Release 3.20.1 API
February 06, 2025
Before understanding the API release highlights, learn more about the API server URL to be used in your API requests by referring to the Know Your Qualys API Server URL section. For this API Release Notes, <qualys_base_url> is mentioned in the sample API requests.
What's New?
 |
Cloud Agent |
Updated SwCA Component Report Download API: Download SwCA Component Report for Multiple Assets
| New or Updated API | Updated |
| API Endpoint | /qps/rest/1.0/download/ca/downloadcdxsbom/ |
| Method | POST |
| DTD or XSD Changes | Yes |
With this release, we have added support for downloading Software Composition Analysis (SwCA) Scan Report for multiple assets as per Cyclone Dx standard in JSON format.
We are providing Criteria filter to specify the assets for which you want to download the SwCA scan report. You can specify the assets using different parameters such as tagName, id, activationKey, and so on.
Input ParametersInput Parameters
| Input Parameter | Mandatory/Optional | Data Type | Description |
|---|---|---|---|
| cdxschemaversion |
Mandatory | String | Use this parameter to specify the report version you want to download. Acceptable values: CYCLONE_DX_1_4, CYCLONE_DX_1_6 |
| tagName | Optional | String | Use this parameter to specify the assets using the asset tags associated with them. |
| id | Optional | Integer | Use this parameter to specify the assets using asset IDs. You can enter single or multiple asset IDs. |
| activationKey | Optional | String | Use this parameter to specify the assets using activation key. |
Sample: Download SwCA Scan Report for Multiple Assets as per Cyclone Dx StandardSample: Download SwCA Scan Report for Multiple Assets as per Cyclone Dx Standard
The following sample illustrates downloading SwCA scan report for multiple assets in JSON format as per Cyclone Dx standard.
API Request
curl --location '
<qualys_base_url>/qps/rest/1.0/download/ca/downloadcdxsbom/' \
--header 'Content-Type: application/xml' \
--header 'Authorization: <authentication_token>' \
--header 'Cookie: JSESSIONID=EACF8DCFC60B2028B6F5F19D01AE2D9E' \
--data '
API Request Body
<ServiceRequest>
<data>
<DownloadCDXSbom>
<cdxschemaversion>CYCLONE_DX_1_4</cdxschemaversion>
</DownloadCDXSbom>
</data>
<filters>
<Criteria field="tagName" operator="EQUALS">Cloud Agent</Criteria>
</filters>
</ServiceRequest>
API Response
200 OK.
Click the Send and Download on the API response page to download the SwCA component report in JSON format as per the Cyclone Dx standard.
Updated ParametersUpdated Parameters
With this release, we are deprecating support for the following parameter(s) used in the SwCA Scan Report Download API.
| Parameter Change | Change Description |
|---|---|
| assetId | We have removed the support for the assetId parameter that was used for specifying the assets for which you wanted to download the SwCA Component Report.Now you can use the Criteria filter with the id parameter to specify the asset IDs.
|
Updated XSD for SwCA Component Report Download APIUpdated XSD for SwCA Component Report Download API
The following is the updated XSD for the SwCA Component Report Download API (cyclonedxschemaversion.xsd).
We have removed the <assetId> tag from the XSD as we no longer support the assetId parameter for the SwCA Component Report Download API.
