    Vulnerability Response upgrade information

    ServiceNow® Vulnerability Response application upgrade information for the Orlando release.

    If you're upgrading from a previous version of Vulnerability Response, the initial Orlando version is available immediately in your instance. All updates to Vulnerability Response are only available in the ServiceNow Store.
    Note: This process applies only to applications downloaded to production instances. If you're downloading applications to sub-production or development instances, it's not necessary to get entitlements. Proceed to Activate a ServiceNow Store application.
    • Versions 9.0 (platform upgrade only), 10.0, 10.3, 11.0, 12.0, 12.1, 12.2, and 13.0 of Vulnerability Response are compatible with Orlando.
    • For new features of the Vulnerability Response application in the Orlando release, see Vulnerability Response release notes.
    • For new features and upgrade information for third-party integrations from the ServiceNow Store with Vulnerability Response for the Orlando release, see Vulnerability Response integrations release notes.
    • For more information about released versions of the Vulnerability Response application, compatibility with Orlando, and schema changes, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes.
    Important:

    Vulnerability Response is available in the ServiceNow Store. For details, see the "Activation information" section of these release notes.

    Table 1. Upgrades to version 13.0 of Vulnerability Response
    Version Upgrade information
    13.0 The following features were fixed or enhanced:
    • Domain separation support for the Reapply Calculator feature.
    • The App-Sec-Manager role has permission to cancel an Application Vulnerability Integration run.
    • Performance enhancements for updates to the vulnerability entry rollup of the Vulnerability Rollup calculator.
    • Domain separation support for the exception rule in Exception Management.
    • The Reapply remediation target rule job works as expected when the BETWEEN operator is used in the condition builder.
    • False positive Until date validation works as expected.
    • The Cancel Exception rule works as expected.
    • Domain separation support for the auto-close VI feature.
    Case-sensitivity in the condition builder
    By default (Case sensitive check box disabled), the search text you enter is not case-sensitive in the condition builder. Enable or disable case-sensitivity for the rule-matching text you enter in the following forms and records: assignment rules, group rules, remediation target rules, CI lookup rules, and vulnerability calculators. You might find that entering filter text that is not case-sensitive negatively impacts your performance.
    Deprecated: The NVD integrations in Vulnerability Response prior to v13.0
    This feature has been deprecated in favor of the Vulnerability Response integration with NVD available in the ServiceNow Store. See the New REST-based NVD Integrations [KB0870291] article for more information.
    Table 2. Upgrades to version 12.0 through 12.2 of Vulnerability Response
    Version Upgrade information
    12.2 Fixes for performance issues related to concurrency processing of remediation target rules and other minor defect fixes.
    12.1 With v11.1 of Policy and Compliance Management, you can use new policy exception capabilities in GRC: Policy and Compliance Management from within v12.1 of the Vulnerability Response application.

    To use demo data with this feature, upgrade Policy and Compliance Management before upgrading Vulnerability Response. If you've already upgraded Vulnerability Response before Policy and Compliance Management, and you want to use this feature, perform the upgrade procedures again in the correct order. For more information, see Allow policy exception requests from other applications.

    Use the Identification and Reconciliation Engine (IRE) to create new CIs when an existing CI cannot be matched with a host imported from a vulnerability assessment product. Note the following changes:
    • The CMDB CI Class Models application dependency is installed automatically with Vulnerability Response for the new CMDB classes. This dependency may take some time to install.
    • As part of the CMDB CI Class Models application, two new classes, Unclassed Hardware and Incomplete IP Identified Device, replace the Unmatched CI class when unmatched CIs are created.
    • Incomplete IP Identified Device is used when only the IP address is received in the host information from the scanner.
    • Unclassed Hardware is used when at least one additional attribute, for example, DNS, netBIOS, or MAC_ADDRESS, is included with the IP address in the host information received from the scanner.
    • Dependent CI (Network Adaptor and IP Address) is created when both the IP address and MAC address are in the payload received from the scanner.
    12.0 With v11.0 of Policy and Compliance Management, you can use new policy exception capabilities in GRC: Policy and Compliance Management from within v12.0 of the Vulnerability Response application.

    To use demo data with this feature, upgrade Policy and Compliance Management before upgrading Vulnerability Response. If you've already upgraded Vulnerability Response before Policy and Compliance Management, and you want to use this feature, perform the upgrade procedures again in the correct order. For more information, see Allow policy exception requests from other applications.

