@octo-sts octo-sts bot commented Jan 14, 2026

datadog-agent-7.73/7.73.3-r0: fix GHSA-xrwg-mqj6-6m22

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/datadog-agent-7.73.advisories.yaml


"Breadcrumbs" for this automated service

Inspected git repositories: https://github.com/DataDog/[email protected]

octo-sts bot commented Jan 14, 2026

🔢 Build Failed: Dependency Version Mismatch

go: github.com/envoyproxy/[email protected] requires [email protected], but 1.24.7 is requested

Build Details

| Category | Details |
| --- | --- |
| Build System | Go |
| Failure Point | go mod tidy command during go/bump step |

Root Cause Analysis 🔍

Version mismatch between the Go version being used (1.24.7) and the minimum Go version required by the github.com/envoyproxy/[email protected] dependency (1.24.11). The gobump tool attempted to update dependencies but failed because the available Go runtime version is older than what the dependency requires.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: datadog-agent-7.73.yaml

  • modify at line 69 (environment.contents.packages section)
    Original:
      - go-1.24
    Replacement:
      - go-1.25
    Content:
      Change the Go package dependency from go-1.24 to go-1.25 to provide Go version 1.25.x, which will satisfy the minimum requirement of 1.24.11

  • modify at line 125 (go/bump step)
    Original:
      go-version: "1.24.7" # package built w/ go-1.24 - keeps tidy at 1.24.7, otherwise go mod tidy fails
    Replacement:
      go-version: "1.25" # package built w/ go-1.25 - updated to satisfy github.com/envoyproxy/[email protected] requirement
    Content:
      Update the explicit go-version parameter in the go/bump step to use Go 1.25 instead of 1.24.7

Analysis

The pattern across all three similar fixes shows that Go version mismatches are consistently resolved by upgrading the Go version in the build environment. Fix #0 added "go~1.24" to packages, Fix #1 upgraded from "go-fips-1.24" to "go-fips-1.25", and Fix #2 explicitly set "go-version: 1.24.7" in the go/bump step. The current error requires Go 1.24.11 but only has 1.24.7 available, indicating the build environment needs to use a newer Go version that satisfies the dependency requirement.

Explanation

This fix addresses the root cause by upgrading the Go version from 1.24 to 1.25 in two critical places. The github.com/envoyproxy/[email protected] dependency requires Go 1.24.11 minimum, but the current build environment only provides Go 1.24.7. By upgrading to the go-1.25 package and updating the go-version parameter to "1.25", we ensure the build environment has a Go version (1.25.x) that satisfies the dependency requirement. This follows the exact pattern seen in Fix #1, where go-fips-1.24 was upgraded to go-fips-1.25 to resolve a similar version compatibility issue. The comment update also reflects the reasoning behind the change, similar to how Fix #2 included explanatory comments.

Alternative Approaches

  • Could downgrade the github.com/envoyproxy/gateway dependency to an older version that supports Go 1.24.7, but this would conflict with Wolfi's principle of keeping packages up to date with latest upstream versions
  • Could use a more specific Go version like go-1.24.11 if such a package exists, but go-1.25 provides better future compatibility
  • Could modify the go.mod file to lower the minimum Go version requirement, but this might introduce compatibility issues and is not a sustainable solution

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Jan 14, 2026
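
A pre-flight check for the failure discussed in the comment above, as an added example that is not part of the bot's output or of the Wolfi tooling: it parses a version-mismatch line from the go command and tests whether a candidate go-version pin would clear it. The names `sampleLine`, `Satisfies` and `Check`, the placeholder module path, and the `go@<version>` shape of the message are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// sampleLine is constructed: placeholder module path, assumed "go@<version>" message shape.
const sampleLine = "go: example.com/mod@v0.0.0 requires go@1.24.11, but 1.24.7 is requested"

var mismatchRE = regexp.MustCompile(`^go: (\S+) requires go@([0-9.]+), but ([0-9.]+) is requested`)

// component returns the i-th dotted field of v as a number (0 if absent); "rc" suffixes are out of scope.
func component(v string, i int) int {
	f := strings.Split(v, ".")
	if i >= len(f) {
		return 0
	}
	n, _ := strconv.Atoi(f[i])
	return n
}

// Satisfies reports whether toolchain version have meets the minimum need.
// Fields are compared numerically: as strings, "1.24.7" sorts after "1.24.11".
func Satisfies(have, need string) bool {
	for i := 0; i < 3; i++ {
		if a, b := component(have, i), component(need, i); a != b {
			return a > b
		}
	}
	return true
}

// Check parses one failure line; fixed says whether the candidate pin meets the stated minimum.
func Check(line, candidate string) (module, need string, fixed, ok bool) {
	m := mismatchRE.FindStringSubmatch(line)
	if m == nil {
		return "", "", false, false
	}
	return m[1], m[2], Satisfies(candidate, m[2]), true
}

func main() {
	for _, pin := range []string{"1.24.7", "1.25"} {
		mod, need, fixed, _ := Check(sampleLine, pin)
		fmt.Printf("%s needs go %s; pin %s sufficient: %v\n", mod, need, pin, fixed)
	}
}
```
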