Qualys Enterprise TruRisk™ Platform (VM Release 10.39) API Notification
A new release of Qualys Enterprise TruRisk™ Platform (VM Release 10.39), which is released in June 2026, includes updates to an existing API. This API notification highlights recently released changes, enabling you to identify use cases that can benefit from the updated APIs.
What’s New?
Support for CVSSv4.0 Base Score in KnowledgeBase and Report Template
- GET, POST – /api/4.0/fo/knowledge_base/vuln/, DTD or XSD changes: Yes
- GET, POST – /api/3.0/fo/qid/search_list/dynamic/, DTD or XSD changes: Yes
- POST – /api/7.0/fo/report/template/scan/, DTD or XSD changes: No
With this feature, we have provided support to CVSS4.0 in the above APIs, which provide enhanced vulnerability scoring with greater precision and contextual relevance. This helps to deliver accurate and standardized vulnerability insights by providing CVSSv4.0 in the KnowledgeBase and enabling dynamic search operations, improving risk prioritization and automation efficiency. Enhances reporting flexibility and integration through API-driven report templates, reducing manual effort and enabling consistent, scalable security reporting for host and scan-based findings.
You can view the list of CVSS4.0 details in the response for a single QID in KnowledgeBase API.
You can perform the following actions:
- Create, update, and list using the Dynamic Search list API
- Create, update, and export the report template with both host-based and scan-based findings.
Note: Scan report templates now support enhanced capabilities across versions:
- Kernel Live Patch (v5):Provides the ability to exclude Linux kernel CVEs that are already fixed by live patches, reducing false positives and improving visibility into truly actionable vulnerabilities.
- Deep Scan (v6): Discovers vulnerable software and binaries in non-standard locations that traditional scans may miss. This API allows Deep Scan findings to be included in scan report templates.
- CVSS v4.0 Support (v7): Uses enhanced vulnerability scoring for greater precision and context‑aware reporting in API‑driven workflows.
To enable features from earlier versions (v5 and v6) and the current version (v7), if CVSS v4 is not visible in your environment, contact your Technical Account Manager (TAM) or Qualys Support.
Use Asset Tags and Tag Rules Across All Authentication Record APIs
POST – /api/3.0/fo/auth; api/4.0/fo/auth,
DTD or XSD changes: Yes
You can now use asset tags and tag based rules across all authentication record APIs, enabling consistent scoping of authentication records beyond Unix and Windows authentication types.
Previously, tag based scoping was limited to operating system authentication records. You had to manage other authentication types using manually defined IP ranges, making it difficult to scale authentication coverage.
This enhancement is implemented across multiple API versions. This update introduces tag driven scoping across a broader set of authentication technologies. You can now use tag based scoping for authentication records across multiple technologies, including:
API 3.0 for the following:
- Operating System
Unix - Network and security
Cisco
Network SSH
Palo Alto Networks Firewall
SNMP - Applications
- HTTP
JBoss Server
Oracle WebLogic Server
TomcatServer - Databases
IBM DB2
MongoDB
Oracle
Oracle Listener
SAP HANA - VMware
NSX
Vcenter
VMware ESXi
API 4.0 for the following:
- Databases
MySQL
Sybase
This enables you to define authentication scope based on your asset tagging strategy instead of relying on static IP ranges.
Use BeyondTrust Vault with Network SSH Authentication APIs
POST – /api/2.0/fo/auth/network_ssh; /api/3.0/fo/auth/network_ssh
DTD or XSD changes: No
You can now use the BeyondTrust PBPS Digital Vault with Network SSH authentication APIs, enabling you to securely retrieve credentials instead of entering them manually.
Previously, BeyondTrust vault support was not available for Network SSH authentication records (for example, Cisco devices). This required you to manually enter and update passwords, which could lead to authentication failures when credentials were rotated in the vault.
Support for One Identity Safeguard Vault
Vaults API: Manage One Identity Safeguard Vault
GET and POST – /api/3.0/fo/vault/
DTD or XSD changes: No
With this update, you can create, update, delete, and list One Identity Safeguard vaults.
Scan Authentication APIs: Add One Identity Safeguard Vault to Authentication Records
GET and POST – /api/3.0/fo/auth/
DTD or XSD changes: No
With this update, you can create, update, delete, and list authentication technologies with One Identity Safeguard vault. The support for the One Identity Safeguard vault is provided for the following list of authentication technologies:
- Unix
- Windows
- Cisco
- Network SSH
- VMware ESXi
- vCenter
- PaloAlto
- MongoDB
- MySQL
- Oracle
- Sybase
For the MySQL and Sybase authentication technologies, the API version is incremented to V4.0. The API endpoint details and changes for the technology remain the same as given for all the other technologies. The following are the API endpoint details:
GET and POST – /api/4.0/fo/auth/mysql/; /api/4.0/fo/auth/sybase/
DTD or XSD changes: No
With support for One Identity Safeguard Vault, you can now create, update, delete, and view authentication records associated with vault-based credentials.
For more details, please refer to the release notes here: https://docs.qualys.com/en/vm/release-notes/qweb/release_10_39_api.htm