Updating jackson version to 2.15 #793
Comments
@jan-tosovsky-cz Is this the CVE you are attempting to address? Version 2.0 has some breaking changes that would be propagated to clients that also use snakeyaml (e.g., Spring projects). I'll investigate if we can use 2.0 if it is present on the classpath but we may not be able to require it.
I have executed a light-bot script to upgrade all the repositories to Jackson 2.15.1. I am doing the build and test at the moment to see if there are any broken changes. So far, there is only one issue with the timezone, and it is minor. If we have any issues, we can roll back easily.
We have an issue with JDK 11 build with one of the plugins introduced recently. I have opened a ticket on the plugin moditect repo.
That was quick! Thanks a lot. Btw, this CVE was reported by the Dependency Checker tool. Sometimes it is not clear if this could be somehow exploited. When I saw a fixed version, I simply filed this issue.
Just out of curiosity, when will this change be released? I know version 1.0.83 was released last week, but I am wondering when a new release will happen. Thanks.
We are doing more tests to ensure that there are no issues with this version of Jackson. Once our test is completed, we will release another version. Thanks.
jackson 2.14 branch depends on the vulnerable snakeyaml 1.33 version, while the 2.15 branch (released recently) depends on the 2.0 version.
https://github.com/FasterXML/jackson-dataformats-text/blob/2.14/yaml/pom.xml