cyclonedxschemaversion.xsd
<?xml version="1.0" encoding="UTF-8"?>
<schemaxmlns="http://www.w3.org/2001/XMLSchema" targetNamespace="http://ca.oxm.api.portal.qualys.com/v1"
elementFormDefault="qualified"
xmlns:QG="http://ca.oxm.api.portal.qualys.com/v1"
xmlns:jaxb="http://java.sun.com/xml/ns/jaxb"
xmlns:xjc="http://java.sun.com/xml/ns/jaxb/xjc"
jaxb:extensionBindingPrefixes="xjc"
jaxb:version="2.1"
xmlns:qcommon="http://oxm.api.portal.qualys.com/common">
<import namespace="http://oxm.api.portal.qualys.com/common"
schemaLocation="http://oxm.api.portal.qualys.com/common/qualys_common.xsd"/>
<include schemaLocation="cyclonedxschemaversion.xsd"/>
<complexType name="DownloadCDXSbom">
<sequence>
<element name="cdxschemaversion" type="QG:CycloneDXSchemaVersion" minOccurs="0" maxOccurs="1"/>
</sequence>
</complexType>
</schema>
 |
Web Application Scanning |
Updated Search Findings API: Limit Previous Records for Findings
| New or Updated API | Updated |
| API Endpoint | /qps/rest/3.0/search/was/finding/ |
| Method | POST |
| DTD or XSD Changes | Yes |
With this release, we are introducing a parameter — limitHistories, to limit the maximum number of previous records associated with a finding that can be returned in the Search Findings API response. Using this parameter, you can reduce the processing time required to generate an API response.
Input ParameterInput Parameter
Use the following input parameter(s) to limit the maximum number of previous records.
| Input Parameter | Mandatory/Optional | Data Type | Description |
|---|---|---|---|
| limitHistories | Optional | Integer | Specify the number of previous records associated with a finding that the API should return in response. For example, if you provide 10 as a parameter value then 10 previous records associated with a finding are returned in API response. Default value is 0. By default, the API would not return any previous records associated with a finding. |
Sample: Limit Previous Records for Findings in API ResponseSample: Limit Previous Records for Findings in API Response
The following sample illustrates limiting the previous records that would be returned in the Search Findings API response, using limitHistories parameter.
API Request
curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @- "
<qualys_base_url>/qps/rest/3.0/search/was/finding/" < file.xml
The file.xml contains the request POST data.
API Request Body
<ServiceRequest>
<preferences>
<limitResults>10</limitResults>
<verbose>true</verbose>
<custom>
<Preference name="limitHistories">2</Preference>
</custom>
</preferences>
<filters>
<Criteria field="id" operator="IN">149269</Criteria>
</filters>
</ServiceRequest>
API Response
<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="<qualys_base_url>/qps/xsd/3.0/was/finding.xsd">
<responseCode>SUCCESS</responseCode>
<count>1</count>
<hasMoreRecords>false</hasMoreRecords>
<data>
<Finding>
<id>149269</id>
<uniqueId>1a2b3456-8c9d-123e-4567-f89g12h345a6</uniqueId>
<qid>150603</qid>
<detectionScore>55</detectionScore>
<name>
<![CDATA[U.S. Social Security Number Pattern Identified In HTML]]>
</name>
<type>SENSITIVE_CONTENT</type>
<potential>true</potential>
<findingType>QUALYS</findingType>
<cwe>
<count>1</count>
<list>
<long>201</long>
</list>
</cwe>
<owasp>
<count>1</count>
<list>
<OWASP>
<name>
<![CDATA[Cryptographic Failures]]>
</name>
<url>
<![CDATA[https://owasp.org/Top10/A02_2021-Cryptographic_Failures/]]>
</url>
<code>2</code>
</OWASP>
</list>
</owasp>
<wasc>
<count>1</count>
<list>
<WASC>
<name>
<![CDATA[INFORMATION LEAKAGE]]>
