
SQL Vulnerability Assessment Tool Reference List – Updated!

Way back on January 16, 2020, I published a blog post containing a reference list for the many rules checked by the SQL Vulnerability Assessment Tool. The next month, I created a separate, dedicated page for the reference list so that it’d be easier to find and maintain. Today I learned that a few months later, around the beginning of May, Microsoft themselves also published such a reference list on the Microsoft Docs page.

Microsoft’s version appears to be specifically under the Azure SQL Database section of the documentation. And while it’s more up-to-date compared to the reference list that I published in January and February, it contains fewer details than what I provide in my version.

Specifically, Microsoft’s version does not contain the “Rationale”, the “Query”, and the “Remediation” sections of the assessment rules, which may provide additional insightful information.

I have also noticed that different sets of rules are evaluated, depending on whether your assessment target is a SQL Server instance (IaaS, on-prem or VM), Azure SQL DB, a SQL Managed Instance, or an Azure Synapse Analytics server (a.k.a. Azure SQL DW). Microsoft’s reference list has a “Platform” column, specifying for each rule the platform types where it can be evaluated.

So, I’ve set out to update my own rules reference list with the missing information:

  • I executed a vulnerability assessment scan on a database in each platform type:
    • SQL Server VM
    • Azure SQL Database
    • Azure SQL Managed Instance
    • Azure Synapse Analytics
  • Building on top of the T-SQL script I used last time, I created a new version which can query from a list of assessment files (instead of just one) where each file represents a certain platform.
  • Sprinkle some MERGE magic on the results, specifying for each rule the relevant platforms where it was evaluated.
  • Place in the oven for a few moments.
  • And voila! I got myself a brand new reference list, containing the complete set of information.
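The MERGE step described above could look roughly like the following. This is an added example, not the author's actual script: the table names, column names, rule IDs and titles are all constructed for illustration, and it assumes the per-platform scan files have already been loaded into one staging table. It requires SQL Server 2017 or later for STRING_AGG.

```sql
-- Constructed sample data: one row per (platform, rule), as if already
-- loaded from each platform's scan result file. Rule IDs are placeholders.
DECLARE @ScanResults TABLE
(
    Platform sysname       NOT NULL,
    RuleId   varchar(20)   NOT NULL,
    Title    nvarchar(200) NOT NULL,
    PRIMARY KEY (Platform, RuleId)
);

INSERT INTO @ScanResults (Platform, RuleId, Title) VALUES
    (N'SQL Server VM',                'RULE-001', N'Constructed rule A'),
    (N'Azure SQL Database',           'RULE-001', N'Constructed rule A'),
    (N'Azure SQL Managed Instance',   'RULE-001', N'Constructed rule A'),
    (N'Azure Synapse Analytics',      'RULE-001', N'Constructed rule A'),
    (N'SQL Server VM',                'RULE-002', N'Constructed rule B'),
    (N'Azure SQL Managed Instance',   'RULE-002', N'Constructed rule B'),
    (N'Azure SQL Database',           'RULE-003', N'Constructed rule C');

-- Hypothetical reference table: one row per rule, with its platform list.
CREATE TABLE #RuleReference
(
    RuleId    varchar(20)   NOT NULL PRIMARY KEY,
    Title     nvarchar(200) NOT NULL,
    Platforms nvarchar(400) NOT NULL
);

-- Collapse the per-platform rows to one row per rule, then upsert.
-- Re-running after loading a new scan file refreshes the platform list
-- for existing rules and adds rules seen for the first time.
MERGE #RuleReference AS tgt
USING
(
    SELECT RuleId,
           MAX(Title) AS Title,
           STRING_AGG(CAST(Platform AS nvarchar(400)), N', ')
               WITHIN GROUP (ORDER BY Platform) AS Platforms
    FROM @ScanResults
    GROUP BY RuleId
) AS src
    ON tgt.RuleId = src.RuleId
WHEN MATCHED AND (tgt.Platforms <> src.Platforms OR tgt.Title <> src.Title) THEN
    UPDATE SET Title = src.Title, Platforms = src.Platforms
WHEN NOT MATCHED BY TARGET THEN
    INSERT (RuleId, Title, Platforms)
    VALUES (src.RuleId, src.Title, src.Platforms);

SELECT RuleId, Title, Platforms FROM #RuleReference ORDER BY RuleId;
```

Rules whose Platforms value lists only a subset of targets are the ones to watch when comparing assessment coverage between, say, an on-prem instance and an Azure SQL Database.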

I have updated the SQL Vulnerability Assessment Tool Rules Reference List and it now contains all rules, and all platforms, in a (hopefully) easily digestible format that can be easily referenced from wherever.

Click here to view the updated Rules Reference List

Ideally, I would’ve preferred to implement this reference page using a “data table” control, which would be a better user experience, allowing for dynamic filtering and sorting based on user input… But apparently it requires a WordPress plugin, which in turn requires premium membership.

That’s a bit of an overkill in my opinion, having to pay for premium membership just because of one plugin which, let’s be honest, isn’t really a must here.

So, we’ll make do with what we got. I believe it’s more than good enough at this point.
