various vulnerability fixes

[vilay-nference]

No description provided.

[jonn-smith]

@vilay-nference Where is the dockerfile for this image? It is not immediately accessible, so we cannot verify its contents.

In general, we use base images provided directly from first-party sources (e.g. https://hub.docker.com/_/ubuntu).

Please change this to use a standard base image and then we can re-evaluate.

[vilay-nference]

This is used for internal purpose. I'll delete this file .. not required for gatk

[lbergelson]

Could you explain what these new dependencies are?

[vilay-nference]

This is used as transitive dependencies in one of the package. Overriding the newer version for the compatibles.

[droazen]

Remove this third-party Dockerfile

[vilay-nference]

Yes. will remove this and update you

[vilay-nference]

This is deleted

[droazen]

Don't add new GATK dependencies here unless absolutely necessary

[vilay-nference]

Again dnsjava is used from hadoop client.

[vilay-nference]

@droazen . Let us know if any more modifications required

[lbergelson]

@vilay-nference Thank you for doing this work. It's nitpicky annoying stuff to figure out.

I have one additional request. Instead of addding additional direct implementation dependencies, could we specify the transtive version requirements in a gradle constraints block?

That will:

1. make it clear that we don't rely on these directly
2. prevent us from keeping them around if we do something like remove hadoop in the future
3. lets us rewrite those force blocks to instead define minimum versions so if the libraries move forward in the future we're not accidentally holding on a to an old version