Upgrade jackson databind to 2.13.2.2 to match core's version.properties#2000

Merged
peternied merged 1 commit into opensearch-project:1.x from cwperks:upgrade-jackson-databind-1.x
Aug 9, 2022
Conversation

@cwperks
Member

@cwperks cwperks commented Aug 8, 2022

Description

Upgrade of jackson-databind to address CVE-2020-36518. The version now matches the version in core's version.properties. This should be backported to 1.3.

  • Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation)

Maintenance

Check List

  • New functionality includes testing
  • New functionality has been documented
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@cwperks cwperks requested a review from a team August 8, 2022 18:21
@codecov-commenter

codecov-commenter commented Aug 8, 2022

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 64.59%. Comparing base (b6dbb49) to head (997dc40).
⚠️ Report is 41 commits behind head on 1.x.

@@            Coverage Diff            @@
##                1.x    #2000   +/-   ##
=========================================
  Coverage     64.59%   64.59%           
  Complexity     3215     3215           
=========================================
  Files           247      247           
  Lines         17358    17358           
  Branches       3085     3085           
=========================================
  Hits          11213    11213           
  Misses         4594     4594           
  Partials       1551     1551           

@cwperks cwperks force-pushed the upgrade-jackson-databind-1.x branch from a4302be to 95ef4a8 on August 8, 2022 20:37
@cwperks
Member Author

cwperks commented Aug 8, 2022

The org.opensearch.plugin:transport-netty4-client:1.4.0-SNAPSHOT has not been updated since March and includes outdated netty 4.1.73.Final. The latest version of 1.3 which is 1.3.5-SNAPSHOT includes netty 4.1.79.Final so the whitesource error can be ignored.

peternied
peternied previously approved these changes Aug 8, 2022
…ion.properties and upgrade kafka dependencies

Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks cwperks force-pushed the upgrade-jackson-databind-1.x branch from bb1c0d1 to 997dc40 on August 9, 2022 15:06
@cwperks cwperks added the backport 1.3 backport to 1.3 branch label Aug 9, 2022
@cliu123
Member

cliu123 commented Aug 9, 2022

@cwperks Sorry if I missed any discussion related to the question. Is it possible to get the versions from OpenSearch core directly, so the security plugin wouldn't have to handle the versions?

@peternied peternied merged commit da24100 into opensearch-project:1.x Aug 9, 2022
@cwperks
Member Author

cwperks commented Aug 9, 2022

@cliu123 I was wondering the same thing and initially tried matching the main branch by using references to versions like ${versions.jackson_databind}, but the reference could not be found. Prior to 2.1 we do not have any references to versions. I believe this change enabled us to reference versions from core.

@opensearch-trigger-bot
Contributor

The backport to 1.3 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-1.3 1.3
# Navigate to the new working tree
cd .worktrees/backport-1.3
# Create a new branch
git switch --create backport/backport-2000-to-1.3
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 da24100ccc373dedb50d20ba18be96b5eb2d8b01
# Push it to GitHub
git push --set-upstream origin backport/backport-2000-to-1.3
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-1.3

Then, create a pull request where the base branch is 1.3 and the compare/head branch is backport/backport-2000-to-1.3.

cwperks added a commit to cwperks/security that referenced this pull request Aug 9, 2022
…ion.properties and upgrade kafka dependencies (opensearch-project#2000)

Signed-off-by: Craig Perkins <cwperx@amazon.com>
(cherry picked from commit da24100)
peternied pushed a commit that referenced this pull request Aug 12, 2022
…ion.properties and upgrade kafka dependencies (#2000) (#2004)

Signed-off-by: Craig Perkins <cwperx@amazon.com>
(cherry picked from commit da24100)