
[Backport 3.7] Bump dependencies to address CVEs #21897

Open

andrross wants to merge 1 commit into opensearch-project:main from andrross:bump-cves-3.7

Conversation

@andrross
Member

Backport of #21879

Check List

  • Functionality includes testing.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

- Bump jetty 9.4.57 -> 9.4.58 in hdfs-fixture (CVE-2026-2332, latest public 9.4.x, no full fix available for EOL line)
- Bump kafka-clients 3.9.1 -> 3.9.2 (CVE-2026-35554)
- Upgrade maven-model 3.9.12 -> 3.9.16, force plexus-utils 4.0.3 (CVE-2025-67030)
- Force log4j-core to 2.25.4 in buildSrc (CVE-2026-34480, CVE-2026-34478, CVE-2026-34477)

Signed-off-by: Craig Perkins <cwperx@amazon.com>
@andrross andrross requested a review from a team as a code owner May 29, 2026 22:56
@github-actions
Contributor

PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit 6732cd9.

Path | Line | Severity | Description
buildSrc/build.gradle | 134 | high | Dependency version change: org.apache.maven:maven-model bumped from 3.9.12 to 3.9.16. Maintainers must verify the artifact authenticity and changelog for this version.
buildSrc/build.gradle | 135 | high | New dependency added: org.codehaus.plexus:plexus-xml:3.0.1. This is a new artifact being pulled into the build classpath; maintainers must verify its provenance and necessity.
buildSrc/build.gradle | 164 | high | New forced resolution added for org.codehaus.plexus:plexus-utils:4.0.3. Forcing a specific transitive dependency version can override security patches or introduce a vulnerable/malicious artifact; maintainers must verify.
buildSrc/build.gradle | 165 | high | New forced resolution added for org.apache.logging.log4j:log4j-core. Forcing log4j-core version overrides transitive resolution for a historically critical library (Log4Shell); maintainers must confirm the pinned version is safe and intentional.
plugins/ingestion-kafka/build.gradle | 20 | high | Dependency version change: kafka-clients bumped from 3.9.1 to 3.9.2. Maintainers must verify the artifact authenticity and that the new SHA1 in licenses/kafka-clients-3.9.2.jar.sha1 matches the official Apache Kafka release.
test/fixtures/hdfs-fixture/build.gradle | 36 | high | Dependency version change: org.eclipse.jetty bumped from 9.4.57.v20241219 to 9.4.58.v20250814. Maintainers must verify this is an official Eclipse Jetty release and that the artifact matches the expected published artifact.

The table above displays the top 10 most important findings.

Total: 6 | Critical: 0 | High: 6 | Medium: 0 | Low: 0


Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.
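The analyzer's kafka-clients finding asks for a concrete check: that the jar actually resolved into the build hashes to the value checked in under licenses/kafka-clients-3.9.2.jar.sha1, and that this checked-in value in turn equals the digest Apache publishes for the release. The script below is an added example, not OpenSearch build code or part of this PR. It assumes the .sha1 file is either a bare 40-hex digest (the form used under licenses/) or the `digest  filename` form written by sha1sum, and it takes the upstream "published" digest as a plain string so it runs offline; the jar bytes, file names and digests used in the demo are constructed placeholders, not the real Kafka artifact.

```python
"""Verify a vendored dependency jar against its checked-in .sha1 file.

Added example (not OpenSearch's own build code). It performs the check the
analyzer asks reviewers to do: the jar on the build classpath must hash to the
value in licenses/<artifact>.sha1, and that checked-in value must also equal
the digest the upstream project publishes. The "published" digest is passed in
as a string here so the example runs offline; in practice it comes from the
artifact's .sha1 on Maven Central or the project's release announcement.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional

HEX_SHA1 = re.compile(r"[0-9a-fA-F]{40}")


def parse_sha1_file(text: str) -> str:
    """Return the 40-hex digest from a .sha1 file, lower-cased.

    Accepts the bare-digest form used under licenses/ and the
    "<digest>  <filename>" form that `sha1sum` writes. Anything else raises,
    so a truncated or edited file fails closed rather than matching nothing.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    token = lines[0].split()[0] if lines else ""
    if not HEX_SHA1.fullmatch(token):
        raise ValueError(f"not a SHA-1 checksum file: {token!r}")
    return token.lower()


def sha1_of_file(path: Path) -> str:
    """Stream the file through SHA-1; jars can be large, so avoid one read()."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(jar: Path, sha1_file: Path,
                    published_sha1: Optional[str] = None) -> Dict[str, object]:
    """Compare jar -> checked-in .sha1 -> upstream digest.

    A PR author controls both the jar reference and the .sha1 file, so the
    first comparison only proves the two are consistent with each other; the
    second is what ties the artifact to the upstream release.
    """
    expected = parse_sha1_file(sha1_file.read_text())
    actual = sha1_of_file(jar)
    report: Dict[str, object] = {
        "expected": expected,
        "actual": actual,
        "matches_sha1_file": actual == expected,
    }
    if published_sha1 is not None:
        report["matches_published"] = expected == published_sha1.strip().lower()
    report["ok"] = all(v for k, v in report.items() if k.startswith("matches_"))
    return report


# Constructed inputs: a placeholder "jar" whose bytes are b"abc" (SHA-1 is the
# well-known a9993e36...), not a real Kafka artifact.
FAKE_JAR_BYTES = b"abc"
SHA1_OF_ABC = "a9993e364706816aba3e25717850c26c9cd0d89d"


def demo() -> Dict[str, Dict[str, object]]:
    """Run three scenarios in a temp dir and return their reports."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        jar = root / "kafka-clients-3.9.2.jar"
        sha = root / "kafka-clients-3.9.2.jar.sha1"
        jar.write_bytes(FAKE_JAR_BYTES)
        sha.write_text(SHA1_OF_ABC + "\n")

        # 1. Everything consistent: jar, checked-in digest, upstream digest.
        good = verify_artifact(jar, sha, SHA1_OF_ABC)

        # 2. Checked-in digest matches the jar but not upstream: a substituted
        #    artifact whose .sha1 was rewritten to match. Only the upstream
        #    comparison catches this.
        substituted = verify_artifact(jar, sha, "0" * 40)

        # 3. Jar modified after the digest was recorded.
        jar.write_bytes(FAKE_JAR_BYTES + b"\x00")
        tampered = verify_artifact(jar, sha, SHA1_OF_ABC)

    return {"good": good, "substituted": substituted, "tampered": tampered}


if __name__ == "__main__":
    for name, rep in demo().items():
        print(name, "OK" if rep["ok"] else "FAIL", rep)
```

The second scenario is the one a reviewer should care about most: a PR that swaps in a different jar and updates the .sha1 file to match will pass the repository's own checksum check, so the checked-in digest has to be compared against the digest published by the upstream project, not just against the jar.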

@andrross andrross added the skip-diff-analyzer Maintainer to skip code-diff-analyzer check, after reviewing issues in AI analysis. label May 29, 2026
@github-actions
Contributor

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

🧪 No relevant tests
🔒 No security concerns identified
✅ No TODO sections
🔀 No multiple PR themes
⚡ No major issues detected

@github-actions
Contributor

✅ Gradle check result for 6732cd9: SUCCESS

@codecov

codecov Bot commented May 30, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.38%. Comparing base (6105940) to head (6732cd9).
⚠️ Report is 14 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff            @@
##               main   #21897   +/-   ##
=========================================
  Coverage     73.37%   73.38%           
- Complexity    75448    75482   +34     
=========================================
  Files          6034     6033    -1     
  Lines        342504   342572   +68     
  Branches      49259    49276   +17     
=========================================
+ Hits         251310   251394   +84     
- Misses        71175    71187   +12     
+ Partials      20019    19991   -28     

☔ View full report in Codecov by Sentry.
