Identify applications in Application Vulnerability Response automatically

When data is imported from a third-party integration, Application Vulnerability Response automatically uses application data to search for matches in the Configuration Management Database (CMDB). It does this using CI Lookup Rules. These rules identify applications for the application vulnerable item (AVI) record to aid in remediation.

As applications are imported, a lookup is performed on the Scanned Application [sn_vul_app_scanned _application] table using source_app_id and app_name to find matches to applications from prior imports. When an application ID match is found, its values are used in the Application and App release fields in the application vulnerable item record.

If a match is not found, or the application ID field is empty, the rules use the other application information to attempt to correctly identify the application. If a match is still not found, a placeholder scanned application record is created with only Application name and Application ID fields.

The Source Application Id and Application Name lookup rules are shipped with the Veracode Vulnerability Integration, by default.

Note: Default CI lookup rules for Application Vulnerability Response are available only for the Veracode Vulnerability Integration.
When attempting a match, the lookup rules are evaluated by lowest Order value first. They stop when a rule returns a single CI as a match.
Note: If a rule is created in such a way that it returns more than one CI, only the first match is used.

To make it easier to find matching issues, when a match is found, the CI lookup rule used to find it is added to the CI matching rule field for Scanned Applications. Click the Update Personalized List gear gear icon icon at the top of the Scanned Application list view to add it to the view.

Note: Rules, once removed, cannot be recovered. Rather than removing existing rules, deactivate them when creating new ones.
CI lookup rules can be domain separated and are source-specific. If supported, each source could have multiple deployments. For example, the Veracode Vulnerability Integration, can have multiple deployments of the Veracode Vulnerability Integration. Each deployment has its own set of CI Lookup Rules.
Note: CI lookup rules are shared by all deployments of the vulnerability integration. If a rule is deleted or modified, the deletion or changes affect all deployments of the vulnerability integration.

Importing vulnerability data can be taxing on an instance and performance issues with resources can occur if rules are not carefully constructed. The logic used to iterate through and perform matching within the CMDB can result in lengthy processing times. To avoid any potential degradation of resources or performance complications, test any custom-written CI Lookup Rules or modifications to pre-defined CI Lookup Rules. See Prevent duplicate or orphaned records after running Application Vulnerability Response CI lookup rules for more information on preventing duplicate orphan records, deleting data, and cleaning up data.