The patches listed in the Patch Management patch catalog are the ones missing on your hosts which were detected using the Patch Management scan.
Patches tab lists two types of patches:
1) Qualys Patchable - Qualys Patchable are the patches that can be installed using Patch Management. Most of the patches listed on the Patches tab are Qualys Patchable.
2) AcquireFromVendor - We have certain patches which are listed under the Patches tab but cannot be installed using Patch Management. These patches are marked as "AcquireFromVendor" which means you need to manually download these patches from the vendor website and install them on the host. See Download Patches from a Vendor Site.
Patches which are not marked as "AcquireFromVendor" are defined as "Qualys Patchable" which mean they can be added to a patch job.
Default or custom assessment profile scans the assets for missing and installed patches at regular intervals. This information is then displayed in the patches tab in the form of missing or installed patches.
Note that patches are linked to QIDs using CVE IDs. The QID for a patch is not shown if the QID is not linked to a CVE ID. CVE ID is the common point of linking and required to link the patch with the QID.
Alternatively, you can go to the Assets tab to view missing and installed patches on particular assets.
Step by step search tutorial