</name>
<url>
<![CDATA[http://projects.webappsec.org/w/page/12345678/WASC]]>
</url>
<code>13</code>
</WASC>
</list>
</wasc>
<resultList>
<count>1</count>
<list>
<Result>
<authentication>false</authentication>
<accessPath>
<count>3</count>
<list>
<Url>
<![CDATA[https://12.34.56.789/]]>
</Url>
<Url>
<![CDATA[https://12.34.56.789/boq/parseAction.php]]>
</Url>
<Url>
<![CDATA[https://12.34.56.789/boq/protected/]]>
</Url>
</list>
</accessPath>
<ajax>false</ajax>
<payloads>
<count>1</count>
<list>
<PayloadInstance>
<request>
<method>
<![CDATA[GET]]>
</method>
<link>
<![CDATA[https://12.34.56.789/boq/protected/Employee_List.html]]>
</link>
<headers>
<![CDATA[header_value]]>
</headers>
</request>
<response>
<![CDATA[133-96-xxxx]]>
</response>
</PayloadInstance>
</list>
</payloads>
</Result>
</list>
</resultList>
<severity>3</severity>
<url>
<![CDATA[https://12.34.56.789/boq/protected/Employee_List.html]]>
</url>
<status>ACTIVE</status>
<firstDetectedDate>2023-08-15T12:39:32Z</firstDetectedDate>
<lastDetectedDate>2023-08-20T20:56:00Z</lastDetectedDate>
<lastTestedDate>2023-08-20T20:56:00Z</lastTestedDate>
<timesDetected>2</timesDetected>
<webApp>
<id>456789321</id>
<name>
<![CDATA[bank of Qualys]]>
</name>
<url>
<![CDATA[https://12.34.56.789]]>
</url>
<tags>
<count>4</count>
<list>
<Tag>
<id>423456789</id>
<name>
<![CDATA[bank tag dynamic]]>
</name>
</Tag>
<Tag>
<id>323456789</id>
<name>
<![CDATA[perf-test-namecontains-10]]>
</name>
</Tag>
<Tag>
<id>223456789</id>
<name>
<![CDATA[perf-test-namecontains-1]]>
</name>
</Tag>
<Tag>
<id>123456789</id>
<name>
<![CDATA[CheckWebappReportlimit]]>
</name>
</Tag>
</list>
</tags>
</webApp>
<isIgnored>false</isIgnored>
<cvssV3>
<base>7.5</base>
<temporal>6.7</temporal>
<attackVector>Network</attackVector>
</cvssV3>
<history>
<set>
<WebAppFindingHistory>
<scanData>
<id>2345678</id>
<reference>was/1234567891234.1234567.1</reference>
<launchedDate>2024-10-22T08:47:10Z</launchedDate>
</scanData>
</WebAppFindingHistory>
<WebAppFindingHistory>
<scanData>
<id>1234567</id>
<reference>was/2234567891234.1234567.1</reference>
<launchedDate>2024-10-20T08:47:38Z</launchedDate>
</scanData>
</WebAppFindingHistory>
</set>
</history>
<updatedDate>2023-12-04T22:43:52Z</updatedDate>
</Finding>
</data>
</ServiceResponse>
Updated XSD for Search Findings APIUpdated XSD for Search Findings API
The following XSD highlights the changes made to the Search Findings API XSD (finding.xsd).
finding.xsd
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema
xmlns:xs="http://www.w3.org/2001/XMLSchema"
elementFormDefault="qualified">
<!-- REQUEST -->
<xs:element name="ServiceRequest">
<xs:complexType>
<xs:all>
<xs:element name="filters" type="ServiceRequestFilters" minOccurs="0"/>
<xs:element name="preferences" type="ServiceRequestPreferences" minOccurs="0"/>
<xs:element name="data" type="ServiceRequestData" minOccurs="0"/>
</xs:all>
</xs:complexType>
</xs:element>
<xs:complexType name="ServiceRequestFilters">
<xs:sequence>
<xs:element name="Criteria" type="Criteria" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="ServiceRequestCustomPreferences">
<xs:sequence>
<xs:element name="Preference" type="Preference" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="Criteria">
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="field" type="xs:string"/>
<xs:attribute name="operator">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="CONTAINS"/>
<xs:enumeration value="IN"/>
<xs:enumeration value="EQUALS"/>
<xs:enumeration value="NOT EQUALS"/>
