Update dependencies for EU CRA fix#30

Open
zahidblackduck wants to merge 6 commits into master from dev/zahidblackduck/IDETECT-5086-alpine-image-eu-cra-fix-hub-imageinspector-end

Conversation

@zahidblackduck zahidblackduck commented May 13, 2026

JIRA Ticket

IDETECT-5086

Depends on the pull request blackducksoftware/hub-imageinspector-lib#40

Description

This pull request changes the alpine:3.23 image to chainguard-base:latest.

Additionally, this pull request bumps the hub-imageinspector-lib version to 15.0.5. hub-imageinspector-lib:15.0.5 pulls integration-bdio:27.0.5, which in turn pulls integration-common:27.0.4, which updates the transitive dependency json-path from 2.9.0 to 2.10.0 to resolve a transitive vulnerable dependency as part of the EU CRA compliance effort.

json-path:2.9.0 pulls in json-smart:2.5.0, which carries CVE-2024-57699 (BDSA-2025-0966).
This update transitively brings in json-smart:2.6.0, which is free of this vulnerability, and thus the safe version flows to all downstream consumers automatically.

Another updated dependency is com.fasterxml.jackson:jackson-bom:2.18.6.

And the following overrides were applied:

ext['tomcat.version'] = '9.0.117'
ext['json-path.version'] = '2.10.0'
ext['json-smart.version'] = '2.6.0'

Notes

The io.spring.dependency-management plugin imports a Spring Boot BOM, which manages versions for common libraries (json-path, json-smart, jackson, etc.). BOM-managed versions take precedence over both Gradle constraints blocks and resolutionStrategy.force() directives, silently downgrading explicitly pinned versions.

So every project that imports a Spring Boot BOM must independently override the BOM properties for any dependency it needs at a different version.

That's why the json-smart and json-path overrides were applied and the Jackson BOM was upgraded from 2.12.4 to 2.18.6 in the dependencyManagement block to avoid this problem.
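The BOM precedence described in the notes above, shown as an added build.gradle example (not this repository's own build file): the first block pins json-smart through a constraints block, which the Spring Boot BOM still overrides for the transitive json-path/json-smart chain; the second block uses the BOM property overrides and the Jackson BOM import that the PR describes. Plugin versions and the dependency that pulls in json-path are assumptions for illustration.

```groovy
// --- Ineffective: the managed version from the Spring Boot BOM still wins ---
plugins {
    id 'java'
    id 'org.springframework.boot' version '2.7.18'        // assumed version
    id 'io.spring.dependency-management' version '1.1.4'  // assumed version
}

dependencies {
    // Assumed dependency that transitively pulls json-path -> json-smart.
    implementation 'com.example:some-library:1.0.0'
    constraints {
        // The BOM manages json-smart for transitive dependencies, so this
        // constraint is silently replaced by the BOM's (vulnerable) version.
        implementation 'net.minidev:json-smart:2.6.0'
    }
}

// --- Effective: override the BOM properties and import a newer Jackson BOM ---
// (In a real project keep only one of the two blocks; both are shown side by side.)
ext['tomcat.version']    = '9.0.117'
ext['json-path.version'] = '2.10.0'   // json-path 2.10.0 pulls json-smart 2.6.0
ext['json-smart.version'] = '2.6.0'   // pin explicitly so nothing else drags 2.5.0 back

dependencyManagement {
    imports {
        // Managed Jackson versions come from this BOM instead of the
        // older one bundled with the Spring Boot BOM.
        mavenBom 'com.fasterxml.jackson:jackson-bom:2.18.6'
    }
}
```

To confirm the override actually took effect rather than trusting the declaration, inspect the resolved graph with `./gradlew dependencyInsight --configuration runtimeClasspath --dependency json-smart` and check that 2.6.0 is the selected version.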

@zahidblackduck zahidblackduck self-assigned this May 13, 2026
@zahidblackduck zahidblackduck marked this pull request as draft May 13, 2026 12:00
@zahidblackduck zahidblackduck requested a review from dterrybd May 19, 2026 18:41
@zahidblackduck zahidblackduck marked this pull request as ready for review May 21, 2026 07:30
Comment thread on build.gradle (outdated)
destFile = project.file("${buildDir}/images/${linuxFlavorDirName}/${appName}/Dockerfile")
logger.lifecycle("destFile: ${destFile}")
from linuxFlavor
from 'artifactory.tools.duckutil.net:5010/blackduck.com/chainguard-base:latest'
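Review bot: `chainguard-base:latest` is a floating tag, so the base image that ends up in the built Dockerfile can change from one build to the next with no change in this repository, which also makes the CRA-motivated fix hard to audit later. Pin an explicit version tag or, better, an image digest (e.g. `chainguard-base:<version>@sha256:<digest>`, values to be taken from the registry) and bump it deliberately, ideally with an automated update check so the pin does not go stale.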

The other changes seem fine to me; this one might be too, but I'm wondering if it has been tested further up before we merge to master. For example, do we know that the chainguard move works in hub-imageinspector and, better yet, in docker inspector?
