Enterprise TruRisk™ Platform Release 10.37.1 API
January 29, 2026
In the API Release Notes, <qualys_base_url> is used as a sample API request to represent the API server URL. To learn more about the API server URL for your environment, refer to the Know Your Qualys API Server URL section.
API versioning is supported across Qualys APIs. To learn more about versioning standards and deprecation timelines, refer to the Updates on API Versioning Standards & Deprecation Timelines blog.
Qualys Vulnerability Management (VM)
Import and Export Option Profile API: Improved Validation Error Response
| New or Updated API | Updated |
| API Endpoint |
/api/5.0/fo/subscription/option_profile/?action=import |
| EOS Timeline: July 2026 | |
| EOL Timeline: January 2027 | |
| API Endpoint (New Version) |
/api/6.0/fo/subscription/option_profile/?action=import /api/6.0/fo/subscription/option_profile/?action=export |
| Method | POST and GET |
| DTD or XSD changes | No |
With this release, version 6.0 of the Import and Export Option Profile APIs is introduced.
Previously, when an option profile import or export failed due to validation errors, the API returned error messages embedded as raw PHP array output, which resulted in poorly formatted and non–user–friendly XML responses.
With v6.0, validation errors are now returned as well-formed XML. Each validation error is displayed on a separate, numbered line, and includes the corresponding XML line number and schema validation message.
This improvement enhances readability and simplifies troubleshooting for API users.
- There are no changes to the request schema or existing error codes.
- Import and Export Option Profile APIs in earlier versions continue to function without change.
Sample - Import Option ProfileSample - Import Option Profile
API Request
curl --location --request POST '<qualys_base_url>/api/6.0/fo/subscription/option_profile/?action=import' \
--header 'Content-Type: application/xml' \
--header 'Accept: */*' \
--header 'x-requested-with: curl demo2' \
--header 'Authorization: Bearer <JWT Token \
--data '<?xml version="1.0" encoding="UTF-8" ?>
Request POST Data
<!DOCTYPE OPTION_PROFILES SYSTEM "<qualys_base_url>/api/6.0/fo/subscription/option_profile/option_profile_info.dtd">
<OPTION_PROFILES>
<OPTION_PROFILE>
<BASIC_INFO>
<ID>3494139</ID>
<GROUP_NAME>
<![CDATA[Import Option Profile 1]]>
</GROUP_NAME>
<GROUP_TYPE>user</GROUP_TYPE>
<USER_ID>
<![CDATA[Aditya Gangadharan (vmsp_ag1)]]>
</USER_ID>
<UNIT_ID>0</UNIT_ID>
<SUBSCRIPTION_ID>970969</SUBSCRIPTION_ID>
<IS_DEFAULT>0</IS_DEFAULT>
