GEODE-10565: Jackson upgrade due to security vulnerabilities (#7990)

* jackson upgrade

* Update integration test resources for dependency classpath and bundled jars: remove byte-buddy, update snakeyaml to 2.3

* Fix integration test snapshots: remove snakeyaml-2.2, add logback jars

* Fix integration test snapshot: remove incorrect logback entries

Author: JinwooHwang

boms/geode-all-bom/src/test/resources/expected-pom.xml

@@ -470,27 +470,27 @@
       <dependency>
         <groupId>com.fasterxml.jackson.core</groupId>
         <artifactId>jackson-annotations</artifactId>
-        <version>2.17.0</version>
+        <version>2.18.6</version>
       </dependency>
       <dependency>
         <groupId>com.fasterxml.jackson.core</groupId>
         <artifactId>jackson-core</artifactId>
-        <version>2.17.0</version>
+        <version>2.18.6</version>
       </dependency>
       <dependency>
         <groupId>com.fasterxml.jackson.core</groupId>
         <artifactId>jackson-databind</artifactId>
-        <version>2.17.0</version>
+        <version>2.18.6</version>
       </dependency>
       <dependency>
         <groupId>com.fasterxml.jackson.datatype</groupId>
         <artifactId>jackson-datatype-joda</artifactId>
-        <version>2.17.0</version>
+        <version>2.18.6</version>
       </dependency>
       <dependency>
         <groupId>com.fasterxml.jackson.datatype</groupId>
         <artifactId>jackson-datatype-jsr310</artifactId>
-        <version>2.17.0</version>
+        <version>2.18.6</version>
       </dependency>
       <dependency>
         <groupId>com.jayway.jsonpath</groupId>

build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy

@@ -53,8 +53,8 @@ class DependencyConstraints {
     deps.put("slf4j-api.version", "2.0.17")
     deps.put("jakarta.transaction-api.version", "2.0.1")
     deps.put("jboss-modules.version", "1.11.0.Final")
-    deps.put("jackson.version", "2.17.0")
-    deps.put("jackson.databind.version", "2.17.0")
+    deps.put("jackson.version", "2.18.6")
+    deps.put("jackson.databind.version", "2.18.6")
     // Spring Framework 6.x Migration
     deps.put("springshell.version", "3.3.3")
     deps.put("springframework.version", "6.1.14")

geode-assembly/src/integrationTest/resources/assembly_content.txt

@@ -923,7 +923,6 @@ lib/antlr-runtime-3.5.2.jar
 lib/asm-9.8.jar
 lib/asm-commons-9.8.jar
 lib/asm-tree-9.8.jar
-lib/byte-buddy-1.14.9.jar
 lib/classgraph-4.8.147.jar
 lib/classmate-1.5.1.jar
 lib/commons-beanutils-1.11.0.jar
@@ -964,12 +963,12 @@ lib/httpclient5-5.4.4.jar
 lib/httpcore5-5.3.4.jar
 lib/httpcore5-h2-5.3.4.jar
 lib/istack-commons-runtime-4.1.1.jar
-lib/jackson-annotations-2.17.0.jar
-lib/jackson-core-2.17.0.jar
-lib/jackson-databind-2.17.0.jar
-lib/jackson-dataformat-yaml-2.17.0.jar
-lib/jackson-datatype-joda-2.17.0.jar
-lib/jackson-datatype-jsr310-2.17.0.jar
+lib/jackson-annotations-2.18.6.jar
+lib/jackson-core-2.18.6.jar
+lib/jackson-databind-2.18.6.jar
+lib/jackson-dataformat-yaml-2.18.6.jar
+lib/jackson-datatype-joda-2.18.6.jar
+lib/jackson-datatype-jsr310-2.18.6.jar
 lib/jakarta.activation-api-2.1.3.jar
 lib/jakarta.annotation-api-2.1.1.jar
 lib/jakarta.el-api-5.0.0.jar
@@ -1042,7 +1041,7 @@ lib/shiro-crypto-hash-1.13.0.jar
 lib/shiro-event-1.13.0.jar
 lib/shiro-lang-1.13.0.jar
 lib/slf4j-api-2.0.17.jar
-lib/snakeyaml-2.2.jar
+lib/snakeyaml-2.3.jar
 lib/snappy-0.5.jar
 lib/spring-aop-6.1.14.jar
 lib/spring-beans-6.1.14.jar

