Summary
During importing vulnerability data from Qualys, if data encryption is being enabled on vulnerability related tables then system will probably create duplicate vulnerability items in sn_vul_vulnerable_item.LIST table.
Release
Apply to all releases.
Instructions
Currently ServiceNow does not support data encryption on vulnerability related data fields, such as Encryption Context, etc. This is because the user being used to run the Qualys scheduled jobs does not have an active user session so it has no access to the encryption keys. This will result in creation of duplicate vulnerability item records because system can not access those encrypted fields.
More details can be referred from below docs link.
https://docs.servicenow.com/csh?topicname=c_EncryptionSupport.html&version=latest
"Because contexts are tied to roles and roles are tied to users, you do not have access to keys from non-user sessions. Anything running as a system user or a scheduled job that doesn’t have a user session won’t be able to access the key to encrypt or decrypt data."
Following below steps to check whether any vulnerability related fields are being used for encryption on the instance.
1. Navigate to menu System Security > Field Encryption > Encrypted Field Configurations
2. Search by table name starts from "sn_vul_"
Below is a screenshot showing fields being used for encryption. In this case users need to disable the respective encryption context, remove the sn_vul fields from the encryption configurations and clean tables prior to the next Qualys data import.
Note: Below tables that would need to be cleaned prior to the next import test.
sn_vul_detection
sn_vul_m2m_vul_group_item
sn_vul_vulnerable_item
sn_vul_vulnerability
sn_vul_third_party_entry
sn_vul_entry
sn_vul_nvd_entry
Please refer to KB0820838 for more details regarding how to truncate the related tables.
