I'm currently working in a project to integrate a system I've developed with Qualys with the API 2.0.
While I was running some tests with the Host Detection API I got stuck in this situation:
I ran a script which called the API, downloaded ALL DATA from hosts and its detections and stored them in my database. Then I noticed that there were no "Fixed" vulnerabilities in my results. I checked the API's documentation and found out that in order to get Fixed Vulnerabilities information I must provide the parameter "status=Fixed" in the url. OK then, I called the API twice again, one time with "status=Fixed" and one time with "status=Active,New,Re-Opened,Fixed".
Guess what: None of them returned any fixed vulnerabilities.
So I went to the web UI and check if everything was okay. By going to Assets > Host Assets and clicking on the "Info" button for a few hosts I was able to see their lists of vulnerabilities and remediation tickets and this is what I found in ALL HOSTS:
All of them show 0 Vulnerabilities fixed. ALL HOSTS IN THE SUBSCRIPTION (which are 1500+).
And each host has plenty of remediation tickets with the status of Closed/Fixed (and I'm 100% sure that there were no authentication failures or any problem that could prevent the scanner from detecting a vulnerability as Fixed).
At this moment, I have 170000+ Remediation Tickets with the status of "Closed/Fixed".
So, the question is: Why do all hosts show no vulnerabilities marked as Fixed though I have so many remediation tickets closed/fixed? Is there any feature I must enable? Is this a bug of Qualys? Should I open a case for this?