<IS_GLOBAL>1</IS_GLOBAL>
<IS_OFFLINE_SYNCABLE>1</IS_OFFLINE_SYNCABLE>
<UPDATE_DATE>2026-01-19T06:54:38Z</UPDATE_DATE>
</BASIC_INFO>
<SCAN>
<PORTS>
<TCP_PORTS>
<TCP_PORTS_TYPE>standard</TCP_PORTS_TYPE>
<THREE_WAY_HANDSHAKE>0</THREE_WAY_HANDSHAKE>
</TCP_PORTS>
<UDP_PORTS>
<UDP_PORTS_TYPE>standard</UDP_PORTS_TYPE>
<UDP_PORTS_ADDITIONAL>
<HAS_ADDITIONAL>1</HAS_ADDITIONAL>
<ADDITIONAL_PORTS>8080</ADDITIONAL_PORTS>
</UDP_PORTS_ADDITIONAL>
</UDP_PORTS>
<AUTHORITATIVE_OPTION>0</AUTHORITATIVE_OPTION>
</PORTS>
<SCAN_DEAD_HOSTS>1</SCAN_DEAD_HOSTS>
<CLOSE_VULNERABILITIES>
<HAS_CLOSE_VULNERABILITIES>1</HAS_CLOSE_VULNERABILITIES>
<HOST_NOT_FOUND_ALIVE>2</HOST_NOT_FOUND_ALIVE>
</CLOSE_VULNERABILITIES>
<PURGE_OLD_HOST_OS_CHANGED>0</PURGE_OLD_HOST_OS_CHANGED>
<PERFORMANCE>
<PARALLEL_SCALING>1</PARALLEL_SCALING>
<OVERALL_PERFORMANCE>High</OVERALL_PERFORMANCE>
<HOSTS_TO_SCAN>
<EXTERNAL_SCANNERS>20</EXTERNAL_SCANNERS>
<SCANNER_APPLIANCES>50</SCANNER_APPLIANCES>
</HOSTS_TO_SCAN>
<PROCESSES_TO_RUN>
<TOTAL_PROCESSES>20</TOTAL_PROCESSES>
<HTTP_PROCESSES>20</HTTP_PROCESSES>
</PROCESSES_TO_RUN>
<PACKET_DELAY>Short</PACKET_DELAY>
<PORT_SCANNING_AND_HOST_DISCOVERY>Normal</PORT_SCANNING_AND_HOST_DISCOVERY>
</PERFORMANCE>
<LOAD_BALANCER_DETECTION>1</LOAD_BALANCER_DETECTION>
<PASSWORD_BRUTE_FORCING>
<SYSTEM>
<HAS_SYSTEM>1</HAS_SYSTEM>
<SYSTEM_LEVEL>Standard</SYSTEM_LEVEL>
</SYSTEM>
</PASSWORD_BRUTE_FORCING>
<VULNERABILITY_DETECTION>
<COMPLETE>
<![CDATA[complete]]>
</COMPLETE>
<DETECTION_INCLUDE>
<BASIC_HOST_INFO_CHECKS>0</BASIC_HOST_INFO_CHECKS>
<OVAL_CHECKS>0</OVAL_CHECKS>
<QRDI_CHECKS>1</QRDI_CHECKS>
</DETECTION_INCLUDE>
</VULNERABILITY_DETECTION>
<AUTHENTICATION>
<![CDATA[Windows,Unix,Oracle,Oracle Listener,SNMP,VMware,DB2,HTTP,MySQL,MongoDB,Tomcat Server,Oracle Weblogic Server,Palo Alto Networks Firewall,Jboss Server,Sybase,Nutanix,NSX]]>
</AUTHENTICATION>
<AUTHENTICATION_LEAST_PRIVILEGE>
<![CDATA[Unix]]>
</AUTHENTICATION_LEAST_PRIVILEGE>
<ADDL_CERT_DETECTION>1</ADDL_CERT_DETECTION>
<SYSTEM_AUTH_RECORD>
<INCLUDE_SYSTEM_AUTH>
<ON_DUPLICATE_USE_USER_AUTH>1</ON_DUPLICATE_USE_USER_AUTH>
</INCLUDE_SYSTEM_AUTH>
</SYSTEM_AUTH_RECORD>
<LITE_OS_SCAN>1</LITE_OS_SCAN>
<HOST_ALIVE_TESTING>1</HOST_ALIVE_TESTING>
<MAX_SCAN_DURATION_PER_ASSET>2500</MAX_SCAN_DURATION_PER_ASSET>
</SCAN>
<MAP>
<BASIC_INFO_GATHERING_ON>all</BASIC_INFO_GATHERING_ON>
<TCP_PORTS>
<TCP_PORTS_STANDARD_SCAN>1</TCP_PORTS_STANDARD_SCAN>
</TCP_PORTS>
<UDP_PORTS>
<UDP_PORTS_STANDARD_SCAN>1</UDP_PORTS_STANDARD_SCAN>
</UDP_PORTS>
<MAP_OPTIONS>
<PERFORM_LIVE_HOST_SWEEP>1</PERFORM_LIVE_HOST_SWEEP>
