Skip to main content

Sonatype for ServiceNow

This guide walks through the functionality of the Sonatype for ServiceNow integration for Lifecycle, including where the data can be found within ServiceNow’s Application Vulnerability Response.


  • An active license for Sonatype Lifecycle (SaaS, Private Cloud, or Self-Hosted) version 173 or later is required to utilize the integration

  • The target ServiceNow environment requires the Application Vulnerability Response (AVR) version 20.0.2 or newer to be installed (now bundled as part of “Vulnerability Response”)


The integration is certified for Utah and later versions of ServiceNow, as well as Application Vulnerability Response version 20.0.2 and newer. While previous versions of the Application Vulnerability Response modules may work, we recommend updating to the latest version for optimal integration.

Users should be familiar with the basic administration and usage of the ServiceNow platform.

For help with the ServiceNow platform, consult the ServiceNow documentation or raise a ticket with the ServiceNow support team.

It is recommended to utilize ServiceNow’s NVD integration to populate the CVE and CWE tables. This provides contextual data on any vulnerable items created by the integration.


Obtaining API Access

Before configuring the integration we recommend generating an API User Code and Passcode from within the Lifecycle server. Look for the option Manage User Token in the user menu in the upper right corner within Lifecycle, and then choose Generate User Token on the display popup.

See the documentation on User Tokens for more information.

Installing the Integration

  1. Verify that the pre-requisite Vulnerability Response application is installed in ServiceNow.

    1. Browse to System Applications > All Available Applications > All.

    2. Search for Vulnerability Response.

  2. Navigate to the ServiceNow Store

    1. Search for Sonatype Application Vulnerability Response Integration

    2. Select Get in the upper right

    3. Follow the on-screen prompts

After the application is installed, you will be able to find it in the lefthand application navigator by searching for Sonatype.


Configuring the Integration

  1. Open Security Operations > Integration Configurations

  2. Locate the Sonatype Application VR Integration tile and click on Configure to perform the initial setup

  3. On the configuration pop-up, enter the “Base URL” for your Sonatype Lifecycle instance, as well as the “User Code” and “Passcode” for API access that was provisioned in the Obtaining API Access section.

    Make sure the "Base URL" includes the API prefix '/api/v2' in the following format: https://<base url>/api/v2


Setting the Integration Frequency

All of the components within the Sonatype integration can be scheduled as desired in your environment as well as triggered manually. To review the standard configuration, open the ServiceNow application navigator menu and locate Sonatype App VR Integration > Admin > Integrations.

Here you will find four integrations:

  1. Sonatype Organizations Integration

    Imports the Organizations from Sonatype into the Sonatype Organization table (x_sonat_avr_organization) within ServiceNow.

  2. Sonatype Applications Integration

    • Imports Applications from Sonatype into the Discovered Applications table within Application VR in ServiceNow.

    • This will also utilize CI Lookup rules to match the incoming applications against the Product Models or Business Applications in the CMDB. (Use App VR’s “sn_vul.use_product_model” property to configure which table is referenced.)

  3. Sonatype Scan Summary Integration

    Imports application SCA reports from Sonatype, including statistics about the contents of the report rolled up into a “Scan Summary” that will be related to the Discovered Application.

  4. Sonatype Application Vulnerable Item Integration

    Imports application SCA reports from Sonatype, breaking them down into individual software components/packages and the licenses and vulnerabilities associated with them.


By default, the integrations are chained together such that they will automatically run when the previous run completes:

Sonatype Organizations Integration -> Sonatype Applications Integration -> Sonatype Scan Summary Integration -> Sonatype Application Vulnerable Item Integration.

It is recommended to maintain this sequence as it ensures dependent data from earlier integrations is available for those that follow.

Adjust the timing of the integration by opening the Organizations integration and then setting the Run field to the desired frequency. It is recommended to set the frequency of imports according to the frequency of reports in your Sonatype environment. This has been set to Daily by default.

Execute the Integration Manually (optional)

It is also possible to execute an integration manually. Open any given integration and select the “Execute Now” button. A new row will appear in the “Integration Runs” related list on the integration, which will be dynamically updated with the status as the integration runs.

CI Lookup Rules

Basic Configuration Item (CI) Lookup Rules are provided to match the CMDB based on the name of the application as well as the less likely (but more reliable scenario) where the Application IDs from Sonatype are mapped to CIs and can be used for matching.

These rules can be found under Security Operations > CMDB > Lookup Rules.


These rules will help to identify the attributes coming from Sonatype and how they can be used in other more complicated rules that may match your organization’s CMDB structure and Discovery tools.


Security Roles

The integration includes two roles to help govern access to the base integration features. Importantly, these roles don’t grant specific privileges within Vulnerability Response, so these roles are only meant to supplement users’ existing App VR roles.




Gives access to the Sonatype integration menu and modules for viewing App Vulnerable Items created by the integration as well as reports against them. This role may be unnecessary in production for users already maintaining their AVIT queues through the standard App VR menus

x_sonat_avr. admin

This role provides access to all the Sonatype menu items, including links to App VITs, Discovered Applications, and Scanned Applications created by the integration as well as the ability to configure the integration, review logs, and contact Sonatype support.


Several reports are included to give statistics and trends around the information imported from the Sonatype integration. These reports are also available on a dashboard included in the Sonatype application menu.




AVIs by Severity 


Pie chart showing Application Vulnerable Items (AVIs) by Severity 

Top Vulnerabilities 

Horizontal bar 

Bar chart showing the top 15 Vulnerabilities that are leading to the most AVIs 

AVIs Trend Per Week by Severities 


Trend Report showing AVIs created per week and stacked by the severity 

Exceptions by Assignment Group 


Bar chart showing the number of exceptions created and approved per each assignment group 

Exceptions Pending Approval 


Bar chart showing the number of exceptions created that are not approved yet 

Top Applications Impacted 

Horizontal bar 

Bar chart showing the top 15 applications that are leading to the most AVIs 

Closure Reason 


Bar chart showing the top reasons for the closure of AVIs 

Active AVIs 

Single Score 

Single Score report showing the count of Active AVIs 

AVI Trend Per Week by Risk Rating 


Trend Report showing AVIs created per week and stacked by the Risk Rating 

Closed AVIs 

Single Score 

 Single Score report showing the count of Closed AVIs 

AVIs Closed by Week 


Trend Report showing AVIs closed per week and stacked by the severity 

AVIs by Risk Rating 


 Pie chart showing Application Vulnerable Items (AVIs) by Risk Rating 

Deferred AVI by Reason 


A Bar chart showing different deferral reasons for AVIs 

Integration Architecture

This diagram describes the integration functionality at a high level: