
Resolve a jetty-http vulnerability#11304

Draft
sschuberth wants to merge 2 commits into
mainfrom
jetty-http-vuln

Conversation

@sschuberth

Member

Please have a look at the individual commit messages for the details.

None of these vulnerabilities is still present in ORT, thus the
resolutions match nothing and can be removed.

Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
@codecov

codecov Bot commented Jan 13, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 57.41%. Comparing base (c59b261) to head (6864921).
⚠️ Report is 4 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff            @@
##               main   #11304   +/-   ##
=========================================
  Coverage     57.41%   57.41%           
  Complexity     1705     1705           
=========================================
  Files           346      346           
  Lines         12875    12875           
  Branches       1228     1228           
=========================================
  Hits           7392     7392           
  Misses         5005     5005           
  Partials        478      478           
Flag | Coverage | Δ
--- | --- | ---
funTest-no-external-tools | 30.93% | <ø> (ø)
test-ubuntu-24.04 | 42.40% | <ø> (ø)
test-windows-2025 | 42.38% | <ø> (ø)


Comment thread on .ort.yml

```yaml
reason: "INEFFECTIVE_VULNERABILITY"
comment: >-
  The vulnerable package 'Maven:org.eclipse.jetty:jetty-http:11.0.26' is introduced as a transitive dependency of 'Maven:org.wiremock:wiremock:3.13.2'
  which is a package exclusively used for testing and thus is neither distributed nor exploitable in a deployment.
```

Member

Is it possible to setup excludes such that this is not queried in the first place? (e.g. scope excludes?)

Member Author

I needed this for a demo to show how resolved vulnerabilities look in the ORT Server:

[screenshot]

So this was not really meant for review, which is why I made it a draft.

Member Author

Thinking about this again, while it's correct that the vulnerability could also be "configured away" by creating a scope exclude for all test scopes and running the advisor with skipExcluded = true, I wonder whether that's what we want, as it would suppress any vulnerability in a test dependency. But maybe our aspiration for our own code base is to even go through vulnerabilities in test dependencies and resolve them on a case by case basis?

In a way, the question boils down to which "distribution type" we'd like to assume / apply when running ORT on ORT. This is probably something we could discuss in a meeting.
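The two approaches discussed in this thread side by side, as an added example that is not part of the PR or of ORT's own configuration. The first document is a `.ort.yml` fragment with the per-vulnerability resolution (the `id` placeholder is an assumption; the real advisory id is not shown in this thread, and ORT treats the field as a regular expression matched against the advisory id) next to the blanket alternative, a scope exclude for test scopes. The second document is the `ort.advisor.skipExcluded` switch in ORT's `config.yml` that makes the advisor skip excluded scopes entirely. The scope pattern `test.*` (a regular expression, matching Gradle scopes such as `testCompileClasspath` and `testRuntimeClasspath`) and the `funTest.*` pattern are assumptions about the project's scope names:

```yaml
# .ort.yml (repository configuration; added example, not ORT's own file)

# Option 1: resolve the single finding. The advisor still queries and reports
# the vulnerability; the resolution only marks it as resolved in the evaluator
# and reports, so every other finding in test dependencies stays visible.
resolutions:
  vulnerabilities:
  - id: "CVE-YYYY-NNNNN"  # placeholder (assumption): regex matched against the advisory id, not shown in this thread
    reason: "INEFFECTIVE_VULNERABILITY"
    comment: >-
      The vulnerable package 'Maven:org.eclipse.jetty:jetty-http:11.0.26' is introduced as a transitive dependency of
      'Maven:org.wiremock:wiremock:3.13.2' which is a package exclusively used for testing and thus is neither
      distributed nor exploitable in a deployment.

# Option 2: exclude the scopes the dependency comes in through. On its own this
# only flags the packages as excluded; combined with skipExcluded below the
# advisor never queries them, which silently suppresses every vulnerability in
# any test dependency, not just this one.
excludes:
  scopes:
  - pattern: "test.*"     # assumption: regex over Gradle test scope names
    reason: "TEST_DEPENDENCY_OF"
    comment: "Test dependencies are neither distributed nor exploitable in a deployment."
  - pattern: "funTest.*"  # assumption: ORT's functional test scopes
    reason: "TEST_DEPENDENCY_OF"
    comment: "Functional test dependencies are neither distributed nor exploitable in a deployment."
---
# config.yml (ORT global configuration; added example)
# Makes the advisor skip packages that appear only in excluded scopes,
# so the jetty-http finding is never raised in the first place.
ort:
  advisor:
    skipExcluded: true
```

Which option fits depends on the distribution type assumed for the project, exactly the point raised above: option 1 keeps a reviewed, auditable record per finding, while option 2 trades that audit trail for not having to triage test-only dependencies at all.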

2 participants