The patch list under Patch Management patch catalog are the ones missing on the host which were detected using the Patch Management scan. On the Patches tab, we list two types of patches 1) Qualys Patchable and 2) AcquireFromVendor.
Qualys Patchable are the patches that can be installed using Patch Management. Most of the patches listed on the Patches tab are Qualys Patchable.
We have certain patches which are listed under Patches tab but cannot be installed using Patch Management. These patch are marked as "AcquireFromVendor" which means you need to manually download the patch from vendor website and install them on the host. See Download Patches from a Vendor Site.
Patches which are not marked as "AcquireFromVendor" are defined as "Qualys Patchable" which mean they can be added to a patch job.
Default or custom assessment profile scans the assets for missing and installed patches at regular intervals. This information is then displayed in the patches tab in the form of missing or installed patches.
Note that patches are linked to QIDs using CVE IDs. The QID for a patch is not shown if the QID is not linked to a CVE ID. CVE ID is the common point of linking and required to link the patch with the QID.
Alternatively, you can go to the Assets tab to view missing and installed patches on particular assets.
Step by step search tutorial