<xs:enumeration value="GREATER"/>
<xs:enumeration value="LESSER"/>
<xs:enumeration value="NONE"/>
<xs:enumeration value="IS EMPTY"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
<xs:complexType name="Preference">
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="name" type="xs:string"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
<xs:complexType name="ServiceRequestPreferences">
<xs:all> <xs:element name="startFromId" type="xs:long" minOccurs="0"/>
<xs:element name="startFromOffset" type="xs:int" minOccurs="0"/>
<xs:element name="limitResults" type="xs:int" minOccurs="0"/>
<xs:element name="verbose" type="xs:boolean" minOccurs="0"/>
<xs:element name="custom" type="ServiceRequestCustomPreferences" minOccurs="0"/>
</xs:all>
</xs:complexType>
<xs:complexType name="ServiceRequestData">
<xs:sequence>
<xs:element name="Finding" type="Finding" minOccurs="0"/>
</xs:sequence> </xs:complexType>
<!-- RESPONSE -->
<xs:element name="ServiceResponse">
<xs:complexType>
<xs:sequence>
<xs:element name="responseCode" type="ResponseCode"/>
<xs:element name="responseErrorDetails" type="ResponseErrorObject" minOccurs="0"/>
<xs:element name="count" type="xs:int" minOccurs="0"/>
<xs:element name="hasMoreRecords" type="xs:boolean" minOccurs="0"/>
<xs:element name="lastId" type="xs:long" minOccurs="0"/>
<xs:element name="data" type="ServiceResponseData" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:simpleType name="ResponseCode">
<xs:restriction base="xs:string">
<xs:enumeration value="CANNOT_BE_NULL"/>
<xs:enumeration value="INVALID_XML"/>
<xs:enumeration value="INVALID_CREDENTIALS"/>
<xs:enumeration value="INVALID_API_VERSION"/>
<xs:enumeration value="INVALID_PARAM"/>
<xs:enumeration value="INVALID_URL"/>
<xs:enumeration value="INVALID_REQUEST"/>
<xs:enumeration value="NOT_FOUND"/>
<xs:enumeration value="OTHER_ERROR"/>
<xs:enumeration value="OPERATION_NOT_SUPPORTED"/>
<xs:enumeration value="EVALUATION_EXPIRED"/>
<xs:enumeration value="JMS_SERVER_DOWN"/>
<xs:enumeration value="RMI_SERVER_DOWN"/>
<xs:enumeration value="SUCCESS"/>
<xs:enumeration value="STILL_PROCESSING"/>
<xs:enumeration value="UNAUTHORIZED"/>
<xs:enumeration value="UNAUTHORIZED_DESTINATION_APPS"/>
<xs:enumeration value="UNIDENTIFIED_PRODUCER"/>
<xs:enumeration value="UNKNOWN_OBJECT"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="ResponseErrorObject">
<xs:sequence>
<xs:element name="errorMessage" type="xs:string"/>
<xs:element name="errorResolution" type="xs:string" minOccurs="0"/>
<xs:element name="internalErrorCodeId" type="xs:int" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="ServiceResponseData">
<xs:sequence>
<xs:element name="Finding" type="Finding" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<!-- DATA -->
<xs:complexType name="Finding">
<xs:all>
<xs:element name="id" type="xs:long" minOccurs="0"/>
<xs:element name="uniqueId" type="uuid" minOccurs="0"/>
<xs:element name="qid" type="xs:long" minOccurs="0"/>
<xs:element name="detectionScore" type="xs:int" minOccurs="0"/>
<xs:element name="name" type="Cdata" minOccurs="0"/>
<xs:element name="type" minOccurs="0">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="VULNERABILITY"/>
<xs:enumeration value="SENSITIVE_CONTENT"/>
<xs:enumeration value="INFORMATION_GATHERED"/>
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element name="potential" minOccurs="0" type="xs:boolean"/>
<xs:element name="findingType" minOccurs="0">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="QUALYS"/>
<xs:enumeration value="BURP"/>
<xs:enumeration value="BUGCROWD"/>