<DISABLE_DNS_TRAFFIC>1</DISABLE_DNS_TRAFFIC>
</MAP_OPTIONS>
<MAP_PERFORMANCE>
<OVERALL_PERFORMANCE>High</OVERALL_PERFORMANCE>
<MAP_PARALLEL>
<EXTERNAL_SCANNERS>8</EXTERNAL_SCANNERS>
<SCANNER_APPLIANCES>10</SCANNER_APPLIANCES>
<NETBLOCK_SIZE>4096 IPs</NETBLOCK_SIZE>
</MAP_PARALLEL>
<PACKET_DELAY>Minimum</PACKET_DELAY>
</MAP_PERFORMANCE>
<MAP_AUTHENTICATION>none</MAP_AUTHENTICATION>
</MAP>
<ADDITIONAL>
<HOST_DISCOVERY>
<TCP_PORTS>
<STANDARD_SCAN>1</STANDARD_SCAN>
</TCP_PORTS>
<UDP_PORTS>
<STANDARD_SCAN>1</STANDARD_SCAN>
</UDP_PORTS>
<ICMP>1</ICMP>
</HOST_DISCOVERY>
<PACKET_OPTIONS>
<IGNORE_FIREWALL_GENERATED_TCP_RST>1</IGNORE_FIREWALL_GENERATED_TCP_RST>
<IGNORE_ALL_TCP_RST>1</IGNORE_ALL_TCP_RST>
<IGNORE_FIREWALL_GENERATED_TCP_SYN_ACK>1</IGNORE_FIREWALL_GENERATED_TCP_SYN_ACK>
<NOT_SEND_TCP_ACK_OR_SYN_ACK_DURING_HOST_DISCOVERY>1</NOT_SEND_TCP_ACK_OR_SYN_ACK_DURING_HOST_DISCOVERY>
</PACKET_OPTIONS>
</ADDITIONAL>
</OPTION_PROFILE>
</OPTION_PROFILES>
XML Output
?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE SIMPLE_RETURN SYSTEM "<qualys_base_url>/api/6.0/simple_return.dtd">
<SIMPLE_RETURN>
<RESPONSE>
<DATETIME>2026-01-19T09:48:09Z</DATETIME>
<TEXT>Successfully imported Option profile for the subscription Id 970969</TEXT>
<ITEM_LIST>
<ITEM>
<KEY>3494173</KEY>
<VALUE>
Import Option Profile 1
</VALUE>
</ITEM>
</ITEM_LIST>
</RESPONSE>
</SIMPLE_RETURN>
Sample - Export Option ProfileSample - Export Option Profile
API Request
curl --location '<qualys_base_url>/api/6.0/fo/subscription/option_profile/?action=export&option_profile_id=3494139' \ --header 'Content-Type: application/xml' \ --header 'Accept: */*' \ --header 'x-requested-with: curl demo2' \ --header 'Authorization: Bearer <JWT Token>
XML Output
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE OPTION_PROFILES SYSTEM "<qualys_base_url>/api/6.0/fo/subscription/option_profile/option_profile_info.dtd">
<OPTION_PROFILES>
<OPTION_PROFILE>
<BASIC_INFO>
<ID>3494139</ID>
<GROUP_NAME>
<![CDATA[Abhishek OP Full Enabled Do not use]]>
</GROUP_NAME>
<GROUP_TYPE>user</GROUP_TYPE>
<USER_ID>
<![CDATA[Aditya Gangadharan (vmsp_ag1)]]>
</USER_ID>
<UNIT_ID>0</UNIT_ID>
<SUBSCRIPTION_ID>970969</SUBSCRIPTION_ID>
<IS_DEFAULT>0</IS_DEFAULT>
<IS_GLOBAL>1</IS_GLOBAL>
<IS_OFFLINE_SYNCABLE>1</IS_OFFLINE_SYNCABLE>
<UPDATE_DATE>2026-01-19T06:54:38Z</UPDATE_DATE>
</BASIC_INFO>
<SCAN>
<PORTS>
<TCP_PORTS>
<TCP_PORTS_TYPE>standard</TCP_PORTS_TYPE>
<THREE_WAY_HANDSHAKE>0</THREE_WAY_HANDSHAKE>
</TCP_PORTS>
<UDP_PORTS>
<UDP_PORTS_TYPE>standard</UDP_PORTS_TYPE>
<UDP_PORTS_ADDITIONAL>
