...
In short, the XML content on which the Platform relies (when processing vulnerabilities) doesn’t include the CVSS Vector string for an vulnerabilities.
Rootshell Security The platform team have confirmed this during various tests when building the Qualys XML parser and conclude that the following XML report types lack the necessary CVSS Vector string information:
...
The Qualys VM API does provide additional vulnerability metadata including the CVSS Vector, the CVSS Score and the CVE ID.
So where possible, Rootshell the platform team recommend using the Platform’s API-based integration with Qualys VM to retrieve a more comprehensive set of metadata for imported vulnerabilities