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element name="group" minOccurs="0">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="XSS"/>
<xs:enumeration value="SQL"/>
<xs:enumeration value="INFO"/>
<xs:enumeration value="PATH"/>
<xs:enumeration value="CC"/>
<xs:enumeration value="SSN-US"/>
<xs:enumeration value="CUSTOM"/>
<xs:enumeration value="IG-DIAG"/>
<xs:enumeration value="IG-WEAK"/>
<xs:enumeration value="COMPLIANCE"/>
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element name="cwe" type="CWEList" minOccurs="0"/>
<xs:element name="owasp" type="OWASPList" minOccurs="0"/>
<xs:element name="wasc" type="WASCList" minOccurs="0"/>
<xs:element name="param" type="Cdata" minOccurs="0" />
<xs:element name="function" type="Cdata" minOccurs="0" />
<xs:element name="content" type="Cdata" minOccurs="0" />
<xs:element name="resultList" type="ResultList" minOccurs="0" />
<xs:element name="severity" type="xs:string" minOccurs="0"/>
<xs:element name="originalSeverity" type="xs:string" minOccurs="0"/>
<xs:element name="url" type="Url" minOccurs="0"/>
<xs:element name="status" minOccurs="0">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="NEW"/>
<xs:enumeration value="ACTIVE"/>
<xs:enumeration value="REOPENED"/>
<xs:enumeration value="FIXED"/>
<xs:enumeration value="PROTECTED"/>
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element name="firstDetectedDate" type="xs:dateTime" minOccurs="0"/>
<xs:element name="lastDetectedDate" type="xs:dateTime" minOccurs="0"/>
<xs:element name="lastTestedDate" type="xs:dateTime" minOccurs="0"/>
<xs:element name="fixedDate" type="xs:dateTime" minOccurs="0"/>
<xs:element name="timesDetected" type="xs:long" minOccurs="0"/>
<xs:element name="webApp" type="WebApp" minOccurs="0"/>
<xs:element name="patch" type="xs:long" minOccurs="0"/>
<xs:element name="isIgnored" type="xs:boolean" minOccurs="0"/>
<!-- Following element will be available only if finding is ignored and this will also be used for 'ignore' operation for providing reason -->
<xs:element name="ignoredReason" minOccurs="0">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="FALSE_POSITIVE"/>
<xs:enumeration value="RISK_ACCEPTED"/>
<xs:enumeration value="NOT_APPLICABLE"/>
</xs:restriction>
</xs:simpleType>
</xs:element>
<!-- Following element will be available only if finding is ignored -->
<xs:element name="ignoredBy" type="User" minOccurs="0"/>
<!-- Following element will be available only if finding is ignored -->
<xs:element name="ignoredDate" type="xs:dateTime" minOccurs="0"/>
<!-- Following element will be available only if finding is ignored and this will also be used for 'ignore' operation for providing comment -->
<xs:element name="ignoredComment" type="Cdata" minOccurs="0"/>
<!-- Following element will be available only if finding is ignored -->
<xs:element name="reactivateIn" type="xs:int" minOccurs="0"/>
<!-- Following element will be available only if finding is ignored -->
<xs:element name="reactivateDate" type="xs:date" minOccurs="0"/>
<xs:element name="externalRef" type="Cdata" minOccurs="0"/>
<!-- Following element will be available only if severity level is edited and this will also be used for 'edit sevrity' operation for providing comment -->
<xs:element name="severityComment" type="Cdata" minOccurs="0"/>
<!-- Following element will be available only if severity level is edited -->
<xs:element name="editedSeverityUser" type="User" minOccurs="0"/>
<!-- Following element will be available only if severity level is edited -->
