TDB-19854 - Remove vulnerable dependencies

[aurbroszniowski]

• Removed Gretty and used an embedded jetty 12 instance instead - See EmbeddedPeeperServer and Peeper* classes inside the demos folder.
• Moved to jakarta
• Moved to SpotBug 4.5.8 because of CVE (commons-text:1.9 and gson:2.8.6)
  This required to add a few rules (e.g. spotbugs.getOmitVisitors().addAll("FindReturnRef", "ConstructorThrow");) and uncovered a few issues (TiredStore, UserManagerCacheBuilder).
• Moved to assertJ 3.27.7 because of CVE. This required to move to Mockito 5.12.0 and refactoring tests.

Note about the Mend report: the following vulnerable dependency isn’t coming from the demos module:

Unknown
k8s.io/apimachinery:v0.24.2

[Gen-SIQA-User]

Checks Summary

Last run: 2026-01-29T15:02:17.477Z

Code Risk Analyzer vulnerability scan found 2 vulnerabilities:

Severity	Identifier	Package	Details	Fix
◻ Unknown	CVE-2026-1225	ch.qos.logback:logback-core	Logback allows an attacker to instantiate classes already present on the class path GHSA-qqpg-mvqg-649v ch.qos.logback:logback-core:1.5.20->ch.qos.logback:logback-classic:1.5.20,org.terracotta:server-api:5.12.15,org.terracotta:galvan:5.12.15,org.terracotta.internal:galvan-support:5.12.15,org.terracotta:terracotta-dynamic-config-testing-galvan:5.11.6	1.5.25
◻ Unknown	CVE-2025-68161	org.apache.logging.log4j:log4j-core	Apache Log4j does not verify the TLS hostname in its Socket Appender GHSA-vc5p-v9hr-52mj org.apache.logging.log4j:log4j-core:2.25.2->com.github.spotbugs:spotbugs-annotations:4.9.8,com.github.spotbugs:spotbugs:4.9.8,org.apache.logging.log4j:log4j-core:2.25.2,com.github.spotbugs:spotbugs:4.9.8	2.25.3