Commit 06476c8

Bump shaded bouncycastle and libthrift to clear remaining CVE findings (#1461)
## Summary

Clears the two remaining unsuppressed CVSS≥7 findings against the JDBC driver (visible via PR #1460's OSV-Scanner gate). Three commits — two version bumps and a small cleanup:

1. **bouncycastle 1.79 → 1.84** — addresses three GHSA-tracked vulnerabilities (CVE-2026-5598 severity 8.9 + two MEDIUMs). All three are NVD-CPE-invisible and were only surfaced by the new OSV-Scanner gate. One-line property bump.
2. **libthrift 0.19.0 → 0.23.0** — clears the May 2026 Apache Thrift advisory batch (GHSA-7pwc-h2j2-rjgj covering CVE-2026-41603/41604/41605/43869). Required regenerating the checked-in Thrift-generated Java sources because libthrift 0.21 broke API compatibility (added a third generic to `ProcessFunction` via THRIFT-5762).
3. **Remove in-repo Thrift IDL and regen script** — the IDL belongs upstream (it's the shared Thrift interface for multiple SQL drivers), not duplicated here. Generated Java sources are what the Maven build consumes; deleting the IDL doesn't change behavior. Future regenerations should run against the upstream IDL/tooling.

## What this PR is NOT

* It doesn't depend on PR #1460. The CVE findings exist on main today; this PR clears them whether or not the security-scan gate lands first.
* It doesn't touch the upstream IDL or attempt to centralize regen tooling. That's a separate cross-driver concern that can be addressed in its own change.

## Test plan

- [x] `mvn clean install -DskipTests -Plocal` succeeds across all three commits (including after the IDL/script deletion — the Maven build never referenced either).
- [x] `mvn -pl jdbc-core test -Plocal -Dgroups='!Jvm17PlusAndArrowToNioReflectionDisabled'` — **3288 tests, 0 failures, 0 errors** after the libthrift regen.
- [x] `mvn dependency:tree` confirms resolved versions: `libthrift 0.23.0`, `bcprov-jdk18on 1.84`, `bcpkix-jdk18on 1.84`.
- [ ] Full PR CI on this PR (will go green via the gate from #1460 once both PRs are on main).

## Follow-up: flip security-scan to required

Once both this PR and #1460 land, the PR security-scan gate from #1460 should have zero unsuppressed CVSS≥7 findings on main. That's the cue to flip the gate's check to required-to-merge in branch protection (the explicit plan from #1460).

This pull request and its description were written by Isaac.

---------

Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>
1 parent 82700db commit 06476c8

111 files changed

Lines changed: 8640 additions & 7752 deletions


NEXT_CHANGELOG.md

Lines changed: 2 additions & 0 deletions
@@ -70,6 +70,8 @@ upgrading. These changes do not affect metadata on All-Purpose Clusters.
7070
- Reclassify transient server errors to standard SQL states (08S01, 40001) across all Thrift error sites. This ensures UC unavailability and concurrent modification errors surface consistently for better retry handling. Note: Dashboards and branching logic keyed on legacy XXUCC or 42000 must be updated.
7171
- Fixed telemetry HTTP client socket leak that prevented CRaC checkpoint. After `Connection.close()`, delayed telemetry flush tasks could re-create HTTP clients that were never closed, leaking TCP sockets. Fixes #1325.
7272
- Fixed client-side enforcement of `maxRows` limit. When `statement.setMaxRows()` is set, `ResultSet.next()` now returns false once the row limit is reached, even if the server returns more rows. Applies to all result types (Thrift, SEA, inline, CloudFetch).
73+
- Bump shaded `bouncycastle` (`bcprov-jdk18on`, `bcpkix-jdk18on`) from 1.79 to 1.84 to address [CVE-2026-5598](https://github.com/advisories/GHSA-p93r-85wp-75v3) (covert timing channel, severity 8.9) and two related MEDIUM CVEs (GHSA-wg6q-6289-32hp, GHSA-c3fc-8qff-9hwx). All three are unsurfaced by NVD-CPE scanners but visible to GHSA-backed scanners like OSV.
74+
- Bump shaded `libthrift` from 0.19.0 to 0.23.0 to clear the May 2026 Apache Thrift advisory batch (GHSA-7pwc-h2j2-rjgj covering CVE-2026-41603/41604/41605/43869). The libthrift 0.21 release changed `ProcessFunction`'s generic signatures, which required regenerating the project's checked-in Thrift-generated Java sources with the matching compiler.
7375

7476
---
7577
*Note: When making changes, please add your change under the appropriate section
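Review bot: the libthrift entry says the generated sources were regenerated "with the matching compiler" but never records which compiler version was used, and the same change removes the in-repo IDL and regen script; record the compiler version (presumably the Thrift 0.23.0 compiler, to match the library) and point at the upstream IDL so the next regeneration is reproducible. Minor wording in the bouncycastle entry: "unsurfaced by NVD-CPE scanners" reads better as "not surfaced by NVD-CPE scanners".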

pom.xml

Lines changed: 2 additions & 2 deletions
@@ -72,7 +72,7 @@
7272
<httpclient.version>4.5.14</httpclient.version>
7373
<async-httpclient.version>5.5.2</async-httpclient.version>
7474
<httpcore5.version>5.3.6</httpcore5.version>
75-
<thrift.version>0.19.0</thrift.version>
75+
<thrift.version>0.23.0</thrift.version>
7676
<slf4j.version>2.0.13</slf4j.version>
7777
<jackson.version>2.18.7</jackson.version>
7878
<gson.version>2.13.2</gson.version>
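Review bot: this property bump is only safe together with the regenerated Thrift sources and the `getConfiguration()` change elsewhere in this commit, and nothing in the build enforces that coupling; add a comment beside `<thrift.version>` stating that the checked-in generated Java sources must be regenerated with a compiler of the same version whenever the property changes, so a future bump does not silently reintroduce the `ProcessFunction` signature mismatch.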
@@ -86,7 +86,7 @@
8686
<jts-core.version>1.20.0</jts-core.version>
8787
<resilience4j.version>1.7.0</resilience4j.version>
8888
<nimbusjose.version>10.0.2</nimbusjose.version>
89-
<bouncycastle.version>1.79</bouncycastle.version>
89+
<bouncycastle.version>1.84</bouncycastle.version>
9090
<jmh.version>1.37</jmh.version>
9191

9292
<!-- Test Dependencies -->
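Review bot: `bouncycastle.version` feeds both `bcprov-jdk18on` and `bcpkix-jdk18on` (per the changelog entry), so the single bump covers both artifacts; since the advisories motivating it are invisible to NVD-CPE scanners, add a short comment here naming GHSA-p93r-85wp-75v3 so that a later downgrade is not mistaken for harmless, and keep the `mvn dependency:tree` check from the test plan as the confirmation that the shaded build actually resolves 1.84 for both.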

src/main/java/com/databricks/jdbc/dbclient/impl/thrift/DatabricksHttpTTransport.java

Lines changed: 5 additions & 1 deletion
@@ -153,7 +153,11 @@ public void flush() throws TTransportException {
153153

154154
@Override
155155
public TConfiguration getConfiguration() {
156-
return null;
156+
// libthrift >= 0.21 dereferences the return of getConfiguration() when
157+
// reading messages (e.g. TProtocolUtil reading the recursion limit);
158+
// returning null causes a NullPointerException in transport code paths
159+
// that worked under 0.19. Return the framework default instead.
160+
return TConfiguration.DEFAULT;
157161
}
158162

159163
@Override
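Review bot: returning the shared `TConfiguration.DEFAULT` fixes the NullPointerException, but it also adopts libthrift's default read limits (max message size, max frame size, recursion depth) for every message this transport reads, where the 0.19 code path returned `null` and imposed none; confirm that large server responses stay within those defaults, and consider letting the transport take a `TConfiguration` from its constructor so callers can tune them. Since this only fails at runtime, add a regression test that drives a read through `DatabricksHttpTTransport` under 0.23.0 rather than relying on the existing suite to cover it.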
