id: azure-sql-va-emails-unconfigured

info:
  name: Azure SQL Classic VA Emails Unconfigured
  author: princechaddha
  severity: medium
  description: |
    Ensure that your Azure SQL database servers are configured with the email addresses of the concerned data owners, admins or stakeholders in order to receive Vulnerability Assessment (VA) scan reports and alerts for critical events. This setting is only available for SQL servers using the classic SQL Vulnerability Assessment configuration. For the new express configuration, email notifications are enabled by default and cannot be customized.
  impact: |
    Lack of email notifications for VA scans means critical alerts and reports are not reaching the responsible parties, potentially delaying the response to vulnerabilities.
  remediation: |
    Configure the email addresses for vulnerability assessment notifications in your SQL server settings to ensure alerts and reports are received by the appropriate stakeholders.
  reference:
    - https://docs.microsoft.com/en-us/azure/azure-sql/database/security-overview
  tags: cloud,devops,azure,microsoft,sql-server,azure-cloud-config

flow: |
  code(1);
  for (let ServerData of iterate(template.serverList)) {
    ServerData = JSON.parse(ServerData);
    set("name", ServerData.ServerName);
    set("resourceGroup", ServerData.ResourceGroupName);
    code(2);
  }

self-contained: true

code:
  # Step 1: list the SQL servers as {ServerName, ResourceGroupName} objects.
  - engine:
      - sh
      - bash
    source: |
      az sql server list --query "[].{ServerName:name, ResourceGroupName:resourceGroup}" --output json

    extractors:
      - type: json
        name: serverList
        internal: true
        json:
          - '.[]'

  # Step 2: run once per server from the flow loop; $name and $resourceGroup are set there.
  - engine:
      - sh
      - bash
    source: |
      az sql va config show --server "$name" --resource-group "$resourceGroup" --query "{StorageAccountName: storageAccount, NotificationEmails: emailAdmins}" --output json

    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"emails": []'

    extractors:
      - type: dsl
        dsl:
          - 'name + " in " + resourceGroup + " has no emails configured for VA notifications"'
# digest: 4b0a004830460221008ce6b22fc06706a1d680dcc8164da03df62b4ac1eb9e00c7911f68224aebf2f3022100f1fcfa2490e18cfc843fa61261472ab6a3438ee760e0619c6b5617d289ded336:922c64590222798bb761d5b6d8e72950