCritChoices.getSize();
    var viCritChoices = GlideChoiceList.getChoiceList("sn_vul_vulnerable_item", "business_criticality");
    var viCritSize = viCritChoices.getSize();

    // Map the service criticality choice (1 = most critical) to a weight out of 100
    var bc = svc.getValue("busines_criticality");
    var bcWeight = 0;
    for (var i = 1; i <= svcCritSize; i++) {
        if (bc.startsWith(i))
            bcWeight = (svcCritSize + 1 - i) * 100 / svcCritSize;
    }
    // The remainder of the script is not shown on this page; as described below,
    // it uses the weight from the CVSS score to compute the new criticality.
}

The script performs the following functions:
  • First, it creates a list of all CIs that are linked to the vulnerable item and any business services that are marked as depending on the CI.
  • It queries and gets results of services that have business criticality (where criticality is not null), and orders them with the most critical ones first.
  • It gets the choice lists for the vulnerable item and business criticality fields.
  • If there are no business services in the list, the criticality is set to the lowest level.
  • If there are business services in the list, the business criticality for all services is calculated.
  • The weight of each vulnerable item is picked up from its CVSS score and is used to compute the new criticality.

When the computation is complete, the updated criticality is displayed in the Business impact field of the Vulnerable Item screen.

To prevent performance issues, when creating a calculator specify exactly when your severity calculator should or should not run. For example, when enabled, the Score and Service Based Impact calculator only runs when both a configuration item and vulnerability are present and if one of these items has changed. If neither has changed, there is no reason to assume that severity has changed. This specification is important if you have a script-based calculator.

If you create a calculator that uses a condition that checks whether values have changed, those conditions are removed when you click the Calculate Business Impact related link. The system assumes that by clicking the link you want to run the calculator even though items have not changed. If your calculator uses an Advanced condition, those conditions are not changed. To write a script that only considers whether something changed when an item is updated, see the Score and Service Based Impact script code as an example.
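The run condition and the service-criticality weighting described above, as an added example in plain JavaScript that runs outside the platform (it is not ServiceNow's own code). The names field, shouldRun and criticalityWeight, the vulnerability field name, and the sample choice labels are assumptions made for illustration; nil() and changes() stand in for the platform's element methods of the same name.

```javascript
// Added example: stand-ins for a vulnerable item record, so the logic can be run in Node.
// field(), shouldRun() and criticalityWeight() are hypothetical helpers, not platform APIs.

// Minimal stand-in for a record field: nil() and changes() mirror the platform methods.
function field(value, changed) {
  return {
    nil: () => value === null || value === undefined || value === "",
    changes: () => Boolean(changed),
    toString: () => String(value),
  };
}

// Run gate: a CI and a vulnerability must both be present, and on an ordinary
// update at least one of them must have changed. The on-demand related link
// drops the "changed" part of the condition but not the presence checks.
function shouldRun(current, onDemand) {
  if (current.cmdb_ci.nil() || current.vulnerability.nil()) return false;
  if (onDemand) return true;
  return current.cmdb_ci.changes() || current.vulnerability.changes();
}

// Weight from the script's loop: choice i of n maps to (n + 1 - i) * 100 / n,
// so the most critical choice gets 100 and the least critical gets 100 / n.
// A value matching no choice keeps the initial weight of 0.
function criticalityWeight(bc, choiceCount) {
  let weight = 0;
  for (let i = 1; i <= choiceCount; i++) {
    if (String(bc).startsWith(String(i))) {
      weight = (choiceCount + 1 - i) * 100 / choiceCount;
    }
  }
  return weight;
}

// Constructed sample: the vulnerability reference changed, the CI did not.
const sample = {
  cmdb_ci: field("constructed-ci-sys-id", false),
  vulnerability: field("constructed-vuln-sys-id", true),
};
console.log(shouldRun(sample, false), criticalityWeight("2 - somewhat critical", 4));
```

With a four-level choice list the weights come out as 100, 75, 50 and 25, which makes it easy to see how adding or removing a criticality choice shifts every service's contribution.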