Bump jackson-databind to 2.13.2.2 via switching to BOM

Individual libs in Jackson don't necessarily all get released at the same time. The BOM is the right way to ensure versions are all on latest. In this case, to get a CVE patched within databind. See FasterXML/jackson-databind#3428 for more detail

agent/build.gradle

@@ -163,9 +163,9 @@ task verifyJar(type: VerifyJarTask) {
       "httpmime-${project.versions.apacheHttpComponents}.jar",
       "istack-commons-runtime-3.0.7.jar",
       "j2objc-annotations-1.3.jar",
-      "jackson-annotations-${project.versions.jackson}.jar",
-      "jackson-core-${project.versions.jackson}.jar",
-      "jackson-databind-${project.versions.jackson}.jar",
+      "jackson-annotations-2.13.2.jar",
+      "jackson-core-2.13.2.jar",
+      "jackson-databind-2.13.2.2.jar",
       "javax.activation-api-1.2.0.jar",
       "javax.annotation-api-${project.versions.javaxAnnotation}.jar",
       "javax.inject-1.jar",

base/build.gradle

@@ -20,6 +20,10 @@ dependencies {
   providedAtPackageTime project.deps.bouncyCastle
   providedAtPackageTime project.deps.bouncyCastlePkix
 
+  // Use BOMs to control versions of dependencies for other projects, all of which consume 'base'.
+  // This is following https://docs.gradle.org/current/userguide/platforms.html#sub:bom_import
+  api enforcedPlatform(project.deps.jacksonBom)
+
   api(project.deps.apacheAnt)  {
     transitive = false
   }

build.gradle

@@ -634,15 +634,11 @@ subprojects {
   configurations.all { configuration ->
 
     def versionOverrides = [
-      "com.fasterxml.jackson.core:jackson-annotations": project.versions.jackson,
-      "com.fasterxml.jackson.core:jackson-core"       : project.versions.jackson,
-      "com.fasterxml.jackson.core:jackson-databind"   : project.versions.jackson,
       "commons-beanutils:commons-beanutils"           : project.versions.commonsBeanutils,
       "org.apache.commons:commons-pool2"              : project.versions.commonsPool,
       "org.objenesis:objenesis"                       : project.versions.objenesis,
     ]
 
-
     configuration.resolutionStrategy.eachDependency { DependencyResolveDetails details ->
       def overrideVersion = versionOverrides[details.requested.group + ":" + details.requested.name]
 

dependencies.gradle

@@ -61,7 +61,7 @@ final Map<String, String> libraries = [
   hamcrest            : 'org.hamcrest:hamcrest-core:2.2',
   hibernate           : 'org.hibernate:hibernate-ehcache:3.6.10.Final',
   httpClientMock      : 'com.github.paweladamski:HttpClientMock:1.10.0',
-  jackson             : 'com.fasterxml.jackson.core:jackson-core:2.13.2',
+  jacksonBom          : 'com.fasterxml.jackson:jackson-bom:2.13.2.20220328',
   javaAssist          : 'javassist:javassist:3.12.1.GA',
   javaxAnnotation     : 'javax.annotation:javax.annotation-api:1.3.2',
   jaxb                : 'javax.xml.bind:jaxb-api:2.3.1',
@@ -142,7 +142,6 @@ final Map<String, String> v = [
   h2                  : versionOf(libraries.h2),
   hamcrest            : versionOf(libraries.hamcrest),
   hibernate           : versionOf(libraries.hibernate),
-  jackson             : versionOf(libraries.jackson),
   javaAssist          : versionOf(libraries.javaAssist),
   javaxAnnotation     : versionOf(libraries.javaxAnnotation),
   jaxb                : versionOf(libraries.jaxb),
@@ -189,14 +188,15 @@ final Map<String, String> v = [
 ]
 
 // While Dependabot won't be able to parse these deps, these will get upgraded for free anyway since they share versions
-// with dependencies declared above that are parseable by Dependabot. This is just a workaround to be DRY while still
-// benefiting from Dependabot's automatic PR upgrades.
+// with dependencies declared above that are parseable by Dependabot, or are managed by platforms.
+// This is just a workaround to be DRY while still benefiting from Dependabot's automatic PR upgrades.
 final Map<String, String> related = [
   apacheHttpMime          : "org.apache.httpcomponents:httpmime:${v.apacheHttpComponents}",
   aspectjWeaver           : "org.aspectj:aspectjweaver:${v.aspectj}",
   bouncyCastlePkix        : "org.bouncycastle:bcpkix-jdk15on:${v.bouncyCastle}",
   hamcrestLibrary         : "org.hamcrest:hamcrest-library:${v.hamcrest}",
-  jacksonDatabind         : "com.fasterxml.jackson.core:jackson-databind:${v.jackson}",
+  jacksonCore             : 'com.fasterxml.jackson.core:jackson-core',
+  jacksonDatabind         : 'com.fasterxml.jackson.core:jackson-databind',
   jaxbRuntime             : "org.glassfish.jaxb:jaxb-runtime:${v.jaxb}",
   jettyDeploy             : "org.eclipse.jetty:jetty-deploy:${v.jetty}",
   jettyJmx                : "org.eclipse.jetty:jetty-jmx:${v.jetty}",

server/build.gradle

@@ -863,9 +863,9 @@ task verifyWar(type: VerifyJarTask) {
         "httpmime-${project.versions.apacheHttpComponents}.jar",
         "istack-commons-runtime-3.0.7.jar",
         "j2objc-annotations-1.3.jar",
-        "jackson-annotations-${project.versions.jackson}.jar",
-        "jackson-core-${project.versions.jackson}.jar",
-        "jackson-databind-${project.versions.jackson}.jar",
+        "jackson-annotations-2.13.2.jar",
+        "jackson-core-2.13.2.jar",
+        "jackson-databind-2.13.2.2.jar",
         "jakarta.activation-2.0.1.jar",
         "javassist-${project.versions.javaAssist}.jar",
         "javax.activation-api-1.2.0.jar",

spark/spark-base/build.gradle

@@ -20,7 +20,8 @@ dependencies {
   api project(':common')
   api project(':server')
 
-  implementation project.deps.jackson
+  implementation platform(project.deps.jacksonBom)
+  implementation project.deps.jacksonCore
   implementation project.deps.jacksonDatabind
   implementation project.deps.springWeb