<xs:element name="editedSeverityDate" type="xs:dateTime" minOccurs="0"/>
<!-- Following element will be available only if finding is retested -->
<!-- Following element will be available only if finding is retested -->
<xs:element name="retest" type="Retest" minOccurs="0"/>
<!-- Following data will populate only for SSL QIDs-->
<xs:element name="sslData" type="SSLData" minOccurs="0"/>
<xs:element name="cvssV3" type="CvssV3" minOccurs="0"/>
<xs:element name="history" type="HistoryList" minOccurs="0"/>
<xs:element name="updatedDate" type="xs:dateTime" minOccurs="0"/>
</xs:all>
</xs:complexType>
<xs:complexType name="CvssV3">
<xs:all>
<xs:element name="base" type="xs:float"/>
<xs:element name="temporal" type="xs:float"/>
<xs:element name="attackVector" type="xs:string"/>
</xs:all>
</xs:complexType>
<xs:complexType name="WebApp">
<xs:all>
<xs:element name="id" type="xs:long" minOccurs="0"/>
<xs:element name="name" type="Cdata" minOccurs="0"/>
<xs:element name="url" type="Url" minOccurs="0"/>
<xs:element name="tags" type="TagList" minOccurs="0"/>
</xs:all>
</xs:complexType>
<xs:complexType name="TagList">
<xs:all>
<xs:element name="count" type="xs:int" minOccurs="0"/>
<xs:element name="list" minOccurs="0" >
<xs:complexType>
<xs:sequence>
<xs:element name="Tag" type="Tag" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="set" minOccurs="0" >
<xs:complexType>
<xs:sequence>
<xs:element name="Tag" type="Tag" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:all>
</xs:complexType>
<xs:complexType name="Tag">
<xs:all>
<xs:element name="id" type="xs:long"/>
<xs:element name="name" type="Cdata" minOccurs="0"/>
</xs:all>
</xs:complexType>
<xs:complexType name="Cdata">
<xs:simpleContent> <xs:extension base="xs:string"/>
</xs:simpleContent>
</xs:complexType>
<xs:simpleType name="uuid">
<xs:restriction base="xs:string"> <xs:pattern value="[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}" />
</xs:restriction>
</xs:simpleType>
<xs:complexType name="UrlList">
<xs:all>
<xs:element name="count" type="xs:int" minOccurs="0"/>
<xs:element name="list" minOccurs="0" >
<xs:complexType>
<xs:sequence>
<xs:element name="Url" type="Url" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:all>
</xs:complexType>
<xs:complexType name="Url">
<xs:simpleContent>
<xs:extension base="Cdata"/>
</xs:simpleContent>
</xs:complexType>
<xs:complexType name="ResultList">
<xs:all>
<xs:element name="count" type="xs:int" minOccurs="0"/>
<xs:element name="list" minOccurs="0" > <xs:complexType>
<xs:sequence> <xs:element name="Result" type="Result" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:all>
</xs:complexType>
<xs:complexType name="Result">
<xs:all>
<xs:element name="authentication" type="xs:boolean" minOccurs="0" />
<xs:element name="formLocation" type="Url" minOccurs="0" />
<xs:element name="accessPath" type="UrlList" minOccurs="0" />
<xs:element name="ajax" type="xs:boolean" minOccurs="0" />
<xs:element name="ajaxRequestId" type="xs:string" minOccurs="0" />
<xs:element name="payloads" type="PayloadList" minOccurs="0"/>
<!-- Following data will populate only for finding type 'IG' -->
<xs:element name="data" type="Cdata" minOccurs="0"/>
</xs:all>
</xs:complexType>
<xs:complexType name="PayloadList">
<xs:all>
<xs:element name="count" type="xs:int" minOccurs="0"/>
<xs:element name="list" minOccurs="0" >
<xs:complexType>
<xs:sequence>
<xs:element name="PayloadInstance" type="PayloadInstance" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:all>
</xs:complexType>
<xs:complexType name="PayloadInstance">
<xs:all>
