Complete CVE fix for cruise-control-metrics-reporter

[shubhi-gupta5]

Summary

1. Why: The fix for CVE-2025-48734 introduced in commit bea2bcb was incomplete. It only added the dependency constraint to the cruise-control module but missed the cruise-control-metrics-reporter module. This resulted in the vulnerable commons-beanutils 1.9.4 JAR still being present in the container image at /opt/cruise-control/libs/commons-beanutils-1.9.4.jar.
2. What: This PR adds the missing dependency constraint to the cruise-control-metrics-reporter module, forcing Gradle to use commons-beanutils 1.11.0 (the patched version) instead of the vulnerable 1.9.4 that is transitively pulled by Apache Kafka 4.0.0.

Actual Behavior

Currently in container image (built from commit bea2bcb):

$ podman run --rm quay.io/strimzi/kafka:0.48.0-kafka-4.1.0 find / -name "commons-beanutils*.jar"
/opt/cruise-control/libs/commons-beanutils-1.9.4.jar  ❌ VULNERABLE
/opt/kafka/libs/commons-beanutils-1.11.0.jar          ✅

The vulnerable JAR is coming from the cruise-control-metrics-reporter module which lacks the dependency constraint.

[kyguy]

@shubhi-gupta5 nice catch! It looks like the CI failed due to a timeout but appears to be unrelated to the PR changes. Could you rebase to retrigger the CI tests?

[shubhi-gupta5]

@shubhi-gupta5 nice catch! It looks like the CI failed due to a timeout but appears to be unrelated to the PR changes. Could you rebase to retrigger the CI tests?

@kyguy Pushed an empty commit to trigger the CI tests.

[shubhi-gupta5]

Hey @CCisGG , could you take a look at this when you get a chance? I would really appreciate it. Thanks.