<HAS_ADDITIONAL>1</HAS_ADDITIONAL>
<ADDITIONAL_PORTS>8080</ADDITIONAL_PORTS>
</UDP_PORTS_ADDITIONAL>
</UDP_PORTS>
<AUTHORITATIVE_OPTION>0</AUTHORITATIVE_OPTION>
</PORTS>
<SCAN_DEAD_HOSTS>1</SCAN_DEAD_HOSTS>
<CLOSE_VULNERABILITIES>
<HAS_CLOSE_VULNERABILITIES>1</HAS_CLOSE_VULNERABILITIES>
<HOST_NOT_FOUND_ALIVE>2</HOST_NOT_FOUND_ALIVE>
</CLOSE_VULNERABILITIES>
<PURGE_OLD_HOST_OS_CHANGED>0</PURGE_OLD_HOST_OS_CHANGED>
<PERFORMANCE>
<PARALLEL_SCALING>1</PARALLEL_SCALING>
<OVERALL_PERFORMANCE>High</OVERALL_PERFORMANCE>
<HOSTS_TO_SCAN>
<EXTERNAL_SCANNERS>20</EXTERNAL_SCANNERS>
<SCANNER_APPLIANCES>50</SCANNER_APPLIANCES>
</HOSTS_TO_SCAN>
<PROCESSES_TO_RUN>
<TOTAL_PROCESSES>20</TOTAL_PROCESSES>
<HTTP_PROCESSES>20</HTTP_PROCESSES>
</PROCESSES_TO_RUN>
<PACKET_DELAY>Short</PACKET_DELAY>
<PORT_SCANNING_AND_HOST_DISCOVERY>Normal</PORT_SCANNING_AND_HOST_DISCOVERY>
</PERFORMANCE>
<LOAD_BALANCER_DETECTION>1</LOAD_BALANCER_DETECTION>
<PASSWORD_BRUTE_FORCING>
<SYSTEM>
<HAS_SYSTEM>1</HAS_SYSTEM>
<SYSTEM_LEVEL>Standard</SYSTEM_LEVEL>
</SYSTEM>
</PASSWORD_BRUTE_FORCING>
<VULNERABILITY_DETECTION>
<COMPLETE>
<![CDATA[complete]]>
</COMPLETE>
<DETECTION_INCLUDE>
<BASIC_HOST_INFO_CHECKS>0</BASIC_HOST_INFO_CHECKS>
<OVAL_CHECKS>0</OVAL_CHECKS>
<QRDI_CHECKS>1</QRDI_CHECKS>
</DETECTION_INCLUDE>
</VULNERABILITY_DETECTION>
<AUTHENTICATION>
<![CDATA[Windows,Unix,Oracle,Oracle Listener,SNMP,VMware,DB2,HTTP,MySQL,MongoDB,Tomcat Server,Oracle Weblogic Server,Palo Alto Networks Firewall,Jboss Server,Sybase,Nutanix,NSX]]>
</AUTHENTICATION>
<AUTHENTICATION_LEAST_PRIVILEGE>
<![CDATA[Unix]]>
</AUTHENTICATION_LEAST_PRIVILEGE>
<ADDL_CERT_DETECTION>1</ADDL_CERT_DETECTION>
<SYSTEM_AUTH_RECORD>
<INCLUDE_SYSTEM_AUTH>
<ON_DUPLICATE_USE_USER_AUTH>1</ON_DUPLICATE_USE_USER_AUTH>
</INCLUDE_SYSTEM_AUTH>
</SYSTEM_AUTH_RECORD>
<LITE_OS_SCAN>1</LITE_OS_SCAN>
<HOST_ALIVE_TESTING>1</HOST_ALIVE_TESTING>
<MAX_SCAN_DURATION_PER_ASSET>2500</MAX_SCAN_DURATION_PER_ASSET>
<DO_NOT_OVERWRITE_OS>1</DO_NOT_OVERWRITE_OS>
<TEST_AUTHENTICATION>1</TEST_AUTHENTICATION>
<PERFORM_PARTIAL_SSL_TLS_AUDITING>1</PERFORM_PARTIAL_SSL_TLS_AUDITING>
</SCAN>
<MAP>
<BASIC_INFO_GATHERING_ON>all</BASIC_INFO_GATHERING_ON>
<TCP_PORTS>
<TCP_PORTS_STANDARD_SCAN>1</TCP_PORTS_STANDARD_SCAN>
</TCP_PORTS>
<UDP_PORTS>
<UDP_PORTS_STANDARD_SCAN>1</UDP_PORTS_STANDARD_SCAN>
</UDP_PORTS>
<MAP_OPTIONS>
<PERFORM_LIVE_HOST_SWEEP>1</PERFORM_LIVE_HOST_SWEEP>
<DISABLE_DNS_TRAFFIC>1</DISABLE_DNS_TRAFFIC>
</MAP_OPTIONS>
<MAP_PERFORMANCE>
<OVERALL_PERFORMANCE>High</OVERALL_PERFORMANCE>
<MAP_PARALLEL>
<EXTERNAL_SCANNERS>8</EXTERNAL_SCANNERS>
