[HOP-3681] upgrade to poi 5.2.0

[pjfanning]

Following this checklist to help us incorporate your contribution quickly and easily:

• Make sure there is a JIRA issue filed
  for the change (usually before you start working on it). Trivial changes like typos do not
  require a JIRA issue. Your pull request should address just this issue, without pulling in other changes.
• Each commit in the pull request should have a meaningful subject line and body.
• Format the pull request title like [HOP-XXX] - Fixes bug in SessionManager,
  where you replace HOP-XXX with the appropriate JIRA issue. Best practice
  is to use the JIRA issue title in the pull request title and in the first line of the commit message.
• Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
• Run mvn clean install apache-rat:check to make sure basic checks pass. A more thorough check will be performed on your pull request automatically.
• If you have a group of commits related to the same change, please squash your commits into one and force push your branch using git rebase -i.

Trivial changes like typos do not require a JIRA issue (javadoc, comments...).
In this case, just format the pull request title like (DOC) - Add javadoc in SessionManager.

If this is your first contribution, you have to read the Contribution Guidelines

If your pull request is about ~20 lines of code you don't need to sign an Individual Contributor License Agreement
if you are unsure please ask on the developers list.

To make clear that you license your contribution under the Apache License Version 2.0, January 2004
you have to acknowledge this by using the following check-box.

• I hereby declare this contribution to be licenced under the Apache License Version 2.0, January 2004
• In any other case, please file an Apache Individual Contributor License Agreement - I am an Apache member - username: fanningpj

[mattcasters]

Appreciate the effort!

[pjfanning]

@mattcasters would you know why https://github.com/apache/hop/blob/a575a97e9e0a2a5d413fe0899c27d1449f6a8958/plugins/transforms/excelwriter/pom.xml excludes the transitive dependencies of poi? - it makes things complicated because with the exclusions, I would need to explicitly import each POI dependency

[mattcasters]

@pjfanning It was probably done to avoid a downstream dependency with an older version. Just remove the exclusions and make your life easier. Most likely the issue is solved by updating to a more recent POI version. Should the problem pop up we can force the right library version in the assembly.

[pjfanning]

@mattcasters thanks - I've removed the exclusions. I suspect that extra jars will need to be added to the assemblies.

Would you be to review the non-optional compile dependencies in these 2 links?

• https://mvnrepository.com/artifact/org.apache.poi/poi/5.2.0
• https://mvnrepository.com/artifact/org.apache.poi/poi-ooxml/5.2.0

Should I all the non-optional dependencies to the assemblies?

[mattcasters]

Usually I run

mvn dependency:tree

and then figure out which libraries are actually needed by the pom.xml. I put these in assembly.xml of the corresponding assymblies module. It's unfortunately a pretty manual process but on the whole it works well enough in keeping everything under control.
Let me know if you want me to pick this up. It shouldn't be too hard to figure out.

[pjfanning]

@mattcasters I extended the 2 excel assemblies. Would you be able to approve the CI build?

[mattcasters]

Very nice!

[mattcasters]

For your convenience: you can have multiple lines in an section in the assembly.xml file.

[pjfanning]

@mattcasters I'd prefer to stay consistent stylewise with the existing assembly.xml - the pre-existing dependencies are 1 per set.

[hansva]

LGTM, thank you so much @pjfanning !

[hansva]

The only question I have is do we really need to pull in the log4j-api?

[pjfanning]

poi 5.1 and up uses log4j-api - the recent security issues are in log4j-core not log4j-api - and this PR uses the latest version of log4j-api anyway

[hansva]

ack! I'll give it a spin tomorrow and merge! thanks!!