Update Jackson to 2.19.2

patch by Stefan Miklosovic; reviewed by Brandon Williams for CASSANDRA-20848

Author: smiklosovic

.build/dependency-check-suppressions.xml

@@ -52,13 +52,6 @@
         <cve>CVE-2023-44487</cve>
         <cve>CVE-2025-25193</cve>
     </suppress>
-    <!-- https://issues.apache.org/jira/browse/CASSANDRA-17966 -->
-    <suppress>
-        <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
-        <cve>CVE-2022-42003</cve>
-        <cve>CVE-2022-42004</cve>
-        <cve>CVE-2023-35116</cve>
-    </suppress>
 
     <!-- https://issues.apache.org/jira/browse/CASSANDRA-19142 -->
     <!-- https://issues.apache.org/jira/browse/CASSANDRA-20412 -->

.snyk

@@ -34,16 +34,10 @@ ignore:
     - reason: https://issues.apache.org/jira/browse/CASSANDRA-17907 -- ^pkg:maven/org\.yaml/snakeyaml@.*$
   CVE-2022-41881:
     - reason: netty's http stuff is not applicable here -- ^pkg:maven/io\.netty/netty\-all@.*$
-  CVE-2022-42003:
-    - reason: https://issues.apache.org/jira/browse/CASSANDRA-17966 -- ^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$
-  CVE-2022-42004:
-    - reason: https://issues.apache.org/jira/browse/CASSANDRA-17966 -- ^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$
   CVE-2023-2976:
     - reason: not applicable https://nvd.nist.gov/vuln/detail/CVE-2020-8908 -- ^pkg:maven/com\.google\.guava/guava@.*$
   CVE-2023-34462:
     - reason: netty's http stuff is not applicable here -- ^pkg:maven/io\.netty/netty\-all@.*$
-  CVE-2023-35116:
-    - reason: https://issues.apache.org/jira/browse/CASSANDRA-17966 -- ^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$
   CVE-2023-44487:
     - reason: netty's http stuff is not applicable here -- ^pkg:maven/io\.netty/netty\-all@.*$
   CVE-2023-6378:

CHANGES.txt

@@ -1,4 +1,5 @@
 4.0.19
+ * Update Jackson to 2.19.2 (CASSANDRA-20848)
  * Update commons-lang3 to 3.18.0 (CASSANDRA-20849)
  * Add NativeTransportMaxConcurrentConnectionsPerIp to StorageProxyMBean (CASSANDRA-20642)
  * Make secondary index implementations notified about rows in fully expired SSTables in compaction (CASSANDRA-20829)

build.xml

@@ -574,9 +574,9 @@
           <dependency groupId="org.slf4j" artifactId="jcl-over-slf4j" version="1.7.25" />
           <dependency groupId="ch.qos.logback" artifactId="logback-core" version="1.2.9"/>
           <dependency groupId="ch.qos.logback" artifactId="logback-classic" version="1.2.9"/>
-          <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-core" version="2.13.2"/>
-          <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-databind" version="2.13.2.2"/>
-          <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-annotations" version="2.13.2"/>
+          <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-core" version="2.19.2"/>
+          <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-databind" version="2.19.2"/>
+          <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-annotations" version="2.19.2"/>
           <dependency groupId="com.googlecode.json-simple" artifactId="json-simple" version="1.1"/>
           <dependency groupId="com.boundary" artifactId="high-scale-lib" version="1.0.6"/>
           <dependency groupId="com.github.jbellis" artifactId="jamm" version="${jamm.version}"/>