geode-assembly/src/integrationTest/resources/expected_jars.txt

@@ -9,7 +9,6 @@ antlr-runtime
 asm
 asm-commons
 asm-tree
-byte-buddy
 classgraph
 classmate
 commons-beanutils

geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt

@@ -21,12 +21,12 @@ spring-shell-starter-3.3.3.jar
 spring-web-6.1.14.jar
 commons-lang3-3.18.0.jar
 rmiio-2.1.2.jar
-jackson-datatype-jsr310-2.17.0.jar
-jackson-datatype-joda-2.17.0.jar
-jackson-annotations-2.17.0.jar
-jackson-core-2.17.0.jar
-jackson-dataformat-yaml-2.17.0.jar
-jackson-databind-2.17.0.jar
+jackson-datatype-joda-2.18.6.jar
+jackson-annotations-2.18.6.jar
+jackson-dataformat-yaml-2.18.6.jar
+jackson-core-2.18.6.jar
+jackson-datatype-jsr310-2.18.6.jar
+jackson-databind-2.18.6.jar
 swagger-annotations-2.2.22.jar
 jaxb-runtime-4.0.2.jar
 jaxb-core-4.0.2.jar
@@ -113,12 +113,10 @@ jul-to-slf4j-2.0.16.jar
 jetty-jndi-12.0.27.jar
 jetty-util-12.0.27.jar
 slf4j-api-2.0.17.jar
-byte-buddy-1.14.9.jar
 micrometer-observation-1.14.0.jar
 spring-jcl-6.1.14.jar
 micrometer-commons-1.14.0.jar
 LatencyUtils-2.0.3.jar
-snakeyaml-2.2.jar
 reactor-core-3.6.10.jar
 jline-console-3.26.3.jar
 jline-builtins-3.26.3.jar
@@ -127,6 +125,7 @@ jline-style-3.26.3.jar
 jline-terminal-3.26.3.jar
 ST4-4.3.3.jar
 txw2-4.0.2.jar
+snakeyaml-2.3.jar
 asm-commons-9.8.jar
 asm-tree-9.8.jar
 asm-9.8.jar

geode-server-all/src/integrationTest/resources/dependency_classpath.txt

@@ -19,12 +19,12 @@ geode-unsafe-0.0.0.jar
 geode-deployment-legacy-0.0.0.jar
 snappy-0.5.jar
 swagger-annotations-2.2.22.jar
-jackson-datatype-jsr310-2.17.0.jar
-jackson-annotations-2.17.0.jar
-jackson-dataformat-yaml-2.17.0.jar
-jackson-core-2.17.0.jar
-jackson-datatype-joda-2.17.0.jar
-jackson-databind-2.17.0.jar
+jackson-datatype-jsr310-2.18.6.jar
+jackson-annotations-2.18.6.jar
+jackson-dataformat-yaml-2.18.6.jar
+jackson-core-2.18.6.jar
+jackson-datatype-joda-2.18.6.jar
+jackson-databind-2.18.6.jar
 httpclient5-5.4.4.jar
 httpcore5-h2-5.3.4.jar
 httpcore5-5.3.4.jar
@@ -116,8 +116,6 @@ slf4j-api-2.0.17.jar
 micrometer-observation-1.14.0.jar
 micrometer-commons-1.14.0.jar
 LatencyUtils-2.0.3.jar
-byte-buddy-1.14.9.jar
-snakeyaml-2.2.jar
 spring-jcl-6.1.14.jar
 asm-commons-9.8.jar
 asm-tree-9.8.jar
@@ -130,6 +128,7 @@ jline-reader-3.26.3.jar
 jline-style-3.26.3.jar
 jline-terminal-3.26.3.jar
 ST4-4.3.3.jar
+snakeyaml-2.3.jar
 jakarta.enterprise.lang-model-4.0.1.jar
 reactive-streams-1.0.4.jar
 jline-native-3.26.3.jar