Qualys Cloud Platform 10.27 (VM, PC) API Notification 2
Table of Contents
- What’s New?
- Manage Inactive Control Inclusion/Exclusion
- User Information Validation
- View Network Name in Host List Detection API
- Addition of EPSS as QDS Factor
- Manage Containerized Scanner Appliance
- API Changes Regarding Apache Cassandra Record
- View Policy ID in the Report
- All Qualys APIs Updated With Content Security Policy
Qualys Cloud Platform 10.27 (VM, PC), targeted for release in May 2024, includes updated APIs. The specific day will differ depending on the platform. See platform release dates on the Qualys Status page. This API notification provides an early preview of the coming API changes, allowing you to identify use cases that can leverage the updated APIs.
What’s New?
In this release, we have API changes that include options to exclude inactive controls from host compliance posture info and the addition of EPSS for vulnerability severity analysis. New APIs for managing Containerized Scanner Appliance operations and Apache Cassandra records are introduced, while Policy reports now include Policy ID. Additionally, Content Security Policy implementation enhances API security with restricted content origins.
Manage Inactive Control Inclusion/Exclusion
POST /pcrs/2.0/posture/postureInfo
With this API enhancement, you can now choose to exclude inactive controls (SDC, UDC) from the host compliance posture information in the API response. A new parameter, excludeInactiveControl, has been introduced to exclude inactive controls.
User Information Validation
POST /msp/user.php
DTD or XSD changes: No
With this release, we have implemented user information input validations when adding or editing users. The list of validations added is available in the detailed release notes.
View Network Name in Host List Detection API
GET, POST /api/2.0/fo/asset/host/vm/detection
DTD or XSD changes: Yes
With this release, we have added the Network Name field to the Host List Detection (HLD) API. The field displays the name of the network to which you are connected. The name is matched with the Network ID field and then displayed to the user.
Addition of EPSS as QDS Factor
GET /api/2.0/fo/asset/host/vm/detection
DTD or XSD changes: Yes
GET /api/2.0/fo/knowledge_base/qvs
With this release, EPSS (Exploit Prediction Scoring System) is added to the Host List Detection API and the KnowledgeBase (CVE-centric) API as a QDS factor. Prior to this, only the CVSS (Common Vulnerability Scoring System), RTI (Real Threat Indicators), and ECM (Exploit Code Maturity) QDS factors were used. Now, with the EPSS QDS factor, you can analyze the severity of a vulnerability and prioritize vulnerability remediation.
Manage Containerized Scanner Appliance
POST /api/2.0/fo/appliance/qcss/?action=create
POST /api/2.0/fo/appliance/qcss/?action=list
POST /api/2.0/fo/appliance/qcss/?action=update
POST /api/2.0/fo/appliance/qcss/?action=delete
With this release, we have introduced 4 new APIs in Qualys Containerized Scanner Appliance that enable you to perform create, list, update, and delete operations in Qualys Containerized Scanning Services (QCSS). These APIs (create, list, update, and delete) will be enabled only if you subscribe to them. This subscription can be acquired by connecting with the Qualys Support team.
API Changes Regarding Apache Cassandra Record
New Tag in List Authentication Records API
GET /api/2.0/fo/auth/
DTD or XSD changes: Yes
In this release, the Authentication Record List API has been updated. A new tag, <AUTH_CASSANDRA_IDS>, is introduced in the API response. It will display Apache Cassandra records if you have any in your account.
New API to Create/Update/Delete Apache Cassandra Records
POST /api/2.0/fo/auth/Cassandra
This new API will help you manage the Apache Cassandra Authentication Records, using the action parameter. Supported values are create, list, update, and delete.
View Policy ID in the Report
GET, POST /api/2.0/fo/report/?action=fetch
DTD or XSD changes: Yes
With this release, we have added the field Policy ID for the following report formats in Policy reports.
- Extensible Markup Language (XML)
- HTML pages
- Portable Document Format (PDF)
- Web Archive (MHT)
With this API, you can now view the policy ID for the selected policy.
All Qualys APIs Updated With Content Security Policy
With this enhancement, we have implemented Content Security Policy (CSP) to enhance API security. As a part of this enhancement, we have added the Content-Security-Policy HTTP response header with the value default-src 'self'. The CSP header defines a policy that restricts which origins or types of content can be executed or loaded, thereby reducing the risk of certain types of attacks like cross-site scripting (XSS) and data injection. Please note that all Qualys APIs, and all HTTP methods applicable to the respective APIs, are updated to support this policy. There are no DTD or XSD changes.
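A response-header check for the policy described above, as an added example that is not Qualys code: it parses a raw HTTP response head and reports whether an enforced Content-Security-Policy with default-src 'self' is present. The function names and the sample responses are constructed for illustration.

```python
# Added example: offline audit of captured response headers (sample data is constructed).

def parse_headers(raw):
    """Return [(lowercased-name, value)] from a raw HTTP response head."""
    headers = []
    for line in raw.strip().splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                                   # blank line ends the head
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers

def parse_policy(serialized):
    """Parse one serialized CSP into {directive: [source expressions]}."""
    policy = {}
    for token in serialized.split(";"):
        parts = token.split()
        if parts:
            # Within one policy the first occurrence of a directive wins.
            policy.setdefault(parts[0].lower(), [p.lower() for p in parts[1:]])
    return policy

def audit_csp(raw):
    """Classify a response: ok, mismatch, report-only, or missing."""
    headers = parse_headers(raw)
    enforced = [v for n, v in headers if n == "content-security-policy"]
    if not enforced:
        report_only = any(n == "content-security-policy-report-only" for n, _ in headers)
        return "report-only" if report_only else "missing"
    # Each header, and each comma-separated entry in a header, is a separate
    # policy; the client enforces all of them together.
    policies = [parse_policy(p) for v in enforced for p in v.split(",")]
    if any(p.get("default-src") == ["'self'"] for p in policies):
        return "ok"
    return "mismatch"

# Constructed sample responses (not captured from a Qualys platform).
SAMPLES = {
    "expected": "HTTP/1.1 200 OK\r\ncontent-security-policy: default-src 'self'\r\n\r\n<xml/>",
    "extra_origin": "HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src 'self' https://cdn.example\r\n\r\n",
    "dup_directive": "HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src *; default-src 'self'\r\n\r\n",
    "report_only": "HTTP/1.1 200 OK\r\nContent-Security-Policy-Report-Only: default-src 'self'\r\n\r\n",
    "no_header": "HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {audit_csp(raw)}")
```

A report-only header is classified separately because it is not enforced by the client, so it does not provide the restriction the notification describes.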
Please refer to the detailed release notes here: https://cdn2.qualys.com/docs/release-notes/qualys-cloud-platform-10.27-api-release-notes.pdf