AVRO-2865: Remove maven 2 support

[RyanSkraba]

Make sure you have checked all steps below.

Jira

• My PR addresses the following Avro Jira issues and references them in the PR title. For example, "AVRO-1234: My Avro PR"
  • https://issues.apache.org/jira/browse/AVRO-2865
  • In case you are adding a dependency, check if the license complies with the ASF 3rd Party License Policy.

Tests

• My PR adds the following unit tests OR does not need testing for this extremely good reason:

Commits

• My commits all reference Jira issues in their subject lines. In addition, my commits follow the guidelines from "How to write a good git commit message":
  1. Subject is separated from body by a blank line
  2. Subject is limited to 50 characters (not including Jira issue reference)
  3. Subject does not end with a period
  4. Subject uses the imperative mood ("add", not "adding")
  5. Body wraps at 72 characters
  6. Body explains "what" and "why", not "how"

Documentation

• In case of new functionality, my PR adds documentation that describes how to use it.
  • All the public functions and the classes in the PR contain Javadoc that explain what it does

[RyanSkraba]

@iemejia What do you think -- is this CVE a reason to wait for 1.10.0 RC2 ?

On the one hand, the plexus-util jar with the vulnerability will only be on the machine building avro specific records, and XML injection could only be done from the pom.xml sitting right there in front of the user running maven...

... on the other hand, a lot of build machines are CI (jenkins) and automatic/expensive shared resources.

[iemejia]

It makes sense to do a RC2 we should not let security vulnerabilities exposed. Thanks for the PR @RyanSkraba

[iemejia]

LGTM