revert datadog to 7.56.2 and fix cves (#29528)

the upgrade to 7.57.x broke functionality. while we figure out the root cause this PR rolls back to the last known good state with patched CVEs --------- Signed-off-by: Josh Wolf <[email protected]> Co-authored-by: Dimitri John Ledkov <[email protected]>
wolfi-dev · Oct 2, 2024 · 23bd6b6 · 23bd6b6
1 parent fc369e1
commit 23bd6b6
Show file tree

Hide file tree

Showing 3 changed files with 103 additions and 41 deletions.
diff --git a/datadog-agent.yaml b/datadog-agent.yaml
@@ -1,7 +1,7 @@
 package:
   name: datadog-agent
-  version: 7.57.2
-  epoch: 0
+  version: 7.56.2
+  epoch: 3
   description: "Collect events and metrics from your hosts that send data to Datadog."
   copyright:
     - license: Apache-2.0
@@ -70,7 +70,7 @@ pipeline:
     with:
       repository: https://github.com/DataDog/datadog-agent
       tag: ${{package.version}}
-      expected-commit: 38ba0c7858eab5c07d8818f084fc6abdb99e6c51
+      expected-commit: 62e8ff2a69c07e2b863e22a5e2d33c3d4a9121c1
 
   # Install `invoke` (build) dependencies. We ultimately package with venv so
   # these won't leak into the package.
@@ -250,7 +250,7 @@ subpackages:
             with:
               repository: https://github.com/DataDog/integrations-core
               tag: ${{package.version}}
-              expected-commit: d176ce0f74930eea4ddf66325a95e7da9d7fb9e1 # needs to be updated with each new release
+              expected-commit: 84ce175663bf770b04317e54a895547cf20c2700 # needs to be updated with each new release
           - uses: patch
             with:
               patches: /home/build/cve-fixes.patch
@@ -415,8 +415,9 @@ test:
   environment:
     contents:
       packages:
-        - datadog-agent-fakeintake
-        - datadog-agent-core-integrations
+        - datadog-agent=${{package.full-version}}
+        - datadog-agent-fakeintake=${{package.full-version}}
+        - datadog-agent-core-integrations=${{package.full-version}}
     environment:
       PYTHONPATH: "/usr/share/datadog-agent/lib/python3.11/site-packages"
   pipeline:
@@ -432,6 +433,7 @@ test:
 
         export DD_HOSTNAME_FILE=/etc/hostname
         agent check uptime
+        agent check disk
     - name: Validate multicall components are correctly linked
       runs: |
         trace-agent version | grep trace-agent

diff --git a/datadog-agent/cve-fixes.patch b/datadog-agent/cve-fixes.patch
@@ -1,39 +1,91 @@
-diff --git a/datadog_checks_dev/pyproject.toml b/datadog_checks_dev/pyproject.toml
-index 66a79ce6bf..fee3a83f18 100644
---- a/datadog_checks_dev/pyproject.toml
-+++ b/datadog_checks_dev/pyproject.toml
-@@ -79,7 +79,7 @@ cli = [
-     "pip-tools",
-     "pathspec>=0.10.0",
-     "platformdirs>=2.0.0a3",
--    "pydantic>=2.0.2",
-+    "pydantic>=2.4.0",
-     "pysmi==0.3.4",
-     "securesystemslib[crypto]==0.28.0",
-     "semver>=2.13.0",
-diff --git a/mysql/hatch.toml b/mysql/hatch.toml
-index 7361c558b8..c2eaf18b33 100644
---- a/mysql/hatch.toml
-+++ b/mysql/hatch.toml
-@@ -10,7 +10,7 @@ mypy-args = [
- mypy-deps = [
-   "types-cachetools==0.1.10",
-   "types-enum34==1.1.1",
--  "types-pymysql==1.1.0.1",
-+  "types-pymysql==1.1.1.1",
- ]
+From 1aa77a00080fab8589c3da00d173c5d3e952f8a8 Mon Sep 17 00:00:00 2001
+From: Josh Wolf <[email protected]>
+Date: Fri, 27 Sep 2024 08:52:24 -0400
+Subject: [PATCH] cve fixes
+
+Signed-off-by: Josh Wolf <[email protected]>
+---
+ cisco_aci/pyproject.toml           | 2 +-
+ datadog_checks_base/pyproject.toml | 4 ++--
+ http_check/pyproject.toml          | 2 +-
+ mysql/pyproject.toml               | 2 +-
+ tls/pyproject.toml                 | 2 +-
+ 5 files changed, 6 insertions(+), 6 deletions(-)
 
