Version history for the Vulnerability Response Data Model for SBOM application on the ServiceNow Store.

Important: For details on system requirements and family compatibility, view the application listing on the ServiceNow Store website.

Version history

Version 6.2.2 - June 2025
Fixed an issue in OSV integration where conflicts arose with existing NVD entries due to CVE IDs in the payload, resulting in broken component-vulnerability links. The integration now handles such cases to prevent duplicate or invalid records. Improvements to deps.dev Integration - Optimized the sorting logic for package version lists and replaced the onComplete script with a Business Rule triggered on version updates, improving performance and accuracy in stale/abandoned package detection. OSV Integration Optimization - Removed unnecessary caching to reduce memory usage and prevent potential out-of-memory issues during large data processing. Business Application Population Enhancement - Now populating business_application on AVIT and app release records only when the associated component has a business application, aligning with customer requirements.
Version 6.1.0 - May 2025
Fixed an issue where AVI counts on components were not updating after AVIT creation via SBOM AVI rules.
Version 6.0.1 - February 2025
  • New:
    • Improvements to the Software Bill of Materials Workspace permit you to delete multiple BOM entity records and their related components from the Home (landing) page with bulk edit.
    • Any Application Vulnerable Items (AVIT)s that are associated with the BOM entities you delete automatically transition to 'Closed'.
Version 5.0.5 - December 2024
Minor fixes for this release.
Version 5.0.3 - November 2024
  • New:
    • Improvements to the SBOM Response application to help you determine your over-all license compliance and risk exposure to the open-source and vendor-supplied software components you use in your application development:
      • View all the licenses that are used in your organization in the License administration module.
      • Classify existing licenses as: "Permitted", "Restricted", "Banned", or "Unclassified", and create new licenses.
      • For unassigned or missing licenses, you can manually assign licenses to components used by your applications.
Version 4.0.5 - October 2024
  • New:
    • 'Closed' AVITs will not transition to 'Open' if AVITs have the substates: 'Mitigation Control in Place', 'Not Affected', or 'False Positive'.
    • The sn_sbom_resp.reopen_avits_if_detected system property for this feature is activated by default.
    • Set the value of the sn_sbom_resp.reopen_avits_if_detected system property to 'false' if you do not want 'Closed' AVITs to reopen automatically.
Version 4.0.3 - August 2024
New: View components that are identified as stale or abandoned as Non-compliant' in the Policy as Code Engine (PaCE) interface that is available in the SBOM Workspace.
Version 3.3.0 - June 2024
New: Data Model changes to accommodate the Vulnerability Intelligence integration.
Version 3.2.3 - May 2024
  • New:
    • Upload SBOM files for the CycloneDX and SPDX standards.
    • XML and JSON formats are supported for CycloneDX for versions up to and including v1.4.
    • JSON format is supported for SPDX for versions up to and including v2.3.
    • Performance enhancements in the SBOM Workspace for the BOM Entities and Components pages. You might experience faster load times for the Home and Components modules in the SBOM Workspace.
Version 3.1.3 - February 2024
  • New:
    • Updated Overview tab for the application vulnerable item (AVIT) record enables you to view the following data:
      • Details.
      • Associated vulnerability.
      • SBOM component.
      • Discovered application.
    • Added the Fixed versions related list on the AVIT record.
  • Changed:
    • Enhancements to integration processing for OSV.dev and Deps.dev.
    • Condition builder on the AVIT creation rules form that enables you to add rule conditions for applications, vulnerabilities, business application, and components.
  • Removed: Deactivated remediation task rules for SBOM AVITs. You can activate this feature for SBOM AVITs with a system property.
Version 3.0.3 - November 2023
  • New:
    • Supports the Deps.dev and OSV.dev integrations that are included with the SBOM Response application that you can run on-demand.
      • OSV.dev provides vulnerability intelligence information for a given version of a package or library.
      • Deps.dev provides a version list for a given package or library and package intelligence for Stale and Abondoned components.
    • Supports the third-party Snyk Vulnerability Insights integration that can provide you with information for how to fix components with vulnerabilities. This integration is not included with SBOM Response but is available in the ServiceNow Store.
    • Uploaded data extracted from these vulnerability intelligence integrations is dispalyed on the SBOM Response workspace dashboard and in the list and form views of the components.
      • View components that are 'Stale' and 'Abandoned'.
      • View the current and latest versions of the BOM Components.
      • View Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) data for components broken down by severity.
Version 2.0.6 - September 2023
  • New:
    • The data model is updated so it supports the Vulnerability Intelligence use case.
    • Discovered application and SBOM component are two new fields displayed on the AVI form.
    • Mark as false positive and Request exception are supported on AVIs in the SBOM Workspace.
  • Changed:
    • Fewer fields are supported in the condition builder for AVI creation rules in the SBOM Workspace.
Version 2.0.5 - August 2023
Initial release: SBOM Response provides you with visibility into the risks with using open-source components in your organization. You can respond to identified risks with the workflow and automation capabilities of the NOW Platform.