
Commit bed2546

Upgrade Jackson dependency to a safe version (#703)
# Summary

Upgrades Jackson from 2.15.2 to 2.18.6 to fix GHSA-72hv-8253-57qq (High severity, CVSS 8.7), a denial-of-service vulnerability in jackson-core's async JSON parser.

# Motivation

The async JSON parser in jackson-core versions prior to 2.18.6 does not enforce the maxNumberLength constraint (default: 1000 characters), while the synchronous parser does. This allows an attacker to submit JSON with arbitrarily long numeric values, causing memory and CPU exhaustion — particularly in reactive/non-blocking applications (e.g. Spring WebFlux). This is classified as CWE-770 (Allocation of Resources Without Limits or Throttling).

The SDK currently pins Jackson at 2.15.2, which falls in the vulnerable range (2.0.0–2.18.5). All consumers of the SDK inherit this version, so the fix must be applied upstream here rather than overridden at each consumer.

# Changes

- databricks-sdk-java/pom.xml: Bumps jackson.version from 2.15.2 to 2.18.6 (affects jackson-core, jackson-databind, jackson-annotations, jackson-datatype-jsr310, jackson-datatype-guava). Adds jackson-datatype-jdk8 as a new dependency.
- SerDeUtils.java: Registers Jdk8Module on the shared ObjectMapper. This is required because Jackson 2.18.x no longer serializes/deserializes java.util.Optional types by default — the SDK's Request class uses Optional<Boolean> for redirectionBehavior, which fails without this module.

# Test plan

- All 1093 existing unit tests pass with no changes needed.
- The jackson-datatype-jdk8 module addition was validated by the ApiClientTest.errorDetails test, which exercises serialization of Request objects containing Optional fields.

NO_CHANGELOG=true
1 parent 0afd4ef commit bed2546

2 files changed

+9
-1
lines changed


databricks-sdk-java/pom.xml

Lines changed: 7 additions & 1 deletion
@@ -11,7 +11,7 @@
1111
<name>Databricks SDK for Java</name>
1212
<properties>
1313
<httpclient.version>4.5.14</httpclient.version>
14-
<jackson.version>2.15.2</jackson.version>
14+
<jackson.version>2.18.6</jackson.version>
1515
<junit-bom.version>5.10.0</junit-bom.version>
1616
<maven.compiler.source>1.8</maven.compiler.source>
1717
<maven.compiler.target>1.8</maven.compiler.target>
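Review bot: nothing in this hunk records why 2.18.6 is the floor for `jackson.version`, so a later dependency refresh or a merge conflict could move the property back into the affected range (2.0.0–2.18.5 per the commit message) without anyone noticing. Suggest a comment next to the property, e.g. `<!-- 2.18.6 or later required: GHSA-72hv-8253-57qq (async parser ignored maxNumberLength) -->`, and a dependency-vulnerability scan in CI so a downgrade fails the build instead of being rediscovered by an advisory.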
@@ -110,6 +110,12 @@
110110
<artifactId>jackson-datatype-guava</artifactId>
111111
<version>${jackson.version}</version>
112112
</dependency>
113+
<!-- Jackson JDK8 module needed to serialize/deserialize java.util.Optional -->
114+
<dependency>
115+
<groupId>com.fasterxml.jackson.datatype</groupId>
116+
<artifactId>jackson-datatype-jdk8</artifactId>
117+
<version>${jackson.version}</version>
118+
</dependency>
113119
<!-- Google Auto Value -->
114120
<dependency>
115121
<groupId>com.google.auto.value</groupId>
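Review bot: `jackson-datatype-jdk8` is added at default (compile) scope, so every SDK consumer now inherits it; the comment on line 113+ says only that it handles `java.util.Optional`. Suggest naming the concrete reason in the comment (the commit message cites `Request.redirectionBehavior` typed as `Optional<Boolean>`) so a future "unused dependency" cleanup does not remove it, and note that consumers who build their own `ObjectMapper` for SDK types will need the same module.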

databricks-sdk-java/src/main/java/com/databricks/sdk/core/utils/SerDeUtils.java

Lines changed: 2 additions & 0 deletions
@@ -6,6 +6,7 @@
66
import com.fasterxml.jackson.databind.ObjectMapper;
77
import com.fasterxml.jackson.databind.SerializationFeature;
88
import com.fasterxml.jackson.datatype.guava.GuavaModule;
9+
import com.fasterxml.jackson.datatype.jdk8.Jdk8Module;
910
import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
1011

1112
/** Utilities for serialization and deserialization in the Databricks Java SDK. */
@@ -16,6 +17,7 @@ public static ObjectMapper createMapper() {
1617
mapper
1718
.registerModule(new JavaTimeModule())
1819
.registerModule(new GuavaModule())
20+
.registerModule(new Jdk8Module())
1921
.registerModule(new ProtobufModule())
2022
.configure(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS, false)
2123
.configure(SerializationFeature.FAIL_ON_EMPTY_BEANS, false)
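Review bot: the `.registerModule(new Jdk8Module())` line is the behavioural part of this change, but the test plan covers it only incidentally through `ApiClientTest.errorDetails`. Suggest a dedicated unit test against `SerDeUtils.createMapper()` that round-trips an `Optional<Boolean>` field in the empty, `Optional.of(true)` and `Optional.of(false)` states, so that removing or reordering this registration fails a test whose name explains why the module is there.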
