Launch scorecard report

action=launch

(Required)

echo_request={0|1}

(Optional) Specify 1 to view (echo) input parameters in the XML output. By default these are not included.

name={value}

(Required) Specifies the scorecard name for the vulnerability scorecard report that you want to launch with Report Share. This name corresponds to a service-provided scorecard or a user-created scorecard. For a service-provided scorecard, specify one of these names:

Asset Group Vulnerability Report

Ignored Vulnerabilities Report

Most Prevalent Vulnerabilities Report

Most Vulnerable Hosts Report

Patch Report

report_title={value}

(Optional) Specifies a user-defined report title. The title may have a maximum of 128 characters. When unspecified, the report title will be the scorecard name.

output_format={value}

(Required)  Specifies the output format of the report. One output format may be specified. A valid value is: pdf, html (a zip file), mht, xml, or csv.

hide_header={0|1}

(Optional and valid for CSV format only). Specify hide_header=1 to omit the header information from the report. By default this information is included.

pdf_password={value}

(Conditional for Manager or Unit Manager; not valid for other users)

Used for secure PDF report distribution when this feature is enabled in the user's account (under Reports > Setup > Report Share). The password to be used for encryption. The password may have a maximum of 32 characters (ascii). The password cannot match the password for the user’s Qualys login account. The password must follow the password security guidelines defined for the user’s subscription (log into your account and go to Users > Setup > Security).

Conditions:

a) The pdf_password parameter can only be specified by a Manager or Unit Manager.

b) The pdf_password parameter can only be specified when Report Share is enabled for your subscription and the option “Enable Secure PDF Distribution” is selected.

recipient_group={value}

(Conditional for Manager or Unit Manager; not valid for other users)

Used for secure PDF distribution. The report recipients in the form of one or more distribution group names, as defined in your Qualys account. Each distribution group identifies a list of users who will receive the secure PDF report. Multiple distribution groups are comma separated. A maximum of 50 distribution groups may be entered.

Conditions:

a) The recipient_group parameter can only be specified when the pdf_password parameter is also specified.

b) The recipient_group parameter can only be specified by a Manager or Unit Manager.

c) The recipient_group parameter can only be specified when Report Share is enabled for your subscription and the option “Enable Secure PDF Distribution” is selected (Reports > Setup >Report Share).

d) The recipient_group parameter cannot be specified in the same request as recipient_group_id

recipient_group_id={value}

(Optional) The report recipients in the form of one or more distribution group IDs. Multiple distribution group IDs are comma separated. Where do I find this ID? Log in to your Qualys account, go to Users > Distribution Groups and select Info for a group in the list.

Conditions:

a) The recipient_group_id parameter can only be specified when the pdf_password parameter is also specified.

b) The recipient_group_id parameter can only be specified by a Manager or Unit Manager.

c) The recipient_group_id parameter can only be specified when Report Share is enabled for your subscription and the option “Enable Secure PDF Distribution” is selected (Reports > Setup >Report Share).

d) The recipient_group_id parameter cannot be specified in the same request as recipient_group

source={value}

(Conditional) The source asset groups for the report. Specify asset_groups to select asset groups. Specify business_unit to select all the asset groups in a business unit.

For a user scorecard, this parameter is optional. When unspecified, the source selection set in the scorecard attributes (as defined in your Qualys account) is used.

Conditions:

a) The source parameter is required for a service-provided scorecard.

b) For a user scorecard, the source selection specified in the source parameter replaces an existing source selection set in the scorecard attributes (as defined in your Qualys account). If you set this parameter to asset_groups, you must specify one of these parameters: asset_groups or all_asset_groups. If you set this parameter to business_unit then you must specify one or more of these parameters: business_unit, division, function and/or location.

asset_groups={value}

(Conditional) The titles of asset groups to be used as source asset groups for the scorecard report. One or more asset group titles in your account may be specified. Multiple asset group titles are comma separated.

Conditions:

a) The asset_groups parameter can only be specified when source=asset_groups.

b) These parameters cannot be specified for the same API request: asset_groups and all_asset_groups.

all_asset_groups={1}

(Conditional) Set to 1 to select all asset groups available in your account as the source asset groups for the scorecard report.

