I can tell it is lots of "fun" when you can only use a Maven mirror, with approved jars.
To get a jar into that mirror, a request needs to be sent to the legal team describing the license and business case use, after approval the IT team will add the said jar to the mirror.
The same applies to version upgrades of already approved jars.
This is a typical scenario I had already in a couple of projects.
I agree that this sucks, but not doing it that way is dangerous for the company because developers might not care enough about license compliance when they include some stuff into their project.
To get a jar into that mirror, a request needs to be sent to the legal team describing the license and business case use, after approval the IT team will add the said jar to the mirror.
The same applies to version upgrades of already approved jars.
This is a typical scenario I had already in a couple of projects.