
Update GATK dependencies to patch security vulnerabilities #8352

Closed
wants to merge 4 commits into from

Conversation

@droazen (Contributor) commented Jun 7, 2023

Further progress towards addressing #8215

@droazen (Contributor, Author) commented Jun 7, 2023

This is not ready for merge -- I just want to see if tests pass with this configuration. There are still some unresolved vulnerabilities:

[1/7] - pkg:maven/com.google.protobuf/protobuf-java@4.0.0-rc-2 - 3 vulnerabilities found!
[2/7] - pkg:maven/log4j/log4j@1.2.17 - 6 vulnerabilities found!
[3/7] - pkg:maven/org.codehaus.janino/janino@3.1.9 - 1 vulnerability found!
[4/7] - pkg:maven/net.minidev/json-smart@2.4.7 - 1 vulnerability found!
[5/7] - pkg:maven/org.codehaus.jettison/jettison@1.1 - 3 vulnerabilities found!
[6/7] - pkg:maven/org.eclipse.jetty/jetty-util@9.4.48.v20220622 - 1 vulnerability found!
[7/7] - pkg:maven/org.eclipse.jetty/jetty-http@9.4.48.v20220622 - 1 vulnerability found!

Some of these we may be unable to resolve. E.g., the protobuf-java version in this branch appears to be the most recent one, but still has open vulnerabilities filed against it. The ancient log4j 1.x version is used by two of our dependencies (hdf5-java-bindings and spark-mllib_2.12), and is the most recent version. Note that this is completely unrelated to the infamous log4j 2.x vulnerability, which was patched in GATK a long time ago.
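A small triage helper for the report format quoted above, added here as an example and not code from this PR or from GATK. It parses the "[i/N] - pkg:maven/... - n vulnerabilities found!" lines into Maven coordinates, checks that the counter agrees with the number of rows, and separates packages that can be upgraded now from those the comment says have no fixed release yet (the deferral set is an assumption mirroring that reasoning; the sample input is the seven lines from the comment).

```python
import re
from dataclasses import dataclass

# Constructed sample input: the seven report lines quoted in the comment above.
AUDIT_OUTPUT = """\
[1/7] - pkg:maven/com.google.protobuf/protobuf-java@4.0.0-rc-2 - 3 vulnerabilities found!
[2/7] - pkg:maven/log4j/log4j@1.2.17 - 6 vulnerabilities found!
[3/7] - pkg:maven/org.codehaus.janino/janino@3.1.9 - 1 vulnerability found!
[4/7] - pkg:maven/net.minidev/json-smart@2.4.7 - 1 vulnerability found!
[5/7] - pkg:maven/org.codehaus.jettison/jettison@1.1 - 3 vulnerabilities found!
[6/7] - pkg:maven/org.eclipse.jetty/jetty-util@9.4.48.v20220622 - 1 vulnerability found!
[7/7] - pkg:maven/org.eclipse.jetty/jetty-http@9.4.48.v20220622 - 1 vulnerability found!
"""

# One report line: "[i/N] - pkg:maven/<groupId>/<artifactId>@<version> - <n> vulnerabilit(y|ies) found!"
LINE_RE = re.compile(
    r"^\[(?P<idx>\d+)/(?P<total>\d+)\] - pkg:maven/(?P<group>[^/@]+)/(?P<artifact>[^@]+)"
    r"@(?P<version>\S+) - (?P<count>\d+) vulnerabilit(?:y|ies) found!$"
)

@dataclass(frozen=True)
class Finding:
    group: str
    artifact: str
    version: str
    count: int

def parse_audit(text: str) -> list:
    """Parse report lines into Findings; fail loudly if the [i/N] counter and parsed rows disagree."""
    findings, total = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            total = int(m["total"])
            findings.append(Finding(m["group"], m["artifact"], m["version"], int(m["count"])))
    if total is not None and total != len(findings):
        raise ValueError(f"report claims {total} packages but {len(findings)} lines parsed")
    return findings

def triage(findings, deferred=frozenset()):
    """Split into (upgrade now, deferred) by 'group:artifact'; the upgrade list is ordered
    by vulnerability count so the noisiest dependency is handled first."""
    now = sorted((f for f in findings if f"{f.group}:{f.artifact}" not in deferred), key=lambda f: -f.count)
    later = [f for f in findings if f"{f.group}:{f.artifact}" in deferred]
    return now, later

def total_vulns(findings) -> int:
    return sum(f.count for f in findings)
```

Deferred coordinates still need an owner and a re-check date; the helper only keeps them out of the upgrade queue, it does not make them disappear from the report.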

@gatk-bot commented Jun 7, 2023

Github actions tests reported job failures from actions build 5204025552
Failures in the following jobs:

Test Type        JDK         Job ID           Logs
unit             17.0.6+10   5204025552.12    logs
integration      17.0.6+10   5204025552.11    logs
unit             17.0.6+10   5204025552.1     logs
integration      17.0.6+10   5204025552.0     logs
conda            17.0.6+10   5204025552.3     logs
variantcalling   17.0.6+10   5204025552.2     logs

@droazen (Contributor, Author) commented Jun 7, 2023

See also broadinstitute/hdf5-java-bindings#16

@droazen (Contributor, Author) commented Jun 7, 2023

Looks like some failures related to Spark tests and usage of the NIO library in Picard that we'll have to work through...

@droazen (Contributor, Author) commented Dec 8, 2023

Closing in favor of #8607, which replaces this PR

@droazen closed this Dec 8, 2023