feat(azure): new check sqlserver_vulnerability_assessment_enabled (#3349)

tests/lib/check/check_test.py

@@ -115,6 +115,20 @@ expected_packages = [
         name="prowler.providers.azure.services.sqlserver.sqlserver_auditing_retention_90_days.sqlserver_auditing_retention_90_days",
         ispkg=False,
     ),
+    ModuleInfo(
+        module_finder=FileFinder(
+            "/root_dir/prowler/providers/azure/services/sqlserver"
+        ),
+        name="prowler.providers.azure.services.sqlserver.sqlserver_vulnerability_assessment_enabled",
+        ispkg=True,
+    ),
+    ModuleInfo(
+        module_finder=FileFinder(
+            "/root_dir/prowler/providers/azure/services/sqlserver/sqlserver_vulnerability_assessment_enabled"
+        ),
+        name="prowler.providers.azure.services.sqlserver.sqlserver_vulnerability_assessment_enabled.sqlserver_vulnerability_assessment_enabled",
+        ispkg=False,
+    ),
 ]
 
 
@@ -208,6 +222,20 @@ def mock_list_modules(*_):
             name="prowler.providers.azure.services.sqlserver.sqlserver_auditing_retention_90_days.sqlserver_auditing_retention_90_days",
             ispkg=False,
         ),
+        ModuleInfo(
+            module_finder=FileFinder(
+                "/root_dir/prowler/providers/azure/services/sqlserver"
+            ),
+            name="prowler.providers.azure.services.sqlserver.sqlserver_vulnerability_assessment_enabled",
+            ispkg=True,
+        ),
+        ModuleInfo(
+            module_finder=FileFinder(
+                "/root_dir/prowler/providers/azure/services/sqlserver/sqlserver_vulnerability_assessment_enabled"
+            ),
+            name="prowler.providers.azure.services.sqlserver.sqlserver_vulnerability_assessment_enabled.sqlserver_vulnerability_assessment_enabled",
+            ispkg=False,
+        ),
     ]
     return modules
 
@@ -601,6 +629,10 @@ class Test_Check:
                 "sqlserver_auditing_retention_90_days",
                 "/root_dir/prowler/providers/azure/services/sqlserver/sqlserver_auditing_retention_90_days",
             ),
+            (
+                "sqlserver_vulnerability_assessment_enabled",
+                "/root_dir/prowler/providers/azure/services/sqlserver/sqlserver_vulnerability_assessment_enabled",
+            ),
         ]
         returned_checks = recover_checks_from_provider(provider, service)
         assert returned_checks == expected_checks

tests/providers/azure/services/sqlserver/sqlserver_auditing_enabled/sqlserver_auditing_enabled_test.py

@@ -8,8 +8,7 @@ from azure.mgmt.sql.models import (
 )
 
 from prowler.providers.azure.services.sqlserver.sqlserver_service import SQL_Server
-
-AZURE_SUSCRIPTION = str(uuid4())
+from tests.providers.azure.azure_fixtures import AZURE_SUSCRIPTION
 
 
 class Test_sqlserver_auditing_enabled:

tests/providers/azure/services/sqlserver/sqlserver_service_test.py

@@ -1,6 +1,10 @@
 from unittest.mock import patch
 
-from azure.mgmt.sql.models import EncryptionProtector, TransparentDataEncryption
+from azure.mgmt.sql.models import (
+    EncryptionProtector,
+    ServerVulnerabilityAssessment,
+    TransparentDataEncryption,
+)
 
 from prowler.providers.azure.services.sqlserver.sqlserver_service import (
     DatabaseServer,
@@ -36,6 +40,9 @@ def mock_sqlserver_get_sql_servers(_):
                     server_key_type="AzureKeyVault"
                 ),
                 databases=[database],
+                vulnerability_assessment=ServerVulnerabilityAssessment(
+                    storage_container_path="/subcription_id/resource_group/sql_server"
+                ),
             )
         ]
     }
@@ -87,6 +94,12 @@ class Test_SqlServer_Service:
             == "EncryptionProtector"
         )
         assert sql_server.sql_servers[AZURE_SUSCRIPTION][0].databases == [database]
+        assert (
+            sql_server.sql_servers[AZURE_SUSCRIPTION][
+                0
+            ].vulnerability_assessment.__class__.__name__
+            == "ServerVulnerabilityAssessment"
+        )
 
