/api/2.0/fo/ignore_vuln/index.php
The ignore_vuln/index.php function is used to ignore or restore (un-ignore) vulnerabilities on certain hosts. The ignore status applies to a vulnerability/host pair. Vulnerabilities can be set to ignore on hosts so that they do not appear in automatic scan reports, host information reports, asset search reports as well as other views in the Qualys user interface.
Both Vulnerabilities and Potential Vulnerabilities may be set to the ignore status on hosts in the user’s account. Information Gathered issues cannot be set to the ignore status. Note that the following QIDs cannot be set to ignore: 38175 (Unauthorized Service Detected), 82043 (Unauthorized Open Port Detected), 38228 (Required Service Not Detected) and 82051 (Required Port Not Detected).
When making an ignore_vuln/index.php request, you must specify QIDs (up to 10) and target hosts. Host selection parameters allow you to specify hosts by IP address, asset group, asset tag, DNS host name or NetBIOS host name.
Target Hosts
A vulnerability can be set to ignore/restore only on hosts with scan results. If a host was previously scanned and then purged, the scan results are removed and no longer available. In this case an ignore vulnerability request will have no effect until a re-scan populates the host with fresh scan results.
The ignore/restore request applies to the target hosts at the time of the request. For example, if you specify an ignore action on asset groups, the request applies to the IP addresses in the asset groups at the time of the request. Subsequently, if an asset group is updated with new IP addresses, the new IPs are not set to the ignore status.
Ignored Status and Tickets
The ignore/restore actions have an effect on remediation tickets in the user account. When you set the ignore status for vulnerabilities on hosts, the service closes associated remediation tickets with the ticket state/status of Closed/Ignored. If no ticket exists, a new one will be created and closed automatically for tracking purposes as Closed/Ignored. When you restore vulnerabilities on hosts, the service automatically reopens the associated tickets and sets them to Open/Reopened.
The ticket_list.php function allows you to list tickets in the user account and this information could be useful for taking actions using ignore_vuln/index.php. For example, you could use ticket_list.php to find tickets on certain QIDs in the Closed/Ignored state and then use the information returned to make ignore_vuln/index.php requests to restore vulnerabilities on certain hosts.
User permissions for the ignore_vuln/index.php function are described below:
| User Role | Permissions |
|---|---|
| Manager | Ignore/Restore vulnerabilities and potential vulnerabilities on all hosts in subscription. |
| Unit Manager | Ignore/Restore vulnerabilities and potential vulnerabilities on hosts in user’s business unit. |
| Scanner | Ignore/Restore vulnerabilities and potential vulnerabilities on hosts in user’s account, when a certain remediation policy option is enabled. * |
| Reader | Ignore/Restore vulnerabilities and potential vulnerabilities on hosts in user’s account, when a certain remediation policy option is enabled. * |
* Scanners and Readers have permission to ignore/restore vulnerabilities when the option “Allow Scanners and Readers to mark tickets as Closed/Ignored” is enabled in the QualysGuard user interface. A Manager can edit this setting for the subscription. See the QualysGuard online help for information.
The following table shows the input parameters for ignoring/restoring vulnerabilities:
| Parameter | Required/Optional | Data Type | Description |
|---|---|---|---|
| action={ignore\|restore} | Required | Boolean | A flag indicating an ignore or restore request. When unspecified, the action is set to “ignore”. Specify “restore” to restore (un-ignore) vulnerabilities. |
| qids={qid,qid,...} | Required | Integer | Specifies the QIDs (Qualys IDs) to ignore/restore. A maximum of 10 QIDs may be specified. Multiple QIDs are comma separated. |
| comments={value} | Required | String | Specify comments for the action. The comments may include a maximum of 255 characters. Comments are stored with ignored vulnerabilities, and are visible to users in the Qualys user interface. |
| reopen_ignored_days={value} | Optional | Integer | Set to reopen ignored vulnerabilities that are detected after a number of days (1-730). If the ignored vulnerability is reopened by the service, the corresponding ticket’s state/status is changed from Closed/Ignored to Open/Reopened. |
| reopen_ignored_date={date} | Optional | Integer | Set to reopen ignored vulnerabilities that are detected after a specified date. If the ignored vulnerability is reopened by the service, the corresponding ticket’s state/status is changed from Closed/Ignored to Open/Reopened. |
| asset_groups={ag1,ag2,...} | Optional | Integer | Selects hosts by asset group. The hosts included in the one or more asset groups provided are selected. A maximum of 5 asset group titles may be specified. The asset group title “All” as defined in the Qualys user interface may be specified. Multiple asset groups are comma separated. This parameter or another host selection parameter is required. |
| ips={nnn, nnn-nnn,...} | Optional | Integer | Selects hosts by IP address. Enter one or more IP addresses and/or ranges. Multiple entries are comma separated. The parameter value may include a maximum of 512 characters (ascii). This parameter or another host selection parameter is required. |
| network_id={value} | Optional | Integer | Only valid when the networks feature is enabled. The network ID for the record. This parameter or another host selection parameter is required. |
| tag_set_include={value} | Optional | Integer | Specify a tag set to include. Hosts that match these tags will be included. You identify the tag set by providing tag name or IDs. Multiple entries are comma separated. |
| tag_set_exclude={value} | Optional | Integer | Specify a tag set to exclude. Hosts that match these tags will be excluded. You identify the tag set by providing tag name or IDs. Multiple entries are comma separated. |
| tag_set_by={id\|name} | Optional | Integer | Specify “id” (the default) to select a tag set by providing tag IDs. Specify “name” to select a tag set by providing tag names. |
| tag_include_selector={all\|any} | Optional | Boolean | Select “any” (the default) to include hosts that match at least one of the selected tags. Select “all” to include hosts that match all of the selected tags. |
| tag_exclude_selector={all\|any} | Optional | Boolean | Select “any” (the default) to exclude hosts that match at least one of the selected tags. Select “all” to exclude hosts that match all of the selected tags. |
| use_ip_nt_range_tags_include={0\|1} | Optional | Integer | Specify “0” (the default) to select from all tags (tags with any tag rule). Specify “1” to scan all IP addresses defined in tag selection. When this is specified, only tags with the dynamic IP address rule called “IP address in Network Range(s)” can be selected. |
| use_ip_nt_range_tags_exclude={0\|1} | Optional | Integer | Specify “0” (the default) to select from all tags (tags with any tag rule). Specify “1” to exclude all IP addresses defined in tag selection. When this is specified, only tags with the dynamic IP address rule called “IP address in Network Range(s)” can be selected. |
| dns_contains={value} | Optional | String | Selects hosts by DNS host name. Specify a text string contained in one or more DNS host names. The text string may include a maximum of 100 characters (ascii). This parameter or another host selection parameter is required. |
| netbios_contains={value} | Optional | String | Selects hosts by NetBIOS host name. Specify a text string contained in one or more NetBIOS host names. The text string may include a maximum of 100 characters (ascii). This parameter or another host selection parameter is required. |
API Request
curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" -X "POST" -d "action=ignore&qids=38304&comments=ignore vuln on tags&tag_set_include=ignore_vuln_tags&tag_set_exclude=ignore_vuln_tags&tag_set_by=name&tag_include_selector=any&tag_exclude_selector=any&use_ip_nt_range_tags_include=0&use_ip_nt_range_tags_exclude=0" "https://<qualys_base_url>/api/2.0/fo/ignore_vuln/index.php"
API Request
curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" -X "POST" -d "action=restore&qids=38304&comments=ignore vuln on tags&tag_set_include=ignore_vuln_tags&tag_set_exclude=ignore_vuln_tags&tag_set_by=name&tag_include_selector=any&tag_exclude_selector=any&use_ip_nt_range_tags_include=0&use_ip_nt_range_tags_exclude=0" "https://<qualys_base_url>/api/2.0/fo/ignore_vuln/index.php"
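The limits from the parameter table, checked client-side before a request like the ones above is sent. This is an added example, not Qualys code: `build_ignore_vuln_body` and its constants are hypothetical names, and counting `tag_set_include` as a host selection parameter is an assumption based on the sample requests, which select hosts by tag only.

```python
from urllib.parse import urlencode

# QIDs the page lists as not ignorable.
NON_IGNORABLE_QIDS = {38175, 82043, 38228, 82051}
# Host selection parameters (tag_set_include is an assumption, see lead-in).
HOST_SELECTORS = ("asset_groups", "ips", "network_id", "tag_set_include",
                  "dns_contains", "netbios_contains")
# Documented maximum lengths, in characters.
MAX_LEN = {"comments": 255, "ips": 512, "dns_contains": 100, "netbios_contains": 100}


def build_ignore_vuln_body(action, qids, comments, **params):
    """Validate against the documented limits; return the URL-encoded POST body."""
    errors = []
    if action not in ("ignore", "restore"):
        errors.append("action must be 'ignore' or 'restore'")
    qids = [int(q) for q in qids]
    if not 1 <= len(qids) <= 10:
        errors.append("specify between 1 and 10 QIDs")
    blocked = sorted(NON_IGNORABLE_QIDS.intersection(qids)) if action == "ignore" else []
    if blocked:
        errors.append(f"QIDs cannot be set to ignore: {blocked}")
    if not comments:
        errors.append("comments is required")
    fields = {"action": action, "qids": ",".join(map(str, qids)),
              "comments": comments, **params}
    for name, limit in MAX_LEN.items():
        if len(str(fields.get(name, ""))) > limit:
            errors.append(f"{name} exceeds {limit} characters")
    days = params.get("reopen_ignored_days")
    if days is not None and not 1 <= int(days) <= 730:
        errors.append("reopen_ignored_days must be 1-730")
    groups = params.get("asset_groups")
    if groups and len(str(groups).split(",")) > 5:
        errors.append("at most 5 asset groups may be specified")
    if not any(params.get(p) not in (None, "") for p in HOST_SELECTORS):
        errors.append("a host selection parameter is required")
    if errors:
        raise ValueError("; ".join(errors))
    return urlencode(fields)  # spaces and commas are percent/plus-encoded


if __name__ == "__main__":
    # Constructed input mirroring the sample ignore request on this page.
    print(build_ignore_vuln_body("ignore", [38304], "ignore vuln on tags",
                                 tag_set_include="ignore_vuln_tags",
                                 tag_set_by="name", reopen_ignored_days=90))
```

The returned string can be passed to curl's `-d` option in place of the hand-written body.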
<platform API server>/api/2.0/dtd/fo/ignore_vuln_output.dtd