
search/was/finding api confusion

Question asked by wkolatac on Oct 15, 2018
Latest reply on Oct 23, 2018 by wkolatac

Hi -

I'm using the search/was/finding API to get details on QID 15009 Links Crawled section of scan reports for all my web app configs (there are hundreds). I'm using the following XML:

<ServiceRequest>
  <filters>
    <Criteria field="type" operator="EQUALS">INFORMATION_GATHERED</Criteria>
    <Criteria field="qid" operator="EQUALS">150009</Criteria>
  </filters>
</ServiceRequest>

This seems to return a Finding block for each web app config, showing the details for the most recent scan:

<Finding>
  <id>58498</id>
  <qid>150009</qid>
  <name><![CDATA[Links Crawled]]></name>
  <type>INFORMATION_GATHERED</type>
  <findingType>QUALYS</findingType>
  <severity>1</severity>
  <firstDetectedDate>2012-03-08T00:34:39Z</firstDetectedDate>
  <lastDetectedDate>2018-10-06T05:58:47Z</lastDetectedDate>
  <lastTestedDate>2018-10-06T05:58:47Z</lastTestedDate>
  <webApp>
    <id>#####</id>
    <name><![CDATA[xxxxx]]></name>
    <url><![CDATA[http://xxxxx]]></url>
  </webApp>
</Finding>
</data>

This is actually what I need but not what I was expecting. I was expecting to get a Findings section for each scan within a web app config (i.e. multiple scan dates). And then I was planning on parsing through those details to find the latest scan. The reason I was expecting this is based on my previous experience with this API.

For another requirement, I use the same API with this XML:

<ServiceRequest>
  <filters>
    <Criteria operator="GREATER" field="severity">3</Criteria>
    <Criteria operator="EQUALS" field="type">VULNERABILITY</Criteria>
    <Criteria operator="NOT EQUALS" field="status">FIXED</Criteria>
    <Criteria operator="GREATER" field="id">####</Criteria>
    <Criteria operator="NOT EQUALS" field="ignoredReason">FALSE_POSITIVE</Criteria>
    <Criteria operator="NOT EQUALS" field="ignoredReason">RISK_ACCEPTED</Criteria>
    <Criteria operator="NOT EQUALS" field="ignoredReason">NOT_APPLICABLE</Criteria>
  </filters>
</ServiceRequest>

When I use this XML, I get all severity 4/5 vulnerabilities that have not been fixed, but the listing shows details for multiple scan dates, not just the latest (which is actually what I would like). In this case, I have to parse through the output to figure out which vulnerabilities are from the most recent scan.

My confusion ... why does the first xml example return data for only the latest scan while the second returns data for all the scans?

Your help is appreciated.
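
The client-side parsing step described in the post, as an added example that is not part of the original post and not Qualys code: it groups Finding elements by webApp id and keeps only those carrying that web app's newest lastDetectedDate. It assumes findings confirmed by the same scan share one lastDetectedDate; the function name, the bare <data> wrapper and every value in the sample are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime

# Constructed sample: element names follow the Finding block in the post;
# every id, qid, name and date below is made up for illustration.
SAMPLE = """<data>
<Finding><id>101</id><qid>900001</qid><severity>5</severity>
 <lastDetectedDate>2018-10-06T05:58:47Z</lastDetectedDate>
 <webApp><id>1</id><name><![CDATA[app-a]]></name></webApp></Finding>
<Finding><id>102</id><qid>900002</qid><severity>4</severity>
 <lastDetectedDate>2018-09-01T04:10:00Z</lastDetectedDate>
 <webApp><id>1</id><name><![CDATA[app-a]]></name></webApp></Finding>
<Finding><id>201</id><qid>900001</qid><severity>4</severity>
 <lastDetectedDate>2018-10-05T02:00:00Z</lastDetectedDate>
 <webApp><id>2</id><name><![CDATA[app-b]]></name></webApp></Finding>
<Finding><id>202</id><qid>900003</qid><severity>5</severity>
 <lastDetectedDate>2018-10-05T02:00:00Z</lastDetectedDate>
 <webApp><id>2</id><name><![CDATA[app-b]]></name></webApp></Finding>
<Finding><id>203</id><qid>900004</qid><severity>5</severity>
 <webApp><id>2</id><name><![CDATA[app-b]]></name></webApp></Finding>
</data>"""

def latest_scan_findings(xml_text):
    """Map each webApp id to the findings whose lastDetectedDate is the
    newest one seen for that web app (assumed to mark its latest scan)."""
    per_app = defaultdict(list)
    for f in ET.fromstring(xml_text).iter("Finding"):
        stamp = f.findtext("lastDetectedDate")
        app_id = f.findtext("webApp/id")
        if not stamp or not app_id:
            continue  # incomplete record: cannot be placed on a timeline
        per_app[app_id].append({
            "id": f.findtext("id"),
            "qid": f.findtext("qid"),
            "severity": f.findtext("severity"),
            "lastDetected": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"),
        })
    latest = {}
    for app_id, items in per_app.items():
        newest = max(i["lastDetected"] for i in items)
        latest[app_id] = [i for i in items if i["lastDetected"] == newest]
    return latest

if __name__ == "__main__":
    for app_id, items in latest_scan_findings(SAMPLE).items():
        print(app_id, [(i["id"], i["qid"], i["severity"]) for i in items])
```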
