Maven checks for artifacts in maven-central without permission to do that

[BoufarN]

When doing a GET on the maven-resource, maven first checks maven-central for the jar before checking our own repository. The risk is that someone can place a malicious artifact with the same ID and maven will accept it and the pipeline will use it thereby installing not our own jar but someone else's. Is it possible to disable the maven-central or disable maven-central by default when an own repository is specified?

[mulderga-cgi]

this is a potential security issue... you could do something like this to "fix" it:

file: https://github.com/nulldriver/maven-resource/blob/master/assets/.mvn/settings.xml

<repository>
      <id>2_central</id>
      <url>https://repo.maven.apache.org/maven2/</url>
      <releases><enabled>true</enabled></releases>
      <snapshots><enabled>true</enabled></snapshots>
</repository>
<repository>
      <id>1_remote-repository</id>
      <url>${repository.url}</url>
      <releases><enabled>true</enabled></releases>
      <snapshots><enabled>true</enabled></snapshots>
</repository>

... because Maven will order alphabetically on repository ID, so check the remote repository first before fetching a resource from maven central