unpin snakeyaml, add suppressions and licenses

[janjwerner-confluent]

Description

This removes the pin of the Snakeyaml introduced in:
#14519
After the updates of io.kubernetes.java-client and io.confluent.kafka-clients, the only uses of the Snakeyaml 1.x are:

• in test scope, transitive dependency of jackson-dataformat-yaml:jar:2.12.7
• in compile scope in contrib extension druid-cassandra-storage
• in compile scope in it-tests.

With the dependency version un-pinned, io.kubernetes.java-client and io.confluent.kafka-clients bring Snakeyaml versions 2.0 and 2.2, consequently allowing to build a Druid distribution without the contrib-extension and free of vulnerable Snakeyaml versions.

This PR has:

• been self-reviewed.
  • using the concurrency checklist (Remove this item if the PR doesn't have any relation to concurrency.)
• added documentation for new or modified features or behaviors.
• a release note entry in the PR description.
• added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
• added or updated version, license, or notice information in licenses.yaml
• added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
• added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met.
• added integration tests.
• been tested in a test Druid cluster.

[janjwerner-confluent]

The long term solution is to migrate to an updated version of jackson, as updates to 2.12.x branch are unlikely except for critical issues.
see discussion at:
FasterXML/jackson-jaxrs-providers#177

[xvrl]

do we need this section since you already updated the version in the section above?

[janjwerner-confluent]

fixed it to protobuf-extensions

[xvrl]

do we know where 1.27 comes from in integration tests? It would be nice if we could upgrade integration tests to 2.x as well.

[janjwerner-confluent]

it's transitive dependency of:
com.fasterxml.jackson.dataformat:jackson-dataformat-yaml 2.12.7
so unless we update jackson there, can't upgrade.

[xvrl]

let's update the version since we pin integration tests to 1.33 and not 1.27

[xvrl]

if this is more hairy, we can do the jackson upgrade as a follow-up

[xvrl]

minor nit about version numbers in the comments, otherwise LGTM.

It also, looks intellij-inspections is failling with integration-tests-ex/cases/pom.xml:21 -- Failed to read artifact descriptor for org.yaml:snakeyaml:jar:1.21 #loc

[janjwerner-confluent]

I believe I've fixed the versions. Not sure about the failing checks, except for the last one, they all seemed unrelated. gonna investigate a bit further.

[janjwerner-confluent]

@xvrl
passed the re-runs.

[xvrl]

we shouldn't be regressing here and have everything at least on 1.33 like we did before.

[janjwerner]

This is just for completeness as snakeyaml is not packaged in the standard distribution
mvn clean install -Pdist -DskipTests
dependency-check-maven is disabled for the contrib extensions and it tests, this suppression stays in place if we re-enable checks on the additional modules)

[janjwerner]

please see:
#15447
#15026