Symptoms

Vulnerability Items are getting created with an invalid Configuration Item. It shows blank on the form but you can see a sys_id in the XML

Release

Jakarta Patch 8

Cause

Missing records on cmdb_ci_hardware

Resolution

When you have a Vulnerability Item created, it is looking for the "Installed On" field on the cmdb_sam_sw_install table. Reviewing the Vulnerability Item, it was seen that it was assigned to CVE-2015-3903. With this information, we checked the Vulnerability Softwares table (https://instancename.service-now.com/sn_vul_m2m_entry_software_list.do?sysparm_query=sn_vul_entry.idSTARTSWITHCVE-2015-3903%5Esn_vul_software.display_nameSTARTSWITHPhpmyadmin%20Phpmyadmin%204.0.2), and found the Vulnerable Software was for Phpmyadmin Phpmyadmin 4.0.2. From here, we went to the Software Installations table (https://instancename.service-now.com/cmdb_sam_sw_install_list.do?sysparm_query=display_nameSTARTSWITHPhpmyadmin%20Phpmyadmin%204.0.2) and saw that the "Installed On" field is blank and is pulling in a sys_id of 76a9a04d3790200044e0bfc8bcbe5d01 which matches the null field on the Vulnerability Item. 

We noticed this was not being pulled in because the Hardware was missing from the cmdb_ci_hardware. Exporting from a personal dev instance and importing to an instance solved the issue and we confirmed that we could see the Configuration Item being shown on the Vulnerability Item.