Launch Scan (Multiple)

[POST] /qps/rest/3.0/launch/was/wasscan

We've enhanced support for large web application scanning programs by adding the ability to scan any number of web applications as a Multi-Scan through the API. This feature enables you to scan hundreds or even thousands of web applications in your organization, with granular insight into which scans are running and which are complete.

Permissions required - User must have WAS module enabled. The user account must have these permissions: Access Permission "API Access" and "Launch WAS Scan". The output includes scan targets in the user's scope.

Input Parameters

These elements are optional and act as filters. When multiple elements are specified, parameters are combined using a logical AND.

The special field=attributes attribute for the Criteria element is used to search custom attributes (see sample below).


Parameter

Mandatory/Optional

Data Type

Description

id

Optional

text

The scan name.

name

Optional

integer

The ID of the web application being scanned.

target.webApp.id1

Optional

keyword

Decides which web applications should be excluded from the scan.

ALL : Only the web applications associated with all the specified tags are excluded from the scan.

ANY : Only the web applications associated with any of the specified tags are excluded from the scan.

target.tags.excluded.option

Optional

integer

The web applications associated with the tag (identified by the specified tag ID) are excluded from the scan.

target.tags.excluded.tagList.Tag.id

Optional

keyword: ALL or ANY

Decides which web applications should be included in the scan.

ALL : Only the web applications associated with all the specified tags are included in the scan.

ANY : Only the web applications associated with any of the specified tags are included in the scan.

target.tags.included.option

Optional

integer

The web applications associated with the tag (identified by the specified tag ID) are included in the scan.

target.tags.included.tagList.Tag.id

Optional

keyword: ANY, ALL

Decides which web applications should be included or excluded from the scan.

ALL : Only the web applications associated with all the specified tags are excluded from the scan.

ANY : Only the web applications associated with any of the specified tags are excluded from the scan.

options

Optional

keyword: ANY, ALL

Type of the scanner appliance to be used for the scan.

type

Optional

integer

The name of the option profile that includes scan settings. The service provides the profile “Initial WAS Options” and we recommend this to get started.

Example:

<profile>

    <name>Initial WAS Options</name>

</profile>

profile.id2

Optional

integer

Defines the authentication record to be used during the scan.

Set to SPECIFIC - Always use the authRecord passed while launching the scan.

Set to DEFAULT - Forces the use of the authRecord, if set, else fall back to the one passed in to the API while launching the scan.

target.authRecordOption

Optional

keyword: ALL or ANY

Defines the option profile to be used during the scan.

Set to SPECIFIC - Always use the optionProfile passed while launching the scan.

Set to DEFAULT - Forces the use of the optionProfile if set, else fall back to the one passed in to the API while launching the scan.

target.profileOption

Optional integer

Defines the scanner appliance to be used during the scan.

Set to SPECIFIC - Always use the scanner passed while launching the scan

Set to DEFAULT - Forces the use of the scanner if set, else fall back to the one passed in to the API while launching the scan.

target.scannerOption

Optional integer -

Defines the scanner appliance to be used during the scan.

Set to SPECIFIC - Always use the scanner passed while launching the scan

Set to DEFAULT - Forces the use of the scanner if set, else fall back to the one passed in to the API while launching the scan.

<cancelOption>

Optional Set to DEFAULT

Forces the use of the target web application's cancelScans option if set, else fall back to the one passed in to the API while launching the scan.

Set to SPECIFIC - Always use the cancel scan option passed while launching the scan.

sendMail

Optional boolean

Set to false to disable scan complete email notifications.

Example: <sendMail>false</sendMail>

sendOneMail

Optional boolean

Set to true to send one email upon multi-scan completion. Set to false to send one email upon completion of each individual scan.

Example: <sendOneMail>true</sendOneMail>

Note: sendOneMail is valid only when sendMail = true for a multi-scan (multiple web applications being scanned). If sendMail is set to false, sendOneMail will be ignored.

1 The element target must have at least tags or web applications specified

2 The element profile (Text) is required unless the target has a default option profile.

Sample - Launch a new scan - basic elements

Launch a new discovery scan on web application IDs 4330527 and 4330538 using option profile ID 1070535.

API request

curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @- "<qualys_base_url>/qps/rest/3.0/launch/was/wasscan" < file.xml
Note: “file.xml” contains the request POST data.          
    

Request POST data

<ServiceRequest>
    <data>
        <WasScan>
            <name>1497343127459_Scan7</name>
            <type>DISCOVERY</type>
            <target>
                <scannerAppliance>
                    <type>EXTERNAL</type>
                </scannerAppliance>
                <webApps>
                    <set>
                        <WebApp>
                            <id>4330527</id>
                        </WebApp>
                        <WebApp>
                            <id>4330338</id>
                        </WebApp>
                    </set>
                </webApps>
                <profileOption>DEFAULT</profileOption>
            </target>
            <profile>
                <id>1070535</id>
            </profile>
        </WasScan>
    </data>
</ServiceRequest>      
    

XML response

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="<qualys_base_url>/qps/xsd/3.0/was/wasscan.xsd">
    <responseCode>SUCCESS</responseCode>
    <count>1</count>
    <data>
        <WasScan>
            <id>2281862</id>
        </WasScan>
    </data>
</ServiceResponse>      
    

Sample - Launch a multi-scan using tags

Let's launch a multi-scan for all the web applications associated with the tags specified in the request filter.

API request

curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @- "<qualys_base_url>/qps/rest/3.0/launch/was/wasscan" < file.xml
Note: “file.xml” contains the request POST data.   

Request POST data

<?xml version="1.0" encoding="UTF-8"?>
<ServiceRequest>
    <data>
        <WasScan>
            <name>1497343127649_Scan9</name>
            <type>DISCOVERY</type>
            <target>
                <scannerAppliance>
                    <type>EXTERNAL</type>
                </scannerAppliance>
                <tags>
                    <included>
                        <option>ALL</option>
                        <tagList>
                            <set>
                                <Tag>
                                    <id>12017424</id>
                                </Tag>
                                <Tag>
                                    <id>12017228</id>
                                </Tag>
                            </set>
                        </tagList>
                    </included>
                    <excluded>
                        <option>ANY</option>
                        <tagList>
                            <set>
                                <Tag>
                                    <id>12017228</id>
                                </Tag>
                            </set>
                        </tagList>
                    </excluded>
                </tags>
                <scannerOption>DEFAULT</scannerOption>
            </target>
            <profile>
                <id>1070535</id>
            </profile>
        </WasScan>
    </data>
</ServiceRequest>          
    

XML response

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="<qualys_base_url>/qps/xsd/3.0/was/wasscan.xsd">
    <responseCode>SUCCESS</responseCode>
    <count>1</count>
    <data>
        <WasScan>
            <id>2281863</id>
        </WasScan>
    </data>
</ServiceResponse>          
    

Sample - Launch a new scan with a cancel option to DEFAULT

Launch a new vulnerability scan on web app IDs 2376280 and 4114251 and set the cancel scan option to DEFAULT. This forces the use of the target web app's cancelScans option if set.

API request

curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @- "<qualys_base_url>/qps/rest/3.0/launch/was/wasscan" < file.xml
Note: “file.xml” contains the request POST data.       
    

Request POST data

<ServiceRequest>
    <data>
        <WasScan>
            <name>
                <![CDATA[sample Scan]]>
            </name>
            <type>VULNERABILITY</type>
            <target>
                <webApps>
                    <set>
                        <WebApp>
                            <id>2376280</id>
                        </WebApp>
                        <WebApp>
                            <id>4114251</id>
                        </WebApp>
                    </set>
                </webApps>
                <scannerAppliance>
                    <type>EXTERNAL</type>
                </scannerAppliance>
                <cancelOption>DEFAULT</cancelOption>
            </target>
            <profile>
                <id>2231014</id>
            </profile>
        </WasScan>
    </data>
</ServiceRequest>
    

XML response

<?xml version="1.0" encoding="UTF-8"?> 
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="<qualys_base_url>/qps/xsd/3.0/was/wasscan.xsd">
    <responseCode>SUCCESS</responseCode>
    <count>1</count>
    <data>
        <WasScan>
            <id>1275177</id>
        </WasScan>
    </data>
</ServiceResponse>        
    

Sample - Launch a new multi-scan

Let us launch a multi-scan that sends one email on completion of the multi-scan (not one for each individual scan in the group).

API request

curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @- "<qualys_base_url>/qps/rest/3.0/launch/was/wasscan" < file.xml
Note: “file.xml” contains the request POST data.      
    

Request POST data

<ServiceRequest>
    <data>
        <WasScan>
            <name>
                <![CDATA[New Scan]]>
            </name>
            <type>VULNERABILITY</type>
            <target>
                <webApps>
                    <set>
                        <WebApp>
                            <id>8389207</id>
                        </WebApp>
                        <WebApp>
                            <id>8389244</id>
                        </WebApp>
                    </set>
                </webApps>
                <scannerAppliance>
                    <type>EXTERNAL</type>
                </scannerAppliance>
            </target>
            <profile>
                <id>2337683</id>
            </profile>
            <sendOneMail>true</sendOneMail>
        </WasScan>
    </data>
</ServiceRequest>
    

XML response

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="<qualys_base_url>/qps/xsd/3.0/was/wasscan.xsd">
    <responseCode>SUCCESS</responseCode>
    <count>1</count>
    <data>
        <WasScan>
            <id>3456140</id>
        </WasScan>
    </data>
</ServiceResponse>      
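For programs with many web applications, the request bodies shown in the samples can be generated and the responses checked in code rather than edited by hand. The following is an added example, not Qualys code: the function names build_launch_request and parse_launch_response are hypothetical, the element names are taken from the samples on this page, and no network call is made.

```python
import xml.etree.ElementTree as ET

# Constructed sample, shaped like the XML responses on this page.
SAMPLE_RESPONSE = (b"<ServiceResponse><responseCode>SUCCESS</responseCode><count>1</count>"
                   b"<data><WasScan><id>3456140</id></WasScan></data></ServiceResponse>")

def _id_set(parent, wrapper, item, ids):
    """Append <wrapper><set><item><id>N</id></item>...</set></wrapper>."""
    set_el = ET.SubElement(ET.SubElement(parent, wrapper), "set")
    for value in ids:  # int() rejects anything that is not a numeric ID
        ET.SubElement(ET.SubElement(set_el, item), "id").text = str(int(value))

def build_launch_request(name, scan_type, profile_id, webapp_ids=(),
                         included_tags=(), included_option="ANY",
                         excluded_tags=(), excluded_option="ANY",
                         scanner_type="EXTERNAL", send_one_mail=None):
    """Return ServiceRequest XML (bytes) for POST /qps/rest/3.0/launch/was/wasscan."""
    # Footnote 1: the target must have tags or web applications specified.
    if not (webapp_ids or included_tags or excluded_tags):
        raise ValueError("target needs web application IDs or tags")
    for opt in (included_option, excluded_option):
        if opt not in ("ALL", "ANY"):
            raise ValueError("tag option must be ALL or ANY")
    root = ET.Element("ServiceRequest")
    scan = ET.SubElement(ET.SubElement(root, "data"), "WasScan")
    ET.SubElement(scan, "name").text = name  # ElementTree escapes <, > and &
    ET.SubElement(scan, "type").text = scan_type
    target = ET.SubElement(scan, "target")
    ET.SubElement(ET.SubElement(target, "scannerAppliance"), "type").text = scanner_type
    if webapp_ids:
        _id_set(target, "webApps", "WebApp", webapp_ids)
    if included_tags or excluded_tags:
        tags = ET.SubElement(target, "tags")
        for label, option, ids in (("included", included_option, included_tags),
                                   ("excluded", excluded_option, excluded_tags)):
            if ids:
                group = ET.SubElement(tags, label)
                ET.SubElement(group, "option").text = option
                _id_set(group, "tagList", "Tag", ids)
    ET.SubElement(ET.SubElement(scan, "profile"), "id").text = str(int(profile_id))
    if send_one_mail is not None:
        ET.SubElement(scan, "sendOneMail").text = "true" if send_one_mail else "false"
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)

def parse_launch_response(xml_bytes):
    """Return the launched scan IDs; raise if responseCode is not SUCCESS."""
    root = ET.fromstring(xml_bytes)
    code = root.findtext("responseCode")
    if code != "SUCCESS":
        raise RuntimeError(f"launch failed: responseCode={code}")
    return [int(e.text) for e in root.findall("./data/WasScan/id")]
```

The bytes returned by build_launch_request can be written to file.xml and posted with the curl command shown in the samples.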
    

XSD

<platform API server>/qps/xsd/3.0/was/wasscan.xsd