    Table 3. Upgrades to version 11.0 of Vulnerability Response
    Version Upgrade information
    11.0 With v10.1 of Policy and Compliance Management, you can use new policy exception capabilities in GRC: Policy and Compliance Management from within v11.0 of the Vulnerability Response application.

    To use demo data with this feature, upgrade Policy and Compliance Management before upgrading Vulnerability Response. If you've already upgraded Vulnerability Response before Policy and Compliance Management, and you want to use this feature, perform the upgrade procedures again in the correct order. For more information, see Allow policy exception requests from other applications.

    Table 4. Upgrades to versions 10.0 through 10.3 of Vulnerability Response
    Version Upgrade information
    10.0 and 10.3 The process described in KB0819117 to create change requests and use change management with ITSM legacy Change Management plugins is now fully supported.
    10.3 Starting with version 10.1 of GRC: Policy and Compliance Management, you can use new policy exception capabilities in GRC: Policy and Compliance Management from within v10.3 of the Vulnerability Response application.

    To use demo data with this feature, upgrade Policy and Compliance Management before upgrading Vulnerability Response. If you've already upgraded Vulnerability Response before Policy and Compliance Management, and you want to use this feature, perform the upgrade procedures again in the correct order. For more information, see Allow policy exception requests from other applications.

    10.0 The Vulnerability Group Rules (VGR) form views have been revised. If you've customized your rules form, the new fields are not available and your customized version may no longer work to create new rules. Customization prevents some updates from taking place. Existing customized rules still work; however, they're displayed on the new form. To use the new form fields after upgrade, see KB0815967 for instructions on enabling the new form.
    10.0 If, after you upgrade to or install version 10.0, the VI age is not displayed in Days/Hours/Minutes format (for example, 9 Days, 18 Hours, 29 Minutes) in the Vulnerable Items list view and in the Age and Age closed fields on active VI (VIT) records, the Age column is not current in your instance. For more information about how to resolve this issue after an upgrade, see KB0749231.
    Table 5. Upgrades to version 9.0 Vulnerability Response and earlier
    Version Upgrade information
    9.0 Ignore some configuration item (CI) classes by setting the ignoreCIClass [sn_sec_cmn.ignoreCIClass] system property. While this property is present after upgrade, it doesn't work automatically. For upgrade instructions on how to enable this functionality, see KB0788209.
    9.0 The process described in KB0819117 to create change requests and use change management with ITSM legacy Change Management plugins is now fully supported.
    8.0 (London) The VR Setup Assistant module is overwritten with an incorrect URL. When upgrading from Madrid v7.0 to v8.0 Vulnerability Response on the Paris platform, a duplicate Setup Assistant module appears. See KB0749805 to remove the redundant module and fix the incorrect URL issue.
    Prior to Madrid If you've installed a version of Vulnerability Response prior to Madrid, you don't need to install the Vulnerability Response Dependencies (com.snc.vul_dep) plugin prior to installing the Vulnerability Response update.

    If you upgraded from a version of Vulnerability Response before Madrid, your original Overview page becomes the Overview (Legacy) module in the application navigator. If you created a customized home page overview, the overview is overwritten by the new reports dashboard. To access your customized home page, create a new module for your customized home page and add it to the Vulnerability Response application.

    Kingston and earlier
    During upgrade, the Vulnerable Item table is reparented to improve performance. If you have a large number of vulnerable items, the upgrade process may take additional time. No special handling is needed; however, stop any Vulnerability Response activities prior to the upgrade and record your vulnerable item count.
    • Once complete, verify that your pre- and post-upgrade vulnerable item counts match. For more information on the impact of reparenting, see the Upgrade impact of reparenting change in the Kingston release [KB0680550] article in the ServiceNow® HI Knowledge Base. For information on the upgrade impact to existing instances, see the Vulnerability Response: FAQ for Kingston Upgrade [KB0680543] article in the HI Knowledge Base. This information does not apply if you upgrade from Kingston to this release. For Kingston release information, see the Kingston Vulnerability Response release notes.
    • If you're upgrading from Kingston, existing CI Identifier Rules are disabled by default, but not removed. These rules appear in Security Operations > CMDB > CI Lookup Rules. To reenable, open a rule and enter values for the Source and Source field fields, select the Active check box, and click Submit.

    Unmatched configuration items (CIs) imported from Kingston or earlier versions of Qualys and Rapid7 are transferred and listed in the Discovered Items module during upgrade. However, these unmatched CIs cannot be reclassified using the Reclassify button. Unmatched CIs must be reclassified manually. To manually reclassify the CIs, see Manually reclassify unmatched configuration items from Discovered Items.
