Enterprise TruRisk™ Platform Release 3.23 API
December 15, 2025
Before understanding the API release highlights, learn more about the API server URL to be used in your API requests by referring to the Know Your Qualys API Server URL section. For this API Release Notes, <qualys_base_url> is mentioned in the sample API requests.
 |
Cloud Agent |
Updated API: SBOM Report Download API
| New or Updated | Updated |
| API Endpoint | /qps/rest/1.0/download/ca/downloadcdxsbom/ |
| Method | POST |
| DTD or XSD Changes | NA |
We have updated the response for the SBOM Report Download API to clearly display the asset details for convenient asset identification. The following table highlights the new details added in the API response for different Cloud providers.
| Cloud Provider | New Response Field | Description |
|---|---|---|
| Alibaba | CloudProviderType | This field displays the Cloud Provider Name. For example, Alibaba. |
| InstanceId | Displays a unique identifier assigned to each Elastic Compute Service (ECS) instance in Alibaba Cloud. | |
| AccountId | Displays a unique numeric identifier assigned to your Alibaba Cloud account. | |
| OCI | CloudProviderType | This field displays the Cloud Provider Name. For example, OCI. |
| OciId | Displays a unique identifier assigned to every resource in OCI. | |
| CompartmentId | Displays a unique ID assigned to the Compartment in Oracle Cloud Infrastructure. | |
| Azure | CloudProviderType | This field displays the Cloud Provider Name. For example, Azure. |
| VmId | Displays a unique identifier assigned to a Virtual Machine resource within your Azure subscription. | |
| subscriptionId | Displays a globally unique identifier (GUID) assigned to your Azure subscription. | |
| GCP | CloudProviderType | This field displays the Cloud Provider Name. For example, GCP. |
| InstanceId | Displays a unique numeric identifier assigned to each Compute Engine VM instance. | |
| ProjectNumber | Displays a unique numeric identifier assigned to your project by Google. | |
| AWS EC2 | CloudProviderType | This field displays the Cloud Provider Name. For example, AWS. |
| InstanceId | Displays a unique identifier assigned to each Amazon Elastic Compute Cloud (EC2) instance. | |
| AccountId | Displays a unique AWS account identifier. | |
| Arn | Displays the Amazon Resource Name (ARN). | |
| IBM | CloudProviderType | This field displays the Cloud Provider Name. For example, IBM. |
| VirtualServerId | Displays a unique identifier assigned to a Virtual Server Instance (VSI). |
Also, we have updated the Service Provider and Timestamp fileds in the API response as per the CycloneDx 1.6 Standard. The following table shows the updated Service Provider and Timestamp format.
| Field Name | Updated Field Value Format | Old Field Value Format |
|---|---|---|
| Service Provider | "services": [ { "provider": { "bom-ref": "provider-d0ec648b-7cc0-47da-995d-bd0ab96209fc", "name": "Qualys" }, "name": "QAgent" } ] |
{"provider": "Qualys","name": "QAgent"} |
| Timestamp | "2025-12-15T04:19:14Z" | "2025-12-15T04:19:14.716396469" |
Sample: Download the SBOM ReportSample: Download the SBOM Report
The following API Sample illustrates downloading SBOM report for an IBM Asset.
API Request
curl --location '
<qualys_base_url>/qps/rest/1.0/download/ca/downloadcdxsbom/' \
--header 'Content-Type: application/xml' \
--header 'Authorization: <authentication_token>' \
--header 'Cookie: JSESSIONID=EACF8DCFC60B2028B6F5F19D01AE2D9E' \
--data '
API Request Body
<ServiceRequest>
<data>
<DownloadCDXSbom>
<cdxschemaversion>CYCLONE_DX_1_4</cdxschemaversion>
</DownloadCDXSbom>
</data>
<filters>
<Criteria field="tagName" operator="EQUALS">Cloud Agent</Criteria>
</filters>
</ServiceRequest>
API Response
{
"bomFormat": "CycloneDX",
"specVersion": "1.6",
"serialNumber": "urn:uuid:73371505-447d-4b74-b27b-8f45581ca01b",
"version": 1,
"metadata": {
"timestamp": "2025-12-15T11:45:42Z",
"tools": {
"services": [
{
"provider": {
"bom-ref": "provider-d0ec648b-7cc0-47da-995d-bd0ab96209fc",
"name": "Qualys"
},
"name": "QAgent"
}
]
},
"component": {
"bom-ref": "device-143d3ef6-79db-4b36-9f5b-88beb6c7b8e0",
"type": "device",
"name": "rhel.ibmcloud.private",
"properties": [
{
"name": "Qualys:qagent:Version",
"value": "7.1.0.33"
},
{
"name": "Qualys:qagent:AssetId",
"value": "51742752"
},
{
"name": "Qualys:qagent:HostId",
"value": "6597200"
},
{
"name": "Qualys:qagent:CloudProviderType",
"value": "IBM"
},
{
"name": "Qualys:qagent:VirtualServerId",
"value": "148211116"
}
]
}
},
"dependencies": [
{
"ref": "device-143d3ef6-79db-4b36-9f5b-88beb6c7b8e0",
"dependsOn": []
}
]
}
Issues Addressed
The following important and notable issue(s) are fixed in this release.
| Category/Component | Application | Description |
|---|---|---|
| Search Activation Key API | Cloud Agent API | We fixed an issue where the Search Activation Key API was generating a Network Error response due to higher processing time for API requests. Impacted API: /qps/rest/1.0/search/ca/agentactkey |
| Update Tag API | Asset Management API | We fixed an issue where the Update Tag API was creating duplicate tags by implementing the Code changes to ensure unique tag names. Impacted API: /qps/rest/2.0/update/am/tag/ |
| Schedule WAS Scan API | WAS API | We fixed an issue where the Create WAS Scan Schedule API could not be executed in the production environment due to changes in the Qualys scheduling service. Impacted API: /qps/rest/3.0/create/was/wasscanschedule |