Remove `provided` dependency on `commons-logging`

[basil]

The provided dependency on commons-logging is inconsistent with the general design of this POM, which avoids specifying Jenkins core dependencies in order to allow them to be fetched from the Jenkins core BOM.

For a comprehensive fix, the provided dependency should be removed both from here and from Jenkins core. The main implementation/testing challenge here is to avoid a regression with regard to https://www.slf4j.org/codes.html#release

The relevant test scenarios are:

1. Jenkins core before the change to remove commons-logging, plugin POM before the change to remove commons-logging (the status quo)
2. Jenkins core before the change to remove commons-logging, plugin POM after the change to remove commons-logging (the scenario when a plugin updates its parent POM but not its core)
3. Jenkins core after the change to remove commons-logging, plugin POM before the change to remove commons-logging (the scenario when a plugin updates its core but not its parent POM)
4. Jenkins core after the change to remove commons-logging, plugin POM after the change to remove commons-logging (the scenario when a plugin updates both its core and its parent POM)

A test scenario should be set up to expose https://www.slf4j.org/codes.html#release in both core and a plugin, and the results of (1) in both scenarios should be measured to establish a baseline. Then (2), (3), and (4) should also be measured in all applicable scenarios to assure there are no regressions.

[jglick]

As an aside: Jenkins code normally uses just java.util.logging. AFAICT the only reason we do anything in core/POM regarding slf4j, log4j, or commons-logging is to handle a few log messages from org.apache.commons.beanutils.ConvertUtilsBean, used by Stapler for form binding. Unfortunately that is used by several plugins so not trivial to rip out.