<xs:element name="payload" type="Cdata" minOccurs="0" />
<xs:element name="request" type="PayLoadRequest" minOccurs="0" />
<xs:element name="response" type="Cdata" minOccurs="0" />
<xs:element name="payloadResult" type="PayloadResult" minOccurs="0" />
</xs:all>
</xs:complexType>
<xs:complexType name="PayloadResult">
<xs:all>
<xs:element name="offset" type="xs:long" minOccurs="0" />
<xs:element name="length" type="xs:long" minOccurs="0" />
</xs:all>
</xs:complexType>
<xs:complexType name="PayLoadRequest">
<xs:all>
<xs:element name="method" type="Cdata" minOccurs="0" />
<xs:element name="link" type="Url" minOccurs="0" />
<xs:element name="headers" type="Cdata" minOccurs="0" />
<xs:element name="body" type="Cdata" minOccurs="0" />
</xs:all>
</xs:complexType>
<xs:complexType name="OWASPList">
<xs:all>
<xs:element name="count" type="xs:int" minOccurs="0"/>
<xs:element name="list" minOccurs="0" >
<xs:complexType>
<xs:sequence>
<xs:element name="OWASP" type="OWASP" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:all>
</xs:complexType>
<xs:complexType name="WebAppFindingHistory">
<xs:sequence>
<xs:element name="scan" type="WasScan"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="WasScan">
<xs:sequence>
<xs:element name="id" type="xs:long"/>
<xs:element name="reference" type="xs:string"/>
<xs:element name="launchedDate" type="xs:dateTime" />
</xs:sequence>
</xs:complexType>
<xs:complexType name="HistoryList">
<xs:all>
<xs:element name="count" type="xs:int" minOccurs="0"/>
<xs:element name="set" minOccurs="0" > <xs:complexType> <xs:sequence>
<xs:element name="WebAppFindingHistory" type="WebAppFindingHistory" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:all>
</xs:complexType>
<xs:complexType name="OWASP">
<xs:all>
<xs:element name="name" type="Cdata" minOccurs="0" />
<xs:element name="url" type="Url" minOccurs="0" />
<xs:element name="code" type="xs:long" minOccurs="0"/>
</xs:all>
</xs:complexType>
<xs:complexType name="WASCList">
<xs:all>
<xs:element name="count" type="xs:int" minOccurs="0"/>
<xs:element name="list" minOccurs="0" >
<xs:complexType>
<xs:sequence>
<xs:element name="WASC" type="WASC" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:all>
</xs:complexType>
<xs:complexType name="WASC">
<xs:all>
<xs:element name="name" type="Cdata" minOccurs="0" />
<xs:element name="url" type="Url" minOccurs="0" />
<xs:element name="code" type="xs:long" minOccurs="0"/>
</xs:all>
</xs:complexType>
<xs:complexType name="CWEList">
<xs:all>
<xs:element name="count" type="xs:int" minOccurs="0"/>
<xs:element name="list" minOccurs="0" >
<xs:complexType>
<xs:sequence>
<xs:element name="long" type="xs:long" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:all>
</xs:complexType>
<xs:complexType name="User">
<xs:all>
<xs:element name="id" type="xs:long"/>
<xs:element name="username" type="xs:string" minOccurs="0"/>
<xs:element name="firstName" type="Cdata" minOccurs="0"/>
<xs:element name="lastName" type="Cdata" minOccurs="0"/>
</xs:all>
</xs:complexType>
<xs:simpleType name="RetestStatus" >
<xs:restriction base="xs:string">
<xs:enumeration value="NO_RETEST"/>
<xs:enumeration value="UNDER_RETEST"/>
<xs:enumeration value="RETESTED"/>
<xs:enumeration value="CANCELING"/>
<xs:enumeration value="CANCELED"/>
</xs:restriction> </xs:simpleType>
<xs:complexType name="Retest">
<xs:all>
<xs:element name="retestStatus" type="RetestStatus" minOccurs="0"/>
<xs:element name="retestedDate" type="xs:dateTime" minOccurs="0"/>
<xs:element name="retestedUser" type="User" minOccurs="0"/>
