Qualys Cloud Platform 3.7 (WAS/AM/CA) API notification 1

Jeff Leggett

A new release of Qualys Cloud Platform 3.7 (WAS/AM/CA)) includes an updated API which is targeted for release in July 2021. The specific day will differ depending on the platform. See platform release dates on the Qualys Status page. This API notification provides an early preview into the coming API, allowing you to identify use cases that can leverage this updated API.

What’s New
WAS API: Added Support for Scanning Swagger/OpenAPI file

/qps/rest/3.0/get/was/webapp/
/qps/rest/3.0/create/was/webapp
/qps/rest/3.0/update/was/webapp/

With this release, you can now scan Swagger-based REST APIs for vulnerabilities. To scan the API, you need to specify the content of the Swagger/OpenAPI file in YAML or JSON format in the new parameter “swaggerFile” when creating or updating a web application. Note that we support scanning single API at a time

WAS API: Added Support for Scanning Postman Collection files
/qps/rest/3.0/get/was/webapp/
/qps/rest/3.0/create/was/webapp
/qps/rest/3.0/update/was/webapp/

With this release, we now support scanning Postman Collection file from API. We have added new parameters to specify 1) Postman Collection File, 2) Postman Environment Variables File, and 3) Postman Global variables File when creating or updating a web application. While creating the web application, the Postman Collection File is a mandatory parameter whereas specifying the Postman Environmental Variables and Postman Global Variables files is optional.

WAS API: Added Support for Parameters in Selenium Script for Authentication
/qps/rest/3.0/get/was/webappauthrecord/
/qps/rest/3.0/create/was/webappauthrecord
/qps/rest/3.0/update/was/webappauthrecord/

With this release, you can now specify username and password in the authentication record for Selenium authentication type and then use them in the Selenium script. You can use these 2 placeholders: @@authusername@@ and @@authpassword@@ inside the selenium script. The names of the placeholders are case insensitive.

AM API: Change of Behavior for Deleting Assets
/qps/rest/2.0/delete/am/hostasset/
/qps/rest/2.0/delete/am/asset/
/qps/rest/2.0/delete/am/hostasset/
/qps/rest/2.0/delete/am/asset/

Earlier, the delete asset request did not sync into the Vulnerability Management, Policy Compliance, and Security Configuration Assessment modules. Now, the delete request will delete VM-enabled assets in an asynchronous way and hence it will take some time to delete assets across all modules. It will also take time for the changes to reflect in the API response and on the UI. This change is to ensure a consistent asset count between all modules. After this change, by default, there will be a daily purge limit of deleting 50000 assets per day. However, the daily purge limit is configurable at the platform level and might change in future.

AM API: Added Support for Calculating Asset Criticality
/qps/rest/2.0/create/am/tag
/qps/rest/2.0/search/am/tag
/qps/rest/2.0/update/am/tag/qps/rest/2.0/update/am/tag/
/qps/rest/2.0/search/am/hostasset
/qps/rest/2.0/get/am/hostasset

With this release, you can now assign criticality to asset tags which is then assigned to assets. We have added a new parameter, Criticality Score that allows you add a criticality to asset tags. Asset Criticality score is calculated on the basis of attached tags. If multiple tags are attached to an asset, then the highest criticality value from assigned tags is considered as criticality score for an asset.

CA API: Ability to Download Installer Binaries
/qps/rest/1.0/download/ca/downloadbinary/
With this release, you can download installer binaries using API. You must provide platform and architecture parameters in the request body of the REST API request.

The release notes are here: https://www.qualys.com/docs/release-notes/qualys-cloud-platform-3.7-api-release-notes.pdf
(NOTE: We have made a small change to how we attach release notes going forward. Previously we attached the PDF of release notes to these notifications directly, but going forward we will reference the link. The pre-release release notes and the post-release release notes will all be on this same link, depending on the time you look at it, so even if you reference the RN’s days or weeks later, you will always be referencing the latest version.)

Share your Comments

Comments

Your email address will not be published. Required fields are marked *