Suppress CVE-2025-49128 for jackson-core shaded in hadoop-client-runtime

[ashwintumma23]

Description

Adds an OWASP dependency-check suppression for CVE-2025-49128, which is flagged against the
jackson-core copy shaded inside hadoop-client-runtime-3.3.6.jar.

Why this is suppressed

• Druid's standalone jackson-core is already at 2.19.2 (managed via jackson-bom), which is
  not affected by this CVE. The flag originates from an older jackson-core version shaded internally
  inside hadoop-client-runtime-3.3.6.jar. There is no fix available in the Hadoop 3.3.x line yet,
  making this unavoidable without a major Hadoop upgrade.

• CVE-2025-52999 (also flagged against the same shaded copy) was already suppressed in the same
  block — this change brings CVE-2025-49128 in line with that existing suppression. It also fixes a typo in that entry.

Release note

• Suppress CVE-2025-49128 for jackson-core shaded inside hadoop-client-runtime. Druid's own jackson-core is unaffected at 2.19.2.

---

Key changed/added classes in this PR

• owasp-dependency-check-suppressions.xml: Added CVE-2025-49128 to the hadoop-client-runtime-3.3.6.jar
  suppression block, alongside fixing a typo the existing CVE-2025-52999 entry.

---

This PR has:

• been self-reviewed.
  • using the concurrency checklist (Remove this item if the PR doesn't have any relation to concurrency.)
• added documentation for new or modified features or behaviors.
• a release note entry in the PR description.
• added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
• added or updated version, license, or notice information in licenses.yaml
• [] added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
• added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met.
• added integration tests.
• been tested in a test Druid cluster.

[abhishekrb19]

Since hadoop ingestion is being removed in #19109, would this suppression be relevant?

[clintropolis]

Since hadoop ingestion is being removed in #19109, would this suppression be relevant?

not sure, maybe since like the hdfs and other hadoopy extensions also probably contain this? I can always check by running the thing next time I have that branch checked out.

[FrankChen021]

P2 Scope the CVE suppression to Hadoop runtime

This suppression block has only notes plus CVE entries, with no packageUrl, filePath, gav, or sha1 selector. Dependency-Check notes are descriptive, so adding CVE-2025-49128 here suppresses that CVE globally, not just for jackson-core shaded inside hadoop-client-runtime-3.3.6.jar. That can hide a real vulnerable jackson-core if it appears elsewhere now or in a future dependency change. Please constrain this suppression to the Hadoop runtime artifact or shaded file path/hash.