Is there a way to know if Qualys matches the CVEs to superseded/non-superseded patches?
The patch report template can be imported to your account directly from Qualys. Hopefully you can see how to do this but you can import the Template from Qualys directly then modify.
I believe there is an outstanding FR on this. Have you run a patch report to see?
Is there any specific template to run for finding this out?
Here's the thing and you all need to be aware, patch supercedence works best for Microsoft OS Patches.
If you start adding filters to a report with Exclude Superceded Patches enabled, you will break the supercedence chain on the backend and the results will not be reliable.
As a security professional, I believe in transparency so my recommendation and personal preference is to NOT exclude NRKs, superceded patches, etc...from executive reporting. But that's me - my argument is whether or not there's a superceded patch, it is still a missing patch, and the vulnerability is still exploitable...
Retrieving data ...