<SCANNER_APPLIANCES>10</SCANNER_APPLIANCES>
<NETBLOCK_SIZE>4096 IPs</NETBLOCK_SIZE>
</MAP_PARALLEL>
<PACKET_DELAY>Minimum</PACKET_DELAY>
</MAP_PERFORMANCE>
<MAP_AUTHENTICATION>none</MAP_AUTHENTICATION>
</MAP>
<ADDITIONAL>
<HOST_DISCOVERY>
<TCP_PORTS>
<STANDARD_SCAN>1</STANDARD_SCAN>
</TCP_PORTS>
<UDP_PORTS>
<STANDARD_SCAN>1</STANDARD_SCAN>
</UDP_PORTS>
<ICMP>1</ICMP>
</HOST_DISCOVERY>
<PACKET_OPTIONS>
<IGNORE_FIREWALL_GENERATED_TCP_RST>1</IGNORE_FIREWALL_GENERATED_TCP_RST>
<IGNORE_ALL_TCP_RST>1</IGNORE_ALL_TCP_RST>
<IGNORE_FIREWALL_GENERATED_TCP_SYN_ACK>1</IGNORE_FIREWALL_GENERATED_TCP_SYN_ACK>
<NOT_SEND_TCP_ACK_OR_SYN_ACK_DURING_HOST_DISCOVERY>1</NOT_SEND_TCP_ACK_OR_SYN_ACK_DURING_HOST_DISCOVERY>
</PACKET_OPTIONS>
</ADDITIONAL>
</OPTION_PROFILE>
</OPTION_PROFILES>
Issues Addressed
The following reported and notable customer issues are fixed in this release:
| Component/Category | Application |
Description |
| VM - Asset Groups | Vulnerability Management | When users performed Edit Asset Group API operations to add or remove scanner appliances in AGMS enabled accounts, the default scanner was unexpectedly changed, even though no default scanner was specified in the request. Additionally, the Activity Log displayed an incorrect No Changes Done message for asset groups that were successfully updated through the API. This issue has been fixed, and the default scanner is now updated only when explicitly specified. Scanner-related changes made through the API are also correctly recorded in the Activity Log. |
| VM - Host List Detection API | Vulnerability Management | When users queried the VMDR Host Detection API in EASM‑enabled subscriptions, External Attack Surface Management (EASM) hosts were included in the response, even though those hosts were not returned by the Host List API. This resulted in detection data being returned for hosts that were not part of the standard VMDR asset inventory. This issue has been fixed, and EASM hosts are now excluded from the VMDR Host Detection API output, ensuring consistent behavior across VMDR asset and detection APIs. |
| VM - QID Service | Vulnerability Management | When users tried to download the QVS scores for all CVE IDs using the API endpoint /api/3.0/fo/knowledge_base/qvs/, it was observed that CVE-2023-50495 was not displayed in the output. As per the design, when only the details parameter is passed in the request, the API returns data for all CVEs whose published or last-modified date falls within the last 15 days. This behaviour is now documented in the API User Guide. |