<!-- Status and reason only available is retestStatus is RETESTED -->
<xs:element name="findingStatus" type="xs:string" minOccurs="0"/>
<xs:element name="reason" type="xs:string" minOccurs="0"/>
</xs:all>
</xs:complexType>
<xs:complexType name="SSLData">
<xs:all>
<xs:element name="flags" type="xs:string" minOccurs="0" />
<xs:element name="protocol" type="xs:string" minOccurs="0" />
<xs:element name="virtualhost" type="xs:string" minOccurs="0" />
<xs:element name="ip" type="xs:string" minOccurs="0" />
<xs:element name="port" type="xs:string" minOccurs="0" />
<xs:element name="result" type="Cdata" minOccurs="0" />
<xs:element name="sslDataInfoList" type="SSLDataInfoList" minOccurs="0" />
</xs:all>
</xs:complexType>
<xs:complexType name="SSLDataInfoList">
<xs:all>
<xs:element name="count" type="xs:int" minOccurs="0"/>
<xs:element name="list" minOccurs="0" >
<xs:complexType>
<xs:sequence>
<xs:element name="SSLDataInfo" type="SSLDataInfo" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:all>
</xs:complexType>
<xs:complexType name="SSLDataInfo">
<xs:all>
<xs:element name="certificateFingerprint" type="xs:string" minOccurs="0" />
<xs:element name="sslDataCipherList" type="SSLDataCipherList" minOccurs="0" />
<xs:element name="sslDataKexList" type="SSLDataKexList" minOccurs="0" />
<xs:element name="sslDataPropList" type="SSLDataPropList" minOccurs="0" />
</xs:all>
</xs:complexType>
<xs:complexType name="SSLDataCipherList">
<xs:all>
<xs:element name="count" type="xs:int" minOccurs="0"/>
<xs:element name="list" minOccurs="0" > <xs:complexType> <xs:sequence>
<xs:element name="SSLDataCipher" type="SSLDataCipher" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:all>
</xs:complexType>
<xs:complexType name="SSLDataKexList">
<xs:all>
<xs:element name="count" type="xs:int" minOccurs="0"/>
<xs:element name="list" minOccurs="0" >
<xs:complexType>
<xs:sequence>
<xs:element name="SSLDataKex" type="SSLDataKex" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:all>
</xs:complexType>
<xs:complexType name="SSLDataPropList">
<xs:all>
<xs:element name="count" type="xs:int" minOccurs="0"/>
<xs:element name="list" minOccurs="0" >
<xs:complexType>
<xs:sequence>
<xs:element name="SSLDataProp" type="SSLDataProp" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:all>
</xs:complexType>
<xs:complexType name="SSLDataCipher">
<xs:all>
<xs:element name="protocol" type="xs:string" minOccurs="0" />
<xs:element name="name" type="xs:string" minOccurs="0" />
<xs:element name="keyExchange" type="xs:string" minOccurs="0" />
<xs:element name="auth" type="xs:string" minOccurs="0" />
<xs:element name="mac" type="xs:string" minOccurs="0" />
<xs:element name="encryption" type="xs:string" minOccurs="0" />
<xs:element name="grade" type="xs:string" minOccurs="0" />
</xs:all>
</xs:complexType>
<xs:complexType name="SSLDataKex">
<xs:all>
<xs:element name="protocol" type="xs:string" minOccurs="0" />
<xs:element name="kex" type="xs:string" minOccurs="0" />
<xs:element name="group" type="xs:string" minOccurs="0" />
<xs:element name="keysize" type="xs:string" minOccurs="0" />
<xs:element name="fwdsec" type="xs:string" minOccurs="0" />
<xs:element name="classical" type="xs:string" minOccurs="0" />
<xs:element name="quantum" type="xs:string" minOccurs="0" />
</xs:all>
</xs:complexType>
<xs:complexType name="SSLDataProp">
<xs:all>
<xs:element name="name" type="xs:string" minOccurs="0" />
<xs:element name="value" type="xs:string" minOccurs="0" />
<xs:element name="protocol" type="xs:string" minOccurs="0" />
</xs:all>
</xs:complexType>
</xs:schema>