     def test__get_databases__(self):
         sql_server = SQLServer(set_mocked_azure_audit_info())
@@ -146,3 +159,19 @@ class Test_SqlServer_Service:
         id = "/subscriptions/subscription_id/resourceGroups/resource_group/providers/Microsoft.Sql/servers/sql_server"
         sql_server = SQLServer(set_mocked_azure_audit_info())
         assert sql_server.__get_resource_group__(id) == "resource_group"
+
+    def test__get_vulnerability_assessment__(self):
+        sql_server = SQLServer(set_mocked_azure_audit_info())
+        storage_container_path = "/subcription_id/resource_group/sql_server"
+        assert (
+            sql_server.sql_servers[AZURE_SUSCRIPTION][
+                0
+            ].vulnerability_assessment.__class__.__name__
+            == "ServerVulnerabilityAssessment"
+        )
+        assert (
+            sql_server.sql_servers[AZURE_SUSCRIPTION][
+                0
+            ].vulnerability_assessment.storage_container_path
+            == storage_container_path
+        )

tests/providers/azure/services/sqlserver/sqlserver_vulnerability_assessment_enabled/sqlserver_vulnerability_assessment_enabled_test.py

@@ -0,0 +1,190 @@
+from unittest import mock
+from uuid import uuid4
+
+from azure.mgmt.sql.models import (
+    EncryptionProtector,
+    ServerVulnerabilityAssessment,
+    TransparentDataEncryption,
+)
+
+from prowler.providers.azure.services.sqlserver.sqlserver_service import (
+    DatabaseServer,
+    SQL_Server,
+)
+
+AZURE_SUSCRIPTION = str(uuid4())
+
+
+class Test_sqlserver_vulnerability_assessment_enabled:
+    def test_no_sql_servers(self):
+        sqlserver_client = mock.MagicMock
+        sqlserver_client.sql_servers = {}
+
+        with mock.patch(
+            "prowler.providers.azure.services.sqlserver.sqlserver_vulnerability_assessment_enabled.sqlserver_vulnerability_assessment_enabled.sqlserver_client",
+            new=sqlserver_client,
+        ):
+            from prowler.providers.azure.services.sqlserver.sqlserver_vulnerability_assessment_enabled.sqlserver_vulnerability_assessment_enabled import (
+                sqlserver_vulnerability_assessment_enabled,
+            )
+
+            check = sqlserver_vulnerability_assessment_enabled()
+            result = check.execute()
+            assert len(result) == 0
+
+    def test_sql_servers_no_vulnerability_assessment(self):
+        sqlserver_client = mock.MagicMock
+        sql_server_name = "SQL Server Name"
+        sql_server_id = str(uuid4())
+        database = DatabaseServer(
+            id="id",
+            name="name",
+            type="type",
+            location="location",
+            managed_by="managed_by",
+            tde_encryption=None,
+        )
+        sqlserver_client.sql_servers = {
+            AZURE_SUSCRIPTION: [
+                SQL_Server(
+                    id=sql_server_id,
+                    name=sql_server_name,
+                    public_network_access="",
+                    minimal_tls_version="",
+                    administrators=None,
+                    auditing_policies=None,
+                    firewall_rules=None,
+                    databases=[database],
+                    encryption_protector=EncryptionProtector(
+                        server_key_type="ServiceManaged"
+                    ),
+                    vulnerability_assessment=None,
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.sqlserver.sqlserver_vulnerability_assessment_enabled.sqlserver_vulnerability_assessment_enabled.sqlserver_client",
+            new=sqlserver_client,
+        ):
+            from prowler.providers.azure.services.sqlserver.sqlserver_vulnerability_assessment_enabled.sqlserver_vulnerability_assessment_enabled import (
+                sqlserver_vulnerability_assessment_enabled,
+            )
+
+            check = sqlserver_vulnerability_assessment_enabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"SQL Server {sql_server_name} from subscription {AZURE_SUSCRIPTION} has vulnerability assessment disabled."
+            )
+            assert result[0].subscription == AZURE_SUSCRIPTION
+            assert result[0].resource_name == sql_server_name
+            assert result[0].resource_id == sql_server_id
