chore: notice for aws/aws-cdk#25674 (#210)

Since there are two separate problems, introduced in two separate commits, issue two notices based on the affeceted versions. Note that we have no way of knowing if customers are actually impacted by the default masters role because we don't know if they pass the `mastersRole` property or not.
cdklabs · May 23, 2023 · e1bcd21 · e1bcd21
1 parent 2b001ec
commit e1bcd21
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 1 deletion.
diff --git a/data/notices.json b/data/notices.json
@@ -207,6 +207,46 @@
         }
       ],
       "schemaVersion": "1"
+    },
+    {
+      "title": "(eks) eks overly permissive trust policies",
+      "issueNumber": 25674,
+      "overview": "The default MastersRole allows any identity in the account with the appropriate sts:AssumeRole permissions to assume it.",
+      "components": [
+        {
+          "name": "@aws-cdk/aws-eks.Cluster",
+          "version": ">=1.57.0 <1.62.0"
+        },
+        {
+          "name": "@aws-cdk/aws-eks.FargateCluster",
+          "version": ">=1.57.0 <1.62.0"
+        }
+      ],
+      "schemaVersion": "1"
+    },
+    {
+      "title": "(eks) eks overly permissive trust policies",
+      "issueNumber": 25674,
+      "overview": "Cluster CreationRole and default MastersRole allows any identity in the account with the appropriate sts:AssumeRole permissions to assume it.",
+      "components": [
+        {
+          "name": "@aws-cdk/aws-eks.Cluster",
+          "version": ">=1.62.0 <1.202.0"
+        },
+        {
+          "name": "@aws-cdk/aws-eks.FargateCluster",
+          "version": ">=1.62.0 <1.202.0"
+        },
+        {
+          "name": "aws-cdk-lib.aws_eks.Cluster",
+          "version": ">=2.0.0-rc.1 <2.80.0"
+        },
+        {
+          "name": "aws-cdk-lib.aws_eks.FargateCluster",
+          "version": ">=2.0.0-rc.1 <2.80.0"
+        }
+      ],
+      "schemaVersion": "1"
     }
   ]
 }
diff --git a/test/schema.test.ts b/test/schema.test.ts
@@ -40,7 +40,8 @@ describe('Notices file is valid', () => {
       test('v2 version ranges must be bounded at the bottom', () => {
         for (const component of notice.components) {
           if (component.version === '1.*') { continue; } // Special range that we allow
-          if (semver.intersects(component.version, '2') && !semver.subset(component.version, '2')) {
+          if (semver.intersects(component.version, '2', { includePrerelease: true })
+          && !semver.subset(component.version, '2', { includePrerelease: true })) {
             throw new Error(`${component.version} should have an upper bound in v1 range, or a lower bound in v2 range (version should look like "^2.3.4 <2.5.6")`);
           }
         }