Release 10.32.2 API

February 11, 2025 (Updated on March 03, 2025)

Before reviewing the API release highlights, refer to the Know Your Qualys API Server URL section to find the API server URL to use in your API requests. In these API Release Notes, the sample API requests use <qualys_base_url> for the server URL.

We have implemented versioning for APIs. For more information on API versioning, refer to the Introducing API Versioning: A Strategic Upgrade for Enhanced Stability and Control for API Integrations blog.

What's New?

Qualys Policy Compliance (PC)

Get Posture Info API: Enhancement to Provide Control Description

New or Updated API: Updated
API Endpoint: /pcrs/3.0/posture/postureInfo
Method: POST
DTD or XSD changes: No

With this release, we have introduced a new description section within the evidence section to display the control description in the JSON response. When you execute this API, you can now view the control description for a particular host posture, which helps you take the proper remediation actions.

Sample - Get Control description under Evidence section

API Request

curl -X POST "https://<qualys_base_url>/pcrs/3.0/posture/postureInfo?evidenceRequired=1&compressionRequired=0" \
  -H "accept: */*" \
  -H "Authorization: Bearer token" \
  -H "Content-Type: application/json" \
  -d "[{\"policyId\":\"POLICY ID\",\"subscriptionId\":\"SUBSCRIPTION ID\",\"hostIds\":[\"HOST ID1\",\"HOST ID2\"]}]"

JSON Response

{
        "id": 20245394,
        "instance": "os",
        "policyId": 1455112,
        "policyTitle": "Linux_IP_TRACKED_IPV4_POLICY_AG",
        "netBios": null,
        "controlId": 1071,
        "controlStatement": "Status of the 'Minimum Password Length' setting",
        "rationale": "Among the several characteristics that make 'user identification' via password a secure and workable solution is setting a 'minimum password length' requirement.  Each character that is added to the password length squares the difficulty of breaking the password via 'brute force,' which attempts using every combination possible within the password symbol set-space, in order to discover a user's password.  While no 'minimum length' can be guaranteed secure, eight (8) is commonly considered to be the minimum for most application access, along with requiring other password security factors, such as increasing the size of the symbol set-space by requiring mixed-cases, along with other forms of password variability creation, increases the difficulty of breaking any password by brute-force attack.",
        "remediation": "To specify password length requirements for new accounts, edit the file \"/etc/login.defs\" and add or correct the following lines: \n\nPASS_MIN_LEN <required value>\n\nexample:\n\nPASS_MIN_LEN 14\n\n\nNote:\nThe DoD requirement is \"14\". If a program consults \"/etc/login.defs\" and also another PAM module (such as \"pam_cracklib\") during a password change operation, then the most restrictive must be satisfied.",
        "category": "Access Control Requirements",
        "subCategory": "Authentication/Passwords",
        "controlReference": null,
        "technologyId": 43,
        "status": "Passed",
        "previousStatus": "Passed",
        "firstFailDate": "",
        "lastFailDate": "",
        "firstPassDate": "2024-11-06T10:40:30Z",
        "lastPassDate": "2024-11-15T01:22:58Z",
        "postureModifiedDate": "2024-11-06T10:40:30Z",
        "lastEvaluatedDate": "2024-11-15T01:22:58Z",
        "created": "2025-02-05T06:01:09Z",
        "hostId": 6396397,
        "ip": "10.11.70.111",
        "trackingMethod": "IP",
        "os": null,
        "osCpe": "cpe:/o:centos:centos:6.6:::",
        "domainName": null,
        "dns": null,
        "qgHostid": null,
        "networkId": 0,
        "networkName": "Global Default Network",
        "complianceLastScanDate": "2024-11-06T10:42:29Z",
        "customerUuid": "e57ba830-15e4-714c-8243-6d1740d3577e",
        "customerId": "2309240",
        "assetId": 50568616,
        "technology": {
            "id": 43,
            "name": "CentOS 6.x"
        },
        "criticality": {
            "label": "urg_updated",
            "value": 5
        },
        "evidence": {
            "expectedValues": "\nSetting not found\n------------ OR ------------\nFile not found\n------------ OR ------------\ngreater than or equal to\n0",
            "currentValues": [
                "5"
            ],
            "actualValues": null,
            "directoryFimUdc": null,
            "lastUpdated": "2024-11-06T10:42:29Z",
            "extendedEvidence": "Row 1:File name,Setting,Value\nRow 2:/etc/login.defs,PASS_MIN_LEN,5\n",
            "description": "The following Integer value X indicates the current value of the PASS_MIN_LEN setting as defined within the /etc/login.defs file."
        },
        "causeOfFailure": null,
        "userDefinedAttributesList": null,
        "currentDataSizeKB": "2.88",
        "totalDataSizeKB": "2.88",
        "currentBatch": 1,
        "totalBatches": 1,
        "CLOUD_RESOURCE_ID": null
    }
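
The following added example, which is not part of the Qualys documentation, parses a postureInfo response and pairs the new evidence description with the rows carried in extendedEvidence. The function names, the assumption that the response is a JSON array, and the second sample record are constructed for illustration.

```python
import json

# Constructed sample, trimmed to the fields used here; the first record copies
# values from the sample response on this page. Assumption: the API returns a
# JSON array of posture records.
SAMPLE = json.dumps([
    {"controlId": 1071, "status": "Passed", "hostId": 6396397,
     "evidence": {
         "currentValues": ["5"],
         "extendedEvidence": "Row 1:File name,Setting,Value\n"
                             "Row 2:/etc/login.defs,PASS_MIN_LEN,5\n",
         "description": "The following Integer value X indicates the current "
                        "value of the PASS_MIN_LEN setting as defined within "
                        "the /etc/login.defs file."}},
    # Constructed record with no evidence object, to exercise the null path.
    {"controlId": 9999, "status": "Failed", "hostId": 1, "evidence": None},
])

def parse_extended_evidence(text):
    """Turn 'Row 1:<headers>' / 'Row N:<values>' lines into dicts keyed by header."""
    rows = []
    for line in (text or "").splitlines():
        prefix, sep, body = line.partition(":")
        if sep and prefix.startswith("Row "):
            # Assumption: cells are comma-separated and contain no commas.
            rows.append(body.split(","))
    if len(rows) < 2:
        return []
    return [dict(zip(rows[0], values)) for values in rows[1:]]

def summarize(raw):
    """Return one review record per posture entry, tolerating missing fields."""
    data = json.loads(raw)
    records = data if isinstance(data, list) else [data]
    out = []
    for rec in records:
        ev = rec.get("evidence") or {}
        out.append({
            "hostId": rec.get("hostId"),
            "controlId": rec.get("controlId"),
            "status": rec.get("status"),
            "description": ev.get("description") or "(no description returned)",
            "currentValues": ev.get("currentValues") or [],
            "rows": parse_extended_evidence(ev.get("extendedEvidence")),
        })
    return out

if __name__ == "__main__":
    for item in summarize(SAMPLE):
        print(json.dumps(item, indent=2))
```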

Issues Addressed

The following reported and notable customer API issue has been fixed in this release:

Component/Category: VM - Scan API
Application: Vulnerability Management
Description: When users executed the list scan schedules API /api/3.0/fo/schedule/scan/, the fqdn parameter did not work, and they faced issues. Relevant changes were made to fix the issue. The fqdn parameter now supports only create and update schedule scans. This is documented in the Qualys API (VM/PC): PDF and HTML.

Component/Category: PC - API
Application: Policy Compliance
Description: When subusers launched a policy report based on host ID and instance string with OS, using the API /api/2.0/fo/report/, they received the output "parameter instance_string has invalid value: os" for an AGMS account. Relevant code changes have been made to fix the issue.