
Sonatype for ServiceNow

This guide walks through the functionality of the Sonatype for ServiceNow integration for Lifecycle, including where the data can be found within ServiceNow’s Application Vulnerability Response.

Prerequisites

  • An active license for Sonatype Lifecycle (SaaS, Private Cloud, or Self-Hosted) version 173 or later is required to utilize the integration

  • The target ServiceNow environment requires the Application Vulnerability Response (AVR) version 20.0.2 or newer to be installed (now bundled as part of “Vulnerability Response”)

Note

The integration is certified for Utah and later versions of ServiceNow, as well as Application Vulnerability Response version 20.0.2 and newer. While previous versions of the Application Vulnerability Response modules may work, we recommend updating to the latest version for optimal integration.

Users should be familiar with the basic administration and usage of the ServiceNow platform.

For help with the ServiceNow platform, consult the ServiceNow documentation or raise a ticket with the ServiceNow support team.

It is recommended to utilize ServiceNow’s NVD integration to populate the CVE and CWE tables. This provides contextual data on any vulnerable items created by the integration.

Installation

Obtaining API Access

Before configuring the integration we recommend generating an API User Code and Passcode from within the Lifecycle server. Look for the option Manage User Token in the user menu in the upper right corner within Lifecycle, and then choose Generate User Token on the display popup.

See the documentation on User Tokens for more information.

Installing the Integration

  1. Verify that the prerequisite Vulnerability Response application is installed in ServiceNow.

    1. Browse to System Applications > All Available Applications > All.

    2. Search for Vulnerability Response.

    [Screenshot: Vulnerability Response listed under All Available Applications]
  2. Navigate to the ServiceNow Store

    1. Search for Sonatype Application Vulnerability Response Integration

    2. Select Get in the upper right

    3. Follow the on-screen prompts

After the application is installed, you will be able to find it in the left-hand application navigator by searching for Sonatype.

Configuration

Configuring the Integration

  1. Open Security Operations > Integration Configurations

  2. Locate the Sonatype Application VR Integration tile and click on Configure to perform the initial setup

  3. On the configuration pop-up, enter the “Base URL” for your Sonatype Lifecycle instance, as well as the “User Code” and “Passcode” for API access that were provisioned in the Obtaining API Access section.

    Make sure the "Base URL" includes the API prefix '/api/v2' in the following format: https://<base url>/api/v2

    [Screenshot: Sonatype Application VR Integration configuration pop-up]
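As an added example (not code from the integration or from this guide), the following Node.js function normalizes a pasted Base URL into the required https://<base url>/api/v2 form before it is entered into the configuration pop-up. It strips trailing slashes, appends the '/api/v2' prefix when it is missing, keeps a context root such as /iq, and rejects plain http, query strings and fragments, since the User Code and Passcode are sent over this connection. The function name and error messages are assumptions chosen for this example.

```javascript
// Added example: normalize a Sonatype Lifecycle Base URL for the
// ServiceNow integration configuration. Not part of the integration itself.
const API_PREFIX = '/api/v2';

function normalizeLifecycleBaseUrl(input) {
  let url;
  try {
    url = new URL(String(input).trim());
  } catch (e) {
    throw new Error(`Base URL is not a valid absolute URL: ${input}`);
  }
  // API credentials travel over this connection, so refuse plain http.
  if (url.protocol !== 'https:') {
    throw new Error(`Base URL must use https, got ${url.protocol}`);
  }
  if (url.search || url.hash) {
    throw new Error('Base URL must not contain a query string or fragment');
  }
  // Drop trailing slashes, keep any context root (e.g. /iq), then make
  // sure the path ends with the API prefix exactly once.
  let path = url.pathname.replace(/\/+$/, '');
  if (!path.endsWith(API_PREFIX)) {
    path += API_PREFIX;
  }
  return `${url.origin}${path}`;
}

// Example usage with constructed hostnames:
console.log(normalizeLifecycleBaseUrl('https://iq.example.com'));       // https://iq.example.com/api/v2
console.log(normalizeLifecycleBaseUrl('https://iq.example.com/iq/'));   // https://iq.example.com/iq/api/v2

module.exports = { normalizeLifecycleBaseUrl, API_PREFIX };
```

Run the output through this once and paste the result into the “Base URL” field; a value that throws here would also fail when the integration calls the Lifecycle API.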

Setting the Integration Frequency

All of the components within the Sonatype integration can be scheduled as desired in your environment as well as triggered manually. To review the standard configuration, open the ServiceNow application navigator menu and locate Sonatype App VR Integration > Admin > Integrations.

Here you will find four integrations:

  1. Sonatype Organizations Integration

    Imports the Organizations from Sonatype into the Sonatype Organization table (x_sonat_avr_organization) within ServiceNow.

  2. Sonatype Applications Integration

    • Imports Applications from Sonatype into the Discovered Applications table within Application VR in ServiceNow.

    • This will also utilize CI Lookup rules to match the incoming applications against the Product Models or Business Applications in the CMDB. (Use App VR’s “sn_vul.use_product_model” property to configure which table is referenced.)

  3. Sonatype Scan Summary Integration

    Imports application SCA reports from Sonatype, including statistics about the contents of the report rolled up into a “Scan Summary” that will be related to the Discovered Application.

  4. Sonatype Application Vulnerable Item Integration

    Imports application SCA reports from Sonatype, breaking them down into individual software components/packages and the licenses and vulnerabilities associated with them.


By default, the integrations are chained together such that they will automatically run when the previous run completes:

Sonatype Organizations Integration -> Sonatype Applications Integration -> Sonatype Scan Summary Integration -> Sonatype Application Vulnerable Item Integration.

It is recommended to maintain this sequence as it ensures dependent data from earlier integrations is available for those that follow.

Adjust the timing of the integration by opening the Organizations integration and then setting the Run field to the desired frequency. It is recommended to set the frequency of imports according to the frequency of reports in your Sonatype environment. This has been set to Daily by default.

Execute the Integration Manually (optional)

It is also possible to execute an integration manually. Open any given integration and select the “Execute Now” button. A new row will appear in the “Integration Runs” related list on the integration, which will be dynamically updated with the status as the integration runs.

CI Lookup Rules

Basic Configuration Item (CI) Lookup Rules are provided to match CMDB records on the name of the application, as well as for the less common (but more reliable) scenario in which the Application IDs from Sonatype are mapped to CIs and can be used for matching.

These rules can be found under Security Operations > CMDB > Lookup Rules.


These rules show which attributes arrive from Sonatype and how they can be used in more complex rules that match your organization’s CMDB structure and Discovery tools.

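The following Node.js script is an added example, not the integration’s own lookup rules, that models the two matching strategies described above and in the Sonatype Applications Integration section: an ID-based match (tried first because it is the more reliable) and a name-based fallback that refuses to guess when more than one CI shares the name. The sample CMDB rows, the Sonatype application records and the field names (sys_id, name, sonatypeAppId, publicId) are constructed for this example; the useProductModel flag stands in for the sn_vul.use_product_model property that selects the Product Model or Business Application table.

```javascript
// Added example: a simplified model of the CI Lookup Rules shipped with the
// integration. All records and field names below are constructed.
const sampleCmdb = {
  product_model: [
    { sys_id: 'pm-1', name: 'Payments Service', sonatypeAppId: 'payments-svc' },
    { sys_id: 'pm-2', name: 'Inventory API', sonatypeAppId: null },
  ],
  business_application: [
    { sys_id: 'ba-1', name: 'Payments Service', sonatypeAppId: null },
    { sys_id: 'ba-2', name: 'inventory api', sonatypeAppId: null },
    { sys_id: 'ba-3', name: 'Inventory API', sonatypeAppId: null },
  ],
};

// Normalize names on both sides so case and spacing differences do not block a match.
function normalizeName(name) {
  return String(name).trim().toLowerCase().replace(/\s+/g, ' ');
}

// Chooses the table to match against, mirroring the sn_vul.use_product_model property.
function lookupTable(cmdb, useProductModel) {
  return useProductModel ? cmdb.product_model : cmdb.business_application;
}

// Returns { ci, rule } when a rule matches, { ci: null, rule: 'ambiguous_name', candidates }
// when the name matches several CIs, and null when nothing matches.
function matchCi(app, cmdb, useProductModel) {
  const table = lookupTable(cmdb, useProductModel);

  // Rule 1: the Sonatype Application ID is mapped on the CI (most reliable).
  const byId = table.filter((ci) => ci.sonatypeAppId && ci.sonatypeAppId === app.publicId);
  if (byId.length === 1) {
    return { ci: byId[0], rule: 'sonatype_app_id' };
  }

  // Rule 2: match on application name, only when the name is unique in the table.
  const wanted = normalizeName(app.name);
  const byName = table.filter((ci) => normalizeName(ci.name) === wanted);
  if (byName.length === 1) {
    return { ci: byName[0], rule: 'application_name' };
  }
  if (byName.length > 1) {
    return { ci: null, rule: 'ambiguous_name', candidates: byName.map((c) => c.sys_id) };
  }
  return null;
}

// Example run over the constructed records:
const incoming = [
  { publicId: 'payments-svc', name: 'Payments Service' },
  { publicId: 'inventory-api', name: 'Inventory API' },
  { publicId: 'legacy-portal', name: 'Legacy Portal' },
];
for (const app of incoming) {
  console.log(app.publicId, '->', JSON.stringify(matchCi(app, sampleCmdb, false)));
}

module.exports = { sampleCmdb, normalizeName, lookupTable, matchCi };
```

Unmatched and ambiguous results are returned explicitly rather than silently picking a CI, which is the behaviour you want when an incoming application could otherwise be attached to the wrong owner and assignment group.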

Security Roles

The integration includes two roles to help govern access to the base integration features. Importantly, these roles don’t grant specific privileges within Vulnerability Response, so these roles are only meant to supplement users’ existing App VR roles.

Role | Description
--- | ---
x_sonat_avr.user | Gives access to the Sonatype integration menu and modules for viewing App Vulnerable Items created by the integration as well as reports against them. This role may be unnecessary in production for users already maintaining their AVIT queues through the standard App VR menus.
x_sonat_avr.admin | Provides access to all the Sonatype menu items, including links to App VITs, Discovered Applications, and Scanned Applications created by the integration, as well as the ability to configure the integration, review logs, and contact Sonatype support.

Reports

Several reports are included to give statistics and trends around the information imported from the Sonatype integration. These reports are also available on a dashboard included in the Sonatype application menu.

Title | Type | Description
--- | --- | ---
AVIs by Severity | Pie | Pie chart showing Application Vulnerable Items (AVIs) by Severity
Top Vulnerabilities | Horizontal bar | Bar chart showing the top 15 Vulnerabilities that are leading to the most AVIs
AVIs Trend Per Week by Severities | Trend | Trend Report showing AVIs created per week and stacked by the severity
Exceptions by Assignment Group | Bar | Bar chart showing the number of exceptions created and approved per each assignment group
Exceptions Pending Approval | Bar | Bar chart showing the number of exceptions created that are not approved yet
Top Applications Impacted | Horizontal bar | Bar chart showing the top 15 applications that are leading to the most AVIs
Closure Reason | Bar | Bar chart showing the top reasons for the closure of AVIs
Active AVIs | Single Score | Single Score report showing the count of Active AVIs
AVI Trend Per Week by Risk Rating | Trend | Trend Report showing AVIs created per week and stacked by the Risk Rating
Closed AVIs | Single Score | Single Score report showing the count of Closed AVIs
AVIs Closed by Week | Column | Trend Report showing AVIs closed per week and stacked by the severity
AVIs by Risk Rating | Pie | Pie chart showing Application Vulnerable Items (AVIs) by Risk Rating
Deferred AVI by Reason | Bar | Bar chart showing different deferral reasons for AVIs

Integration Architecture

This diagram describes the integration functionality at a high level:

[Diagram: high-level integration architecture]