GoogleCloudPlatform / functions-framework-java

FaaS (Function as a service) framework for writing portable Java functions
Apache License 2.0

CVE-2022-42004: Transitive dependency (jackson) from io.cloudevents:cloudevents-json-jackson vulnerable #245

Closed stummb closed 1 week ago

stummb commented 12 months ago

jackson-json is included transitively via cloudevents-json-jackson. The included version is vulnerable (CVE-2022-42004).

The version is updated there (https://github.com/cloudevents/sdk-java/issues/588), but needs to be released. As soon as this is done, it can be updated here.

Is it advisable to use dependency overrides until then?

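The dependency override asked about above, as an added example (not from the functions-framework-java project): a Maven `dependencyManagement` entry pins the `jackson-databind` that `io.cloudevents:cloudevents-json-jackson` pulls in transitively, so the consuming build resolves a patched version until the upstream SDK release lands. Both `JACKSON_FIXED_VERSION` and `CLOUDEVENTS_VERSION` are placeholders to fill in from the CVE-2022-42004 advisory and the SDK release notes.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example pom.xml, not the project's own. Placeholder versions are
     marked in UPPER_CASE and must be replaced before use. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>jackson-override-example</artifactId>
  <version>1.0-SNAPSHOT</version>

  <!-- A managed version wins over any version a transitive dependency
       declares, so this is the override point for the vulnerable jar. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>JACKSON_FIXED_VERSION</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The direct dependency that brings jackson-databind in transitively. -->
    <dependency>
      <groupId>io.cloudevents</groupId>
      <artifactId>cloudevents-json-jackson</artifactId>
      <version>CLOUDEVENTS_VERSION</version>
    </dependency>
  </dependencies>
</project>
```

Confirm the override took effect with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind`, which prints the single resolved version; remove the managed entry once the SDK release that ships the fix is adopted, so the pin does not silently hold back future upgrades.
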
HKWinterhalter commented 10 months ago

It appears that only JsonFormat.CONTENT_TYPE is used here and therefore doesn't pertain to the CVE (custom deserialization methods). Otherwise I do think the correct place for this is requesting cloudevents java sdk to release a newer version.

jrmfg commented 3 months ago

https://github.com/GoogleCloudPlatform/functions-framework-java/pull/274 - cloudevents opted to roll this into the 3.0 release, so we have to bump the cloudevents-sdk version we require, too.