
Upgrade jackson databind to 2.13.2.2 to match core's version.properties #2000

Merged

Conversation

cwperks
Member

@cwperks cwperks commented Aug 8, 2022

Description

Upgrade of jackson-databind to address CVE-2020-36518. The version now matches the version in core's version.properties. This should be backported to 1.3.

  • Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation)

Maintenance

Check List

  • New functionality includes testing
  • New functionality has been documented
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@cwperks cwperks requested a review from a team August 8, 2022 18:21
@codecov-commenter

codecov-commenter commented Aug 8, 2022

Codecov Report

Merging #2000 (997dc40) into 1.x (b6dbb49) will decrease coverage by 0.01%.
The diff coverage is n/a.

@@             Coverage Diff              @@
##                1.x    #2000      +/-   ##
============================================
- Coverage     64.59%   64.58%   -0.02%     
  Complexity     3215     3215              
============================================
  Files           247      247              
  Lines         17358    17358              
  Branches       3085     3085              
============================================
- Hits          11213    11210       -3     
- Misses         4594     4597       +3     
  Partials       1551     1551              
Impacted Files | Coverage Δ
...security/auditlog/sink/InternalOpenSearchSink.java | 69.23% <0.00%> (-11.54%) ⬇️


@cwperks cwperks force-pushed the upgrade-jackson-databind-1.x branch from a4302be to 95ef4a8 on August 8, 2022 20:37
@cwperks
Member Author

cwperks commented Aug 8, 2022

The org.opensearch.plugin:transport-netty4-client:1.4.0-SNAPSHOT has not been updated since March and includes outdated netty 4.1.73.Final. The latest version of 1.3, which is 1.3.5-SNAPSHOT, includes netty 4.1.79.Final, so the whitesource error can be ignored.

peternied
peternied previously approved these changes Aug 8, 2022
…ion.properties and upgrade kafka dependencies

Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks cwperks force-pushed the upgrade-jackson-databind-1.x branch from bb1c0d1 to 997dc40 on August 9, 2022 15:06
@cwperks cwperks added the backport 1.3 backport to 1.3 branch label Aug 9, 2022
@cliu123
Member

cliu123 commented Aug 9, 2022

@cwperks Sorry if I missed any discussion related to the question. Is it possible to get the versions from OpenSearch core directly, so the security plugin wouldn't have to handle the versions?

@peternied peternied merged commit da24100 into opensearch-project:1.x Aug 9, 2022
@cwperks
Member Author

cwperks commented Aug 9, 2022

@cliu123 I was wondering the same thing and initially tried matching the main branch by using references to versions like ${versions.jackson_databind}, but the reference could not be found. Prior to 2.1 we do not have any references to versions. I believe this change enabled us to reference versions from core.
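
As an added example (not code from this PR or from the project), a small Python check of the kind the thread is discussing: it reads the `jackson_databind` entry from a copy of core's `version.properties`, compares it with the version a plugin build file pins, and confirms that version is at least the 2.13.2.2 this PR adopts for CVE-2020-36518. Both file contents below are constructed samples, and the property key `jackson_databind` is assumed from the `${versions.jackson_databind}` reference above.

```python
import re

# Constructed sample of a core version.properties file (not the real one).
CORE_VERSION_PROPERTIES = """\
opensearch = 1.3.5
jackson_databind = 2.13.2.2
netty = 4.1.79.Final
"""

# Constructed sample of a plugin build.gradle dependency block (not the real one).
PLUGIN_BUILD_GRADLE = """\
dependencies {
    implementation 'com.fasterxml.jackson.core:jackson-databind:2.13.2.2'
    implementation 'io.netty:netty-all:4.1.73.Final'
}
"""

def parse_version(v):
    """Turn '2.13.2.2' or '4.1.79.Final' into a comparable tuple: numeric parts
    compare as integers (so 2.13.2.10 > 2.13.2.9), qualifiers as strings."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.strip().split("."))

def core_versions(text):
    """Parse 'key = value' lines of a version.properties file into a dict."""
    return dict(re.findall(r"^\s*([\w.]+)\s*=\s*(\S+)", text, re.MULTILINE))

def gradle_versions(text):
    """Map 'group:artifact' -> version for literal coordinates in a build file."""
    coords = re.findall(r"[\"']([\w.-]+):([\w.-]+):([\w.-]+)[\"']", text)
    return {f"{g}:{a}": v for g, a, v in coords}

def check_dependency(core_key, coordinate, minimum, core_text=CORE_VERSION_PROPERTIES,
                     gradle_text=PLUGIN_BUILD_GRADLE):
    """Return (ok, message): ok only when the plugin pins exactly the version core
    declares for core_key and that version is at least `minimum`."""
    core_v = core_versions(core_text).get(core_key)
    plugin_v = gradle_versions(gradle_text).get(coordinate)
    if core_v is None or plugin_v is None:
        return False, f"{coordinate}: missing (core={core_v}, plugin={plugin_v})"
    if parse_version(plugin_v) != parse_version(core_v):
        return False, f"{coordinate} {plugin_v} differs from core {core_key} {core_v}"
    if parse_version(plugin_v) < parse_version(minimum):
        return False, f"{coordinate} {plugin_v} is below the required {minimum}"
    return True, f"{coordinate} {plugin_v} matches core and is >= {minimum}"

if __name__ == "__main__":
    print(check_dependency("jackson_databind",
                           "com.fasterxml.jackson.core:jackson-databind", "2.13.2.2"))
    print(check_dependency("netty", "io.netty:netty-all", "4.1.79.Final"))
```

The netty sample intentionally reproduces the mismatch described earlier in the thread (plugin on 4.1.73.Final, core on 4.1.79.Final), so the second check fails with a "differs from core" message.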

@opensearch-trigger-bot
Contributor

The backport to 1.3 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-1.3 1.3
# Navigate to the new working tree
cd .worktrees/backport-1.3
# Create a new branch
git switch --create backport/backport-2000-to-1.3
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 da24100ccc373dedb50d20ba18be96b5eb2d8b01
# Push it to GitHub
git push --set-upstream origin backport/backport-2000-to-1.3
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-1.3

Then, create a pull request where the base branch is 1.3 and the compare/head branch is backport/backport-2000-to-1.3.

cwperks added a commit to cwperks/security that referenced this pull request Aug 9, 2022
…ion.properties and upgrade kafka dependencies (opensearch-project#2000)

Signed-off-by: Craig Perkins <cwperx@amazon.com>
(cherry picked from commit da24100)
peternied pushed a commit that referenced this pull request Aug 12, 2022
…ion.properties and upgrade kafka dependencies (#2000) (#2004)

Signed-off-by: Craig Perkins <cwperx@amazon.com>
(cherry picked from commit da24100)