- [[envs.default.matrix]]
-diff --git a/singlestore/hatch.toml b/singlestore/hatch.toml
-index 3a56775cbf..e706f41b58 100644
---- a/singlestore/hatch.toml
-+++ b/singlestore/hatch.toml
-@@ -9,7 +9,7 @@ mypy-args = [
-     "datadog_checks/singlestore",
+diff --git a/cisco_aci/pyproject.toml b/cisco_aci/pyproject.toml
+index 4893a4850e..077bb85b17 100644
+--- a/cisco_aci/pyproject.toml
++++ b/cisco_aci/pyproject.toml
+@@ -40,7 +40,7 @@ license = "BSD-3-Clause"
+ [project.optional-dependencies]
+ deps = [
+     "cryptography==3.3.2; python_version < '3.0'",
+-    "cryptography==42.0.8; python_version > '3.0'",
++    "cryptography==43.0.1; python_version > '3.0'",
+ ]
+
+ [project.urls]
+diff --git a/datadog_checks_base/pyproject.toml b/datadog_checks_base/pyproject.toml
+index 3ee4c3e3de..e7054a714d 100644
+--- a/datadog_checks_base/pyproject.toml
++++ b/datadog_checks_base/pyproject.toml
+@@ -43,7 +43,7 @@ deps = [
+     "cachetools==5.3.3; python_version > '3.0'",
+     "contextlib2==0.6.0.post1; python_version < '3.0'",
+     "cryptography==3.3.2; python_version < '3.0'",
+-    "cryptography==42.0.8; python_version > '3.0'",
++    "cryptography==43.0.1; python_version > '3.0'",
+     "ddtrace==0.32.2; sys_platform == 'win32' and python_version < '3.0'",
+     "ddtrace==0.53.2; sys_platform != 'win32' and python_version < '3.0'",
+     "ddtrace==1.11.2; python_version > '3.0'",
+@@ -81,7 +81,7 @@ http = [
+     "oauthlib==3.2.2; python_version > '3.0'",
+     "pyjwt==1.7.1; python_version < '3.0'",
+     "pyjwt==2.8.0; python_version > '3.0'",
+-    "pyopenssl==24.1.0; python_version > '3.0'",
++    "pyopenssl==24.2.1; python_version > '3.0'",
+     "pysocks==1.7.1",
+     "requests-kerberos==0.12.0; python_version < '3.0'",
+     "requests-kerberos==0.15.0; python_version > '3.0'",
+diff --git a/http_check/pyproject.toml b/http_check/pyproject.toml
+index 35aa653af4..82d16762ba 100644
+--- a/http_check/pyproject.toml
++++ b/http_check/pyproject.toml
+@@ -40,7 +40,7 @@ license = "BSD-3-Clause"
+ [project.optional-dependencies]
+ deps = [
+     "cryptography==3.3.2; python_version < '3.0'",
+-    "cryptography==42.0.8; python_version > '3.0'",
++    "cryptography==43.0.1; python_version > '3.0'",
+     "requests-ntlm==1.1.0; python_version < '3.0'",
+     "requests-ntlm==1.3.0; python_version > '3.0'",
  ]
- mypy-deps = [
--  "types-PyMySQL==1.1.0.1",
-+  "types-PyMySQL==1.1.1.1",
+diff --git a/mysql/pyproject.toml b/mysql/pyproject.toml
+index ba844ee66e..f63812a5c3 100644
+--- a/mysql/pyproject.toml
++++ b/mysql/pyproject.toml
+@@ -40,7 +40,7 @@ deps = [
+     "cachetools==3.1.1; python_version < '3.0'",
+     "cachetools==5.3.3; python_version > '3.0'",
+     "cryptography==3.3.2; python_version < '3.0'",
+-    "cryptography==42.0.8; python_version > '3.0'",
++    "cryptography==43.0.1; python_version > '3.0'",
+     "pymysql==0.10.1; python_version < '3.0'",
+     "pymysql==1.1.1; python_version > '3.0'",
  ]
+diff --git a/tls/pyproject.toml b/tls/pyproject.toml
+index 91f127543a..5d07b2840f 100644
+--- a/tls/pyproject.toml
++++ b/tls/pyproject.toml
+@@ -40,7 +40,7 @@ license = "BSD-3-Clause"
+ [project.optional-dependencies]
+ deps = [
+     "cryptography==3.3.2; python_version < '3.0'",
+-    "cryptography==42.0.8; python_version > '3.0'",
++    "cryptography==43.0.1; python_version > '3.0'",
+     "ipaddress==1.0.23; python_version < '3.0'",
+     "service-identity[idna]==21.1.0; python_version < '3.0'",
+     "service-identity[idna]==24.1.0; python_version > '3.0'",
+-- 
+2.46.2
 
- [[envs.default.matrix]]
diff --git a/withdrawn-packages.txt b/withdrawn-packages.txt
@@ -16,3 +16,11 @@ py3.13-setuptools-75.1.0-r1.apk
 py3.12-setuptools-75.1.0-r1.apk
 py3.11-setuptools-75.1.0-r1.apk
 py3.10-setuptools-75.1.0-r1.apk
+datadog-agent-7.57.2-r0.apk
+datadog-agent-core-integrations-7.57.2-r0.apk
+datadog-agent-fakeintake-7.57.2-r0.apk
+datadog-agent-jmx-7.57.2-r0.apk
+datadog-agent-oci-compat-7.57.2-r0.apk
+datadog-agent-s6-overlay-7.57.2-r0.apk
+datadog-cluster-agent-7.57.2-r0.apk
+datadog-cluster-agent-oci-compat-7.57.2-r0.apk