AnsweredAssumed Answered

Automatic Data, Remediation Tickets and Fixed Vulnerabilities

Question asked by Abner Almeida on Jun 12, 2017

Hello, guys


I'm currently working in a project to integrate a system I've developed with Qualys with the API 2.0.

While I was running some tests with the Host Detection API I got stuck in this situation:

I ran a script which called the API, downloaded ALL DATA from hosts and its detections and stored them in my database. Then I noticed that there were no "Fixed" vulnerabilities in my results. I checked the API's documentation and found out that in order to get Fixed Vulnerabilities information I must provide the parameter "status=Fixed" in the url. OK then, I called the API twice again, one time with "status=Fixed" and one time with "status=Active,New,Re-Opened,Fixed".

Guess what: None of them returned any fixed vulnerabilities.


So I went to the web UI and check if everything was okay. By going to Assets > Host Assets and clicking on the "Info" button for a few hosts I was able to see their lists of vulnerabilities and remediation tickets and this is what I found in ALL HOSTS:


All of them show 0 Vulnerabilities fixed. ALL HOSTS IN THE SUBSCRIPTION (which are 1500+).


And each host has plenty of remediation tickets with the status of Closed/Fixed (and I'm 100% sure that there were no authentication failures or any problem that could prevent the scanner from detecting a vulnerability as Fixed).

At this moment, I have 170000+ Remediation Tickets with the status of "Closed/Fixed".


So, the question is: Why do all hosts show no vulnerabilities marked as Fixed though I have so many remediation tickets closed/fixed? Is there any feature I must enable? Is this a bug of Qualys? Should I open a case for this?