Get rid of jackson to avoid the continuous flow of CVEs in Jackson

[damccorm]

Jackson keeps having CVE on all releases of databind and transitively beam sdk java core has CVE on all its releases (for the record, when writing this issue you must use at least jackson-databind 2.9.9.2 but last week it was 2.9.9.1 and 2.14 didn't get the fix).

Can be neat to get rid of jackson which does not fix this issue for a very long time now and just use JSON-B or another JSON impl to ensure the CVE is not usable because beam is there.

Imported from Jira BEAM-7881. Original Jira may contain additional context.
Reported by: romain.manni-bucau.

[cowtowncoder]

FWTW Jackson 2.10.x and later are not vulnerable to this class of CVEs so this particular problem is no longer relevant.

[Abacn]

This Issue is marked as Beam 3 - Milestone 1: No Code and ML focus. Please help us burning down the open blocker tasks.

• If this issue is solved, close it. If it is obsolete, close as not planned. If it is no longer necessary for Beam 3, move it out of the Milestone.

• If the work is pending, please be reminded that Milestone 1 is targeted for completion by Dec 30, 2025

• If this issue involves multiple milestones (e.g. remove a public API should first mark it as deprecated, scoped in Milestone 1; then finally remove it in Beam 3 release candidate, scoped in Milestone 3) and Milestone 1 portion has completed, consider move the Issue to Milestone 3.

[Abacn]

I think this is now obsolete. Beam and some of its popular dependencies (calcite, iceberg, hadoop) still use jackson databind. Even Beam itself moved out of jackson-databind user pipeline may still depends on it.