Alternative to hardcoded Sys ID's that can be flagged as a security issue - Support and Troubleshooting
KB0785129

7927 views. Last updated: Sep 4, 2023
Issue

ServiceNow occasionally performs health scans on user instances. One practice that will be flagged as a security issue is when hardcoded Sys IDs from objects in the instance are used within scripts.

A workaround for this issue is to create system properties that contain the Sys IDs and then retrieve the values from those properties when needed.

Release

All

Resolution

Note that in the following script, the "encodedquery" string contains the sys_ids for a manufacturer, a location and a company. This code would be flagged during a health scan as a security issue.

// Flagged version: the three sys_ids are hardcoded in the encoded query.
var ciName = new GlideRecord('cmdb_ci');
var encodedquery = 'sys_class_name=cmdb_ci_computer^manufacturer=b7e9e843c0a80169009a5a485bb2a2b5^location=f90735e70a0a0b9100de208fbc63907d^company=31bea3d53790200044e0bfc8bcbe5dec';

ciName.addEncodedQuery(encodedquery);
ciName.query();

// Print the name of every matching computer CI.
while (ciName.next()) {
    gs.print('cmdb_ci.name ' + ciName.name);
}

This issue can be addressed by creating a system property record for each of these Sys IDs and retrieving the values with gs.getProperty(). In this example, the system properties "acme_corp", "loc_santa_ana" and "acme_ne" were created with the following values:

acme_corp = b7e9e843c0a80169009a5a485bb2a2b5
loc_santa_ana = f90735e70a0a0b9100de208fbc63907d
acme_ne = 31bea3d53790200044e0bfc8bcbe5dec

 

The script was then modified to retrieve these values and incorporate them into the encoded query string.

// Read each sys_id from its system property instead of hardcoding it.
var acme_corp_SysID = gs.getProperty("acme_corp");
var location_SysID = gs.getProperty("loc_santa_ana");
var company_SysID = gs.getProperty("acme_ne");

var ciName = new GlideRecord('cmdb_ci');
// Build the same encoded query as before from the retrieved values.
var encodedquery = 'sys_class_name=cmdb_ci_computer^manufacturer=' + acme_corp_SysID.toString() + '^location=' + location_SysID.toString() + '^company=' + company_SysID.toString();

ciName.addEncodedQuery(encodedquery);
ciName.query();

// Print the name of every matching computer CI.
while (ciName.next()) {
    gs.print('cmdb_ci.name ' + ciName.name);
}

 

This information can also be found in an answered question by Chuck Tomasi in the Community:

https://community.servicenow.com/community?id=community_question&sys_id=0ed187a9db98dbc01dcaf3231f961934&view_source=searchResult

That answer gives the ServiceNow-suggested method of resolving the issue: retrieving the values from the sys_properties table using the getProperty method.
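
The modified script assumes that every property exists and holds a sys_id. The following added example (not part of the original article and not ServiceNow's code) checks each property value before building the same encoded query; the helper names requireSysIdProperty and buildComputerCiQuery, the injected getProperty function and the sample property store are assumptions made for illustration.

```javascript
// Added example (not ServiceNow's code). Assumptions: sys_ids are 32 hex
// characters, as in the article; `getProperty` behaves like gs.getProperty
// and returns null when the property does not exist.
var SYS_ID_PATTERN = /^[0-9a-f]{32}$/i;

// Field name -> system property name, taken from the article's script.
var CI_FILTER_PROPERTIES = {
    manufacturer: 'acme_corp',
    location: 'loc_santa_ana',
    company: 'acme_ne'
};

// Hypothetical helper: return the sys_id held in a property, or throw.
function requireSysIdProperty(getProperty, propertyName) {
    var value = getProperty(propertyName);
    if (value === null || value === undefined) {
        throw new Error('System property not set: ' + propertyName);
    }
    value = String(value).trim();
    if (!SYS_ID_PATTERN.test(value)) {
        // Also rejects values containing '^', which would add query terms.
        throw new Error('System property is not a sys_id: ' + propertyName);
    }
    return value;
}

// Hypothetical helper: build the article's encoded query for cmdb_ci.
function buildComputerCiQuery(getProperty) {
    var terms = ['sys_class_name=cmdb_ci_computer'];
    Object.keys(CI_FILTER_PROPERTIES).forEach(function (field) {
        var name = CI_FILTER_PROPERTIES[field];
        terms.push(field + '=' + requireSysIdProperty(getProperty, name));
    });
    return terms.join('^');
}

// Constructed stand-in for sys_properties (values from the article) so the
// example runs off-instance; on an instance pass a wrapper around gs.getProperty.
var sampleProperties = {
    acme_corp: 'b7e9e843c0a80169009a5a485bb2a2b5',
    loc_santa_ana: 'f90735e70a0a0b9100de208fbc63907d',
    acme_ne: '31bea3d53790200044e0bfc8bcbe5dec'
};
function sampleGetProperty(name) {
    return Object.prototype.hasOwnProperty.call(sampleProperties, name) ? sampleProperties[name] : null;
}
console.log(buildComputerCiQuery(sampleGetProperty));
```

Failing before the query runs means a deleted or mistyped property surfaces as a clear error instead of a query built from an empty or unexpected value.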

