Open ssu2-atl opened 1 month ago
Tried backporting the PR but experienced issues with gradle, as Jackson 2.15 is a multi-release jar and the gradle version (6.6.1 on OS 1.3) doesn't handle that https://github.com/opensearch-project/OpenSearch/pull/16032#issuecomment-2367004700
Gradle 7.6.4 handles multi-release jars, however https://github.com/opensearch-project/OpenSearch/pull/1657#issue-1072157216 notes that:
As per discussion https://github.com/opensearch-project/opensearch-build/issues/1247, the decision was taken to keep 1.x on Gradle 6.x in order to not disrupt the plugin developers.
@ssu2-atl Thanks for creating this - we are looking into this issue
Describe the bug
1.3.x is currently using Jackson 2.14.2. Jackson 2.14.2 is affected by https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-7569538. Bumping to 2.15.0+ would help with addressing issues raised by security scanners that consider OpenSearch 1.3.x as affected.
Related component
Libraries
To Reproduce
Check Jackson version on the latest 1.3 branch.
Expected behavior
1.3.x is using Jackson 2.15.0+
Additional Details
Additional context: https://github.com/opensearch-project/OpenSearch/pull/7286 (which bumps Jackson to 2.15.0) has been merged for future releases.
Questions
Is OpenSearch 1.3.x affected by this VULN (https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-7569538)?
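As an added example, not code from this thread or from the OpenSearch project: a Python audit that reads the Jackson version and the Multi-Release manifest flag straight from each jar's own metadata in a lib/ directory, flagging anything below the 2.15.0 target from the report and anything multi-release (which the Gradle 6.x build on the 1.3 branch cannot consume). The sample jars it builds are constructed metadata-only placeholders, not real Jackson releases.

```python
"""Audit Jackson jars in an OpenSearch lib/ dir: version, below-2.15.0, multi-release."""
import re
import tempfile
import zipfile
from pathlib import Path

FIXED_VERSION = (2, 15, 0)  # bump target named in the issue

def parse_version(text):
    """Turn '2.14.2' or '2.15.0-rc1' into a comparable tuple of ints."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g) for g in m.groups())

def inspect_jar(path):
    """Return (artifactId, version, multi_release) from jar metadata, or None if not Jackson."""
    with zipfile.ZipFile(path) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        multi = re.search(r"^Multi-Release:\s*true\s*$", manifest, re.M | re.I) is not None
        props = [n for n in jar.namelist()
                 if n.startswith("META-INF/maven/com.fasterxml.jackson") and n.endswith("pom.properties")]
        if not props:
            return None
        lines = jar.read(props[0]).decode("utf-8", "replace").splitlines()
        kv = dict(ln.split("=", 1) for ln in lines if "=" in ln and not ln.startswith("#"))
        return kv["artifactId"].strip(), kv["version"].strip(), multi

def audit_jackson_jars(lib_dir):
    """Scan *.jar files under lib_dir; return one finding per Jackson jar."""
    findings = []
    for jar_path in sorted(Path(lib_dir).glob("*.jar")):
        info = inspect_jar(jar_path)
        if info is None:
            continue  # not a Jackson artifact, nothing to report
        artifact, version, multi = info
        findings.append({"artifact": artifact, "version": version, "multi_release": multi,
                         "below_fix": parse_version(version) < FIXED_VERSION})
    return findings

def build_sample_lib():
    """Constructed sample lib/ with metadata-only jars (not real Jackson releases)."""
    lib = Path(tempfile.mkdtemp())
    for artifact, version, multi in (("jackson-core", "2.14.2", False), ("jackson-databind", "2.15.0", True)):
        manifest = "Manifest-Version: 1.0\r\n" + ("Multi-Release: true\r\n" if multi else "") + "\r\n"
        props = f"version={version}\ngroupId=com.fasterxml.jackson.core\nartifactId={artifact}\n"
        with zipfile.ZipFile(lib / f"{artifact}-{version}.jar", "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", manifest)
            jar.writestr(f"META-INF/maven/com.fasterxml.jackson.core/{artifact}/pom.properties", props)
    return str(lib)
```

Point audit_jackson_jars at a real OpenSearch lib/ directory to get the same findings from the shipped jars instead of the constructed sample.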