Using the Report Creation API you can create the Scorecard Report. A Scorecard Report ranks the vulnerability of your web applications.
Permissions required - User must have WAS module enabled. User account must have these permissions: Access Permission “API Access” and “Create Report”.
These elements are optional and act as filters. When multiple elements are specified, parameters are combined using a logical AND. For details, refer to Reference: Report Creation.
Parameter | Mandatory/Optional | Data Type | Description |
---|---|---|---|
target.tags.included.option | Optional | keyword: ALL or ANY | Decides which web applications should be included in the scan. ALL: Only the web applications associated with all the specified tags are included in the scan. ANY: Only the web applications associated with any of the specified tags are included in the scan. |
target.tags.included.tagList.Tag.id | Optional | integer | The web applications associated with the tag (identified by the specified tag ID) are included in the scan. |
filters.searchlists | Optional | SearchList | Number of search lists to report on vulnerabilities in those lists. If no search lists are selected, the report will include all findings. |
filters.scanDate | Optional | DatetimeRange | Filter by scan date. |
filters.scanStatus | Optional | WasScanConsolidatedStatus | Filter by scan status. |
filters.scanAuthStatus | Optional | WasScanAuthStatus | Filter by authentication status of the scan. |
format | Optional | keyword | Report format, one of: WORD, HTML_ZIPPED, HTML_BASE64, PDF, PDF_ENCRYPTED, CSV, CSV_V2, XML, POWERPOINT |
display.contents | Optional | ScorecardReportContent | DESCRIPTION, SUMMARY, GRAPHS, RESULTS, INDIVIDUAL_RECORDS |
target.tags.excluded.option | Optional | keyword: ALL or ANY | Decides which web applications should be excluded from the scan. ALL: Only the web applications associated with all the specified tags are excluded from the scan. ANY: Only the web applications associated with any of the specified tags are excluded from the scan. |
target.tags.excluded.tagList.Tag.id | Optional | integer | The web applications associated with the tag (identified by the specified tag ID) are excluded from the scan. |
display.graphs | Optional | ScorecardReportGraph | The graphs to be included in |
display.groups | Optional | ScorecardReportGroup | The group category to be included in the report: |
display.options | Optional | boolean | Display Options used/not used by the scorecard report. |
Let us create a scorecard report in PDF format, selecting a single tag for the target.
API request
curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @- \
"<qualys_base_url>/qps/rest/3.0/create/was/report" < file.xml
Note: “file.xml” contains the request POST data.
Request POST data
<ServiceRequest>
<data>
<Report>
<name>
<![CDATA[with all parameters PDF with rawLevel false]]>
</name>
<description>
<![CDATA[A simple scorecard report]]>
</description>
<format>PDF</format>
<type>WAS_SCORECARD_REPORT</type>
<config>
<scorecardReport>
<target>
<tags>
<included>
<option>ALL</option>
<tagList>
<Tag>
<id>7821676</id>
</Tag>
</tagList>
</included>
</tags>
</target>
<display>
<contents>
<ScorecardReportContent>DESCRIPTION</ScorecardReportContent>
<ScorecardReportContent>SUMMARY</ScorecardReportContent>
<ScorecardReportContent>GRAPHS</ScorecardReportContent>
<ScorecardReportContent>RESULTS</ScorecardReportContent>
</contents>
<graphs>
<ScorecardReportGraph>VULNERABILITIES_BY_GROUP</ScorecardReportGraph>
<ScorecardReportGraph>VULNERABILITIES_BY_OWASP</ScorecardReportGraph>
<ScorecardReportGraph>VULNERABILITIES_BY_WASC</ScorecardReportGraph>
</graphs>
<groups>
<ScorecardReportGroup>GROUP</ScorecardReportGroup>
<ScorecardReportGroup>OWASP</ScorecardReportGroup>
<ScorecardReportGroup>WASC</ScorecardReportGroup>
</groups>
<options>
<rawLevels>false</rawLevels>
</options>
</display>
<filters>
<searchlists>
<SearchList>
<id>43147</id>
</SearchList>
<SearchList>
<id>43147</id>
</SearchList>
</searchlists>
<scanDate>
<startDate>2017-08-28</startDate>
<endDate>2017-10-28</endDate>
</scanDate>
<scanStatus>NO_HOST_ALIVE</scanStatus>
<scanAuthStatus>NONE</scanAuthStatus>
</filters>
</scorecardReport>
</config>
</Report>
</data>
</ServiceRequest>
XML response
<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="<qualys_base_url>/qps/xsd/3.0/was/report.xsd">
<responseCode>SUCCESS</responseCode>
<count>1</count>
<data>
<Report>
<id>4629</id>
</Report>
</data>
</ServiceResponse>
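The following Python is an added example, not Qualys code: it builds the scorecard request body shown above, checking the enumerated values against the parameter table before anything is sent, and reads the report ID out of the response. The function names and the host name in the sample response are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Allowed values copied from the parameter table on this page.
FORMATS = {"WORD", "HTML_ZIPPED", "HTML_BASE64", "PDF", "PDF_ENCRYPTED",
           "CSV", "CSV_V2", "XML", "POWERPOINT"}
CONTENTS = {"DESCRIPTION", "SUMMARY", "GRAPHS", "RESULTS", "INDIVIDUAL_RECORDS"}

# Constructed sample response; the schema URL host is a placeholder.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:noNamespaceSchemaLocation="https://qualys.example/qps/xsd/3.0/was/report.xsd">
<responseCode>SUCCESS</responseCode><count>1</count><data><Report><id>4629</id></Report></data>
</ServiceResponse>"""


def build_scorecard_request(name, description, fmt, tag_ids, option="ALL",
                            contents=("DESCRIPTION", "SUMMARY")):
    """Return the ServiceRequest XML for a WAS_SCORECARD_REPORT as a string."""
    if fmt not in FORMATS or option not in ("ALL", "ANY"):
        raise ValueError(f"unsupported format/option: {fmt}/{option}")
    if set(contents) - CONTENTS:
        raise ValueError(f"unknown contents: {sorted(set(contents) - CONTENTS)}")
    root = ET.Element("ServiceRequest")
    report = ET.SubElement(ET.SubElement(root, "data"), "Report")
    ET.SubElement(report, "name").text = name  # <, > and & are escaped on output
    ET.SubElement(report, "description").text = description
    ET.SubElement(report, "format").text = fmt
    ET.SubElement(report, "type").text = "WAS_SCORECARD_REPORT"
    card = ET.SubElement(ET.SubElement(report, "config"), "scorecardReport")
    tags = ET.SubElement(ET.SubElement(card, "target"), "tags")
    included = ET.SubElement(tags, "included")
    ET.SubElement(included, "option").text = option
    tag_list = ET.SubElement(included, "tagList")
    # int() rejects anything that is not an integer tag ID.
    for tag_id in tag_ids:
        ET.SubElement(ET.SubElement(tag_list, "Tag"), "id").text = str(int(tag_id))
    shown = ET.SubElement(ET.SubElement(card, "display"), "contents")
    for item in contents:
        ET.SubElement(shown, "ScorecardReportContent").text = item
    return ET.tostring(root, encoding="unicode")


def parse_report_id(response_xml):
    """Return the new report ID; raise if responseCode is not SUCCESS."""
    root = ET.fromstring(response_xml)
    code = root.findtext("responseCode")
    if code != "SUCCESS":
        raise RuntimeError(f"report creation failed: {code}")
    return int(root.findtext("data/Report/id"))
```

The string returned by `build_scorecard_request` can be written to `file.xml` and posted with the curl command above.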
Let’s generate a scorecard report in HTML format using a specific template (identified by its template ID).
API request
curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @- \
"<qualys_base_url>/qps/rest/3.0/create/was/report" < file.xml
Note: “file.xml” contains the request POST data.
Request POST data
<ServiceRequest>
<data>
<Report>
<name>
<![CDATA[with all parameters PDF with rawLevel false]]>
</name>
<description>
<![CDATA[A simple scorecard report]]>
</description>
<format>PDF</format>
<type>WAS_SCORECARD_REPORT</type>
<config>
<scorecardReport>
<target>
<tags>
<included>
<option>ALL</option>
<tagList>
<Tag>
<id>7821676</id>
</Tag>
</tagList>
</included>
</tags>
</target>
<display>
<contents>
<ScorecardReportContent>DESCRIPTION</ScorecardReportContent>
<ScorecardReportContent>SUMMARY</ScorecardReportContent>
<ScorecardReportContent>GRAPHS</ScorecardReportContent>
<ScorecardReportContent>RESULTS</ScorecardReportContent>
</contents>
<graphs>
<ScorecardReportGraph>VULNERABILITIES_BY_GROUP</ScorecardReportGraph>
<ScorecardReportGraph>VULNERABILITIES_BY_OWASP</ScorecardReportGraph>
<ScorecardReportGraph>VULNERABILITIES_BY_WASC</ScorecardReportGraph>
</graphs>
<groups>
<ScorecardReportGroup>GROUP</ScorecardReportGroup>
<ScorecardReportGroup>OWASP</ScorecardReportGroup>
<ScorecardReportGroup>WASC</ScorecardReportGroup>
</groups>
<options>
<rawLevels>false</rawLevels>
</options>
</display>
<filters>
<searchlists>
<SearchList>
<id>43147</id>
</SearchList>
<SearchList>
<id>43147</id>
</SearchList>
</searchlists>
<scanDate>
<startDate>2017-08-28</startDate>
<endDate>2017-10-28</endDate>
</scanDate>
<scanStatus>NO_HOST_ALIVE</scanStatus>
<scanAuthStatus>NONE</scanAuthStatus>
</filters>
</scorecardReport>
</config>
</Report>
</data>
</ServiceRequest>
XML response
<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="<qualys_base_url>/qps/xsd/3.0/was/report.xsd">
<responseCode>SUCCESS</responseCode>
<count>1</count>
<data>
<Report>
<id>973058</id>
</Report>
</data>
</ServiceResponse>
<platform API server>/qps/xsd/3.0/was/report.xsd