Conditions:

a) The asset_groups parameter can only be specified when source=asset_groups.

b) These parameters cannot be specified for the same API request: asset_groups and all_asset_groups.

business_unit={value}

(Conditional for a Manager; not valid for other users)

The title of a business unit containing the source asset groups for the scorecard report. All asset groups in the business unit will be included in the report source. You may enter the title of a business unit in your account that was created by a Manager user, or you may enter “Unassigned” for the unassigned business unit.

For a user scorecard, the business unit replaces an existing business unit set in the scorecard attributes (as defined in your Qualys account). If an empty value is set (business_unit=), the existing business unit in the scorecard attributes is not included in the scorecard parameters submitted with the API request.

Conditions:

a) When source=business_unit, one or more of these parameters must be specified: business_unit, division, function and/or location.

b) The business_unit parameter can only be specified by a Manager.

division={value}

(Conditional) A business info tag identifying a division that asset group(s) belong to. The tag must be defined for an asset group in your account. When specified, only asset groups with this tag are included in the scorecard report source.

For a user scorecard, the division tag replaces an existing tag set in the scorecard attributes (as defined in your Qualys account). If an empty value is set (division=), the existing division tag in the scorecard attributes is not included in the scorecard parameters submitted with the API request.

Conditions:

a) When source=business_unit, one or more of these parameters must be specified: business_unit, division, function and/or location.

b) The division parameter can only be specified when source=business_unit.

function={value}

(Conditional) A business info tag identifying a business function for asset group(s). The tag must be defined for an asset group in your account. When specified, only asset groups with this tag are included in the scorecard report source.

For a user scorecard, the function tag replaces an existing function tag set in the scorecard attributes (as defined in your Qualys account). If an empty value is set (function=), the existing function tag in the scorecard attributes is not included in the scorecard parameters submitted with the API request.

Conditions:

a) When source=business_unit, one or more of these parameters must be specified: business_unit, division, function and/or location.

b) The function parameter can only be specified when source=business_unit.

location={value}

(Conditional) A business info tag identifying a location where asset group(s) are located. The tag must be defined for an asset group in your account. When specified, only asset groups with this tag are included in the scorecard report source.

For a user scorecard, the location tag replaces an existing location tag set in the scorecard attributes (as defined in your Qualys account). If an empty value is set (location=), the existing location tag in the scorecard attributes is not included in the scorecard parameters submitted with the API request.

Conditions:

a) When source=business_unit, one or more of these parameters must be specified: business_unit, division, function and/or location.

b) The location parameter can only be specified when source=business_unit.

patch_qids={value}

(Conditional for Patch Report scorecard; not valid for other scorecards)

Up to 10 QIDs for vulnerabilities or potential vulnerabilities with available patches. Multiple QIDs are comma separated. When the QIDs are detected on a host this means the host does not have the patches installed and it will be reported in the scorecard output.

For a user-defined Patch Report, the patch QIDs list replaces the patch QIDs list set in the scorecard attributes (as defined in your Qualys account). If an empty value is set (patch_qids=), the existing patches QIDs list in the scorecard attributes is not included in the scorecard parameters submitted with the API request.

Conditions:

a) The patch_qids parameter may be specified only for a Patch Report.

b) For a Patch Report, patch_qids or missing_qids must be specified. Both parameters may be specified together.

missing_qids={value}

(Conditional for Patch Report scorecard; not valid for other scorecards)

One or two QIDs for missing software. Two QIDs are comma separated. Typically missing software QIDs are information gathered checks. When the QIDs are not detected on a host this means the host is missing software and it will be reported in the scorecard output.

For a user-defined Patch Report, the missing QIDs list replaces the missing QIDs list set in the scorecard attributes (as defined in your Qualys account). If an empty value is set (missing_qids=), the existing missing QIDs list in the scorecard attributes is not included in the scorecard parameters submitted with the API request.

Conditions:

a) The missing_qids parameter may be specified only for a Patch Report.

b) For a Patch Report, patch_qids or missing_qids must be specified. Both parameters may be specified together.