Fix CVE-2024-57699 by override transitive dependency version (#116)

The overriding should be removed once Spring Security updates its dependencies.

Fixes #104

## How to test
1. Run `mvnw install org.owasp:dependency-check-maven:12.1.0:check --fail-at-end -DnvdApiDelay=60000 -DskipTests -DfailBuildOnCVSS=7`
2. Wait a very long time (can be sped up be [requesting an NVD API key](https://nvd.nist.gov/developers/request-an-api-key) and adding `-DnvdApiKey=<key>`
3. Check the build succeeds

Reviewed-on: #116
Reviewed-by: Nico Athanassiadis <nico@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>

pom.xml

@@ -39,6 +39,12 @@
         <jersey.version>3.1.6</jersey.version>
         <poi.version>5.2.5</poi.version>
         <jackson.version>2.17.0</jackson.version>
+
+        <!--
+            When updating spring-boot check if the transitive dependency on json-smart has been
+            updated to 2.5.2 or later.
+            If so, remove the dependency managed version of json-smart
+        -->
         <spring.boot.version>3.4.1</spring.boot.version>
         <springdoc.openapi.version>2.8.3</springdoc.openapi.version>
 
@@ -213,6 +219,20 @@
                 <version>2.0.2</version>
                 <scope>runtime</scope>
             </dependency>
+            <dependency>
+                <!--
+                2.5.1 is brought in transitively by
+                  spring-boot-starter-oauth2-client
+                    spring-security-oauth2-client
+                      oauth2-oidc-sdk
+                        json-smart
+                it has a known security vulnerability that's fixed in 2.5.2
+                should be removed when spring-boot-starter-oauth2-client is updated
+                -->
+                <groupId>net.minidev</groupId>
+                <artifactId>json-smart</artifactId>
+                <version>2.5.2</version>
+            </dependency>
 
             <!-- Test stuff -->
             <dependency>