+
+    def test_sql_servers_no_vulnerability_assessment_path(self):
+        sqlserver_client = mock.MagicMock
+        sql_server_name = "SQL Server Name"
+        sql_server_id = str(uuid4())
+        database = DatabaseServer(
+            id="id",
+            name="name",
+            type="type",
+            location="location",
+            managed_by="managed_by",
+            tde_encryption=TransparentDataEncryption(status="Disabled"),
+        )
+        sqlserver_client.sql_servers = {
+            AZURE_SUSCRIPTION: [
+                SQL_Server(
+                    id=sql_server_id,
+                    name=sql_server_name,
+                    public_network_access="",
+                    minimal_tls_version="",
+                    administrators=None,
+                    auditing_policies=None,
+                    firewall_rules=None,
+                    databases=[database],
+                    encryption_protector=EncryptionProtector(
+                        server_key_type="AzureKeyVault"
+                    ),
+                    vulnerability_assessment=ServerVulnerabilityAssessment(
+                        storage_container_path=None
+                    ),
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.sqlserver.sqlserver_vulnerability_assessment_enabled.sqlserver_vulnerability_assessment_enabled.sqlserver_client",
+            new=sqlserver_client,
+        ):
+            from prowler.providers.azure.services.sqlserver.sqlserver_vulnerability_assessment_enabled.sqlserver_vulnerability_assessment_enabled import (
+                sqlserver_vulnerability_assessment_enabled,
+            )
+
+            check = sqlserver_vulnerability_assessment_enabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"SQL Server {sql_server_name} from subscription {AZURE_SUSCRIPTION} has vulnerability assessment disabled."
+            )
+            assert result[0].subscription == AZURE_SUSCRIPTION
+            assert result[0].resource_name == sql_server_name
+            assert result[0].resource_id == sql_server_id
+
+    def test_sql_servers_vulnerability_assessment_enabled(self):
+        sqlserver_client = mock.MagicMock
+        sql_server_name = "SQL Server Name"
+        sql_server_id = str(uuid4())
+        database = DatabaseServer(
+            id="id",
+            name="name",
+            type="type",
+            location="location",
+            managed_by="managed_by",
+            tde_encryption=TransparentDataEncryption(status="Enabled"),
+        )
+        sqlserver_client.sql_servers = {
+            AZURE_SUSCRIPTION: [
+                SQL_Server(
+                    id=sql_server_id,
+                    name=sql_server_name,
+                    public_network_access="",
+                    minimal_tls_version="",
+                    administrators=None,
+                    auditing_policies=None,
+                    firewall_rules=None,
+                    databases=[database],
+                    encryption_protector=EncryptionProtector(
+                        server_key_type="AzureKeyVault"
+                    ),
+                    vulnerability_assessment=ServerVulnerabilityAssessment(
+                        storage_container_path="/subcription_id/resource_group/sql_server"
+                    ),
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.sqlserver.sqlserver_vulnerability_assessment_enabled.sqlserver_vulnerability_assessment_enabled.sqlserver_client",
+            new=sqlserver_client,
+        ):
+            from prowler.providers.azure.services.sqlserver.sqlserver_vulnerability_assessment_enabled.sqlserver_vulnerability_assessment_enabled import (
+                sqlserver_vulnerability_assessment_enabled,
+            )
+
+            check = sqlserver_vulnerability_assessment_enabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"SQL Server {sql_server_name} from subscription {AZURE_SUSCRIPTION} has vulnerability assessment enabled."
+            )
+            assert result[0].subscription == AZURE_SUSCRIPTION
+            assert result[0].resource_name == sql_server_name
+            assert result[0].resource_id == sql_server_id