Fix CVE-2026-42198 (pgjdbc) and suppress CVE-2026-41417 (Netty)

CVE-2026-42198 (pgjdbc DoS, CVSS 7.5):
- Upgrade document-store from 0.8.6 to 0.9.45, which brings
  postgresql 42.7.11 (the fixed version).

CVE-2026-41417 (Netty CRLF injection, CVSS 5.3):
- Upgrade netty-bom from 4.1.132.Final to 4.1.133.Final (fixed version).
- Added temporary OWASP suppression because the published hypertrace-bom
  (0.3.78) still imports netty-bom:4.1.132.Final, and transitive deps
  resolve against that published version rather than the local project.

Temporary workarounds in this branch (to be removed in sequence):
1. Service-framework deps commented out in test-consumer — the published
   service-framework:0.1.93 still declares old Jetty 11 coordinates
   (org.eclipse.jetty:jetty-servlet) which don't exist in Jetty 12.
2. CVE-2026-41417 OWASP suppression — netty 4.1.132 comes transitively
   from the published hypertrace-bom:0.3.78.

Resolution steps:
1. Publish this BOM as 0.3.79 (with Jetty 12 EE10 + Netty 4.1.133.Final)
2. Update service-framework to use BOM 0.3.79 catalog, publish new version
3. Bump service-framework version in this BOM, uncomment deps in
   test-consumer, and remove the OWASP suppression

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: sidharth-jain23

gradle/libs.versions.toml

@@ -10,7 +10,7 @@ hypertrace-gatewayservice = "0.3.9"
 hypertrace-entityservice = "0.8.86"
 hypertrace-configservice = "0.1.74"
 jetty = "12.1.9"
-netty = "4.1.132.Final"
+netty = "4.1.133.Final"
 
 junit = "5.10.0"
 mockito = "5.8.0"
@@ -86,7 +86,7 @@ hypertrace-framework-metrics = { module = "org.hypertrace.core.serviceframework:
 hypertrace-integrationtest-framework = { module = "org.hypertrace.core.serviceframework:integrationtest-service-framework", version.ref = "hypertrace-framework" }
 hypertrace-framework-documentstore-metrics = { module = "org.hypertrace.core.serviceframework:docstore-metrics", version.ref = "hypertrace-framework" }
 
-hypertrace-documentstore = { module = "org.hypertrace.core.documentstore:document-store", version = "0.8.6" }
+hypertrace-documentstore = { module = "org.hypertrace.core.documentstore:document-store", version = "0.9.45" }
 hypertrace-eventstore = { module = "org.hypertrace.core.eventstore:event-store", version = "0.1.5" }
 hypertrace-kafka-bom = { module = "org.hypertrace.core.kafkastreams.framework:kafka-bom", version.ref = "hypertrace-kafka" }
 hypertrace-kafka-framework = { module = "org.hypertrace.core.kafkastreams.framework:kafka-streams-framework", version.ref = "hypertrace-kafka" }

owasp-suppressions.xml

@@ -1,3 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+  <suppress>
+    <notes><![CDATA[Temporary suppression until service-framework is published with Netty 4.1.133.Final]]></notes>
+    <cve>CVE-2026-41417</cve>
+  </suppress>
 </suppressions>