update common-compress to address CVE-2024-25710 CVE-2024-26308

[janjwerner-confluent]

Description

• Update common-compress to 1.26.0 to address CVEs CVE-2024-25710 CVE-2024-26308
• Add commons-codec as a runtime dependency required by common-compress 1.26.0

This PR has:

• been self-reviewed.
  • using the concurrency checklist (Remove this item if the PR doesn't have any relation to concurrency.)
• added documentation for new or modified features or behaviors.
• a release note entry in the PR description.
• added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
• added or updated version, license, or notice information in licenses.yaml
• added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
• added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met.
• added integration tests.
• been tested in a test Druid cluster.

[janjwerner-confluent]

This resolves:
#15932
adding commons-codec as the required dependency of processing

[xvrl]

any reason we need to add this dependency to the processing pom?
It also seems odd we would only be declaring it a runtime dependency.

[janjwerner-confluent]

it's added to processing as this is where commons-compress is used.
The dependency is listed as optional for commons-compress (https://mvnrepository.com/artifact/org.apache.commons/commons-compress/1.26.0)
and is not needed compile time. The dependency is needed runtime (as illustrated by failing tests in #15932). If we add it in the compile scope we will need to add the suppression of dependency analyze tool.

[xvrl]

I see, can we add a comment to explain the reason for making it runtime?

Let's also update the PR description to mention that 1.26 added this optional dependency and that it is required in our case to make tests pass.