How Stateward protects you against copyleft & source-available license risk
The threat
A single new dependency under a copyleft license (GPL, AGPL) or a non-OSI source-available license (SSPL, BUSL, Elastic, Commons Clause) can reach well beyond that dependency: copyleft terms can require you to release the source of the code that links to it, and source-available terms can forbid the hosted or commercial use your product depends on. It is a legal problem that tends to surface at the worst possible time.
How Stateward catches it
Stateward flags copyleft and non-OSI source-available licenses introduced via an SPDX identifier, a manifest license field, or a LICENSE file. Detection is gated to those declaration contexts, so a README or comment that merely mentions a license never false-fires, and identifier matching is word-boundary aware, so LGPL is not mistaken for GPL.
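The following is an added example of the two ideas in that paragraph, declaration-context gating and word-boundary-aware identifier matching, written for this page and not taken from Stateward. The rule table, the file conventions it reads (package.json, Cargo.toml/pyproject.toml string license fields, LICENSE/COPYING title blocks, SPDX-License-Identifier headers) and the sample repository are assumptions; it also goes slightly beyond the text by evaluating simple SPDX expressions so that a dual license such as `MIT OR GPL-2.0-only` is not reported as a copyleft commitment.

```python
"""Illustrative copyleft / source-available license detector (added example,
not Stateward's code). Rule table, file conventions and sample repo are assumed."""
import json
import re
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

# Assumed rule table: SPDX base id -> category worth flagging.
# Weak-copyleft (LGPL, MPL) and permissive ids are deliberately absent.
FLAGGED = {
    "GPL-2.0": "copyleft", "GPL-3.0": "copyleft", "AGPL-3.0": "copyleft",
    "SSPL-1.0": "source-available", "BUSL-1.1": "source-available",
    "Elastic-2.0": "source-available",
}

# Word-boundary-aware id pattern. The lookbehind refuses to start a match inside a
# longer token, so the "GPL-2.1" tail of "LGPL-2.1" never fires; LGPL is matched
# as its own id, which FLAGGED then ignores.
SPDX_ID = re.compile(
    r"(?<![A-Za-z0-9.+-])"
    r"(?P<base>LGPL-(?:2\.1|3\.0)|GPL-(?:2\.0|3\.0)|AGPL-3\.0|SSPL-1\.0|BUSL-1\.1|Elastic-2\.0)"
    r"(?:-only|-or-later|\+)?"
    r"(?![A-Za-z0-9.+-])"
)
SPDX_HEADER = re.compile(r"SPDX-License-Identifier:\s*(?P<expr>[^\n]+)")
TOML_LICENSE = re.compile(r'^\s*license\s*=\s*"(?P<expr>[^"]+)"', re.M)

HEAD_LINES = 12  # a LICENSE file's declaration context is its title block only
TITLE_RULES = [  # line-anchored, so "GNU LESSER GENERAL PUBLIC LICENSE" is not GPL
    (re.compile(r"^\s*GNU (AFFERO )?GENERAL PUBLIC LICENSE\s*\n\s*Version (\d)", re.I | re.M),
     lambda m: ("AGPL-" if m.group(1) else "GPL-") + m.group(2) + ".0"),
    (re.compile(r"^\s*Server Side Public License\s*$", re.I | re.M), lambda m: "SSPL-1.0"),
    (re.compile(r"^\s*Business Source License 1\.1\s*$", re.I | re.M), lambda m: "BUSL-1.1"),
    (re.compile(r"^\s*Elastic License 2\.0", re.I | re.M), lambda m: "Elastic-2.0"),
]


def flagged_ids(expr: str) -> set:
    """Flagged base ids an SPDX expression binds the consumer to: 'A OR B' binds only
    if every alternative is flagged, 'A AND B' if any operand is; a WITH exception
    narrows terms but keeps the base id. Only one outer pair of parentheses is handled."""
    expr = expr.strip()
    if expr.startswith("(") and expr.endswith(")"):
        expr = expr[1:-1]
    per_alternative = []
    for alternative in re.split(r"\s+OR\s+", expr):
        ids = set()
        for operand in re.split(r"\s+AND\s+", alternative):
            base_part = operand.strip().split(" WITH ")[0]
            ids.update(m.group("base") for m in SPDX_ID.finditer(base_part)
                       if m.group("base") in FLAGGED)
        per_alternative.append(ids)
    return set().union(*per_alternative) if all(per_alternative) else set()


def title_id(text: str) -> Optional[str]:
    """Identify a LICENSE/COPYING file from its title block, or None."""
    head = "\n".join(text.splitlines()[:HEAD_LINES])
    for pattern, to_id in TITLE_RULES:
        m = pattern.search(head)
        if m:
            return to_id(m)
    return None


def declarations(path: str, text: str) -> Iterator[Tuple[str, str]]:
    """Yield (context, expression) from declaration positions only. Free text such as
    a README saying 'not GPL' is never yielded, so it cannot false-fire."""
    name = path.rsplit("/", 1)[-1]
    if name == "package.json":
        try:
            data = json.loads(text)
        except ValueError:
            data = None
        lic = data.get("license") if isinstance(data, dict) else None
        if isinstance(lic, dict):                        # legacy {"type": ...} form
            lic = lic.get("type")
        if isinstance(lic, str):
            yield "manifest", lic
    elif name in ("Cargo.toml", "pyproject.toml"):       # license = "..." string form only
        for m in TOML_LICENSE.finditer(text):
            yield "manifest", m.group("expr")
    elif name.upper().startswith(("LICENSE", "COPYING")):
        found = title_id(text)
        if found:
            yield "license-file", found
    else:                                                # source files: header line only
        for m in SPDX_HEADER.finditer(text):
            yield "spdx-header", m.group("expr")


@dataclass(frozen=True)
class Finding:
    path: str
    context: str
    license_id: str
    category: str


def scan(files: dict) -> list:
    """Scan a {path: content} snapshot and return findings in path order."""
    return [Finding(path, ctx, base, FLAGGED[base])
            for path, text in sorted(files.items())
            for ctx, expr in declarations(path, text)
            for base in sorted(flagged_ids(expr))]


# Constructed sample repository for the demo (not real project files).
SAMPLE_REPO = {
    "package.json": '{"name": "app", "license": "MIT"}',
    "node_modules/somepkg/package.json": '{"name": "somepkg", "license": "GPL-3.0-or-later"}',
    "vendor/dual/package.json": '{"license": "(MIT OR GPL-2.0-only)"}',
    "Cargo.toml": '[package]\nname = "app"\nlicense = "MIT OR Apache-2.0"\n',
    "vendor/db/LICENSE": "Server Side Public License\nVERSION 1, OCTOBER 16, 2018\n",
    "vendor/gui/COPYING": "   GNU LESSER GENERAL PUBLIC LICENSE\n     Version 2.1, February 1999\n",
    "src/plugin.c": "// SPDX-License-Identifier: AGPL-3.0-only\n#include <stdio.h>\n",
    "src/util.c": "// SPDX-License-Identifier: LGPL-2.1-or-later\n",
    "README.md": "Not GPL licensed; see LICENSE. A GPL-3.0 fork exists elsewhere.\n",
}
```

Running `scan(SAMPLE_REPO)` reports three findings (the GPL-3.0 package manifest, the AGPL-3.0 source header and the SSPL LICENSE file) and stays silent on the LGPL header, the LGPL COPYING file, the dual-licensed package and the README that mentions GPL twice. The OR rule is a design choice: a reviewer who wants to see dual-licensed dependencies anyway would report them at a lower severity instead of dropping them.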
Recent advisories
- GHSA-Q59X-JC9F-GFQF (medium) Signal K Server: Server-Side Request Forgery via Remote Connection Endpoints
- GHSA-5739-39V2-5754 (medium) PHP JWT Library: RSA1_5 (RSAES-PKCS1-v1_5) decryption lacks implicit rejection, exposing a Bleichenbacher/Marvin padding oracle
- GHSA-JC38-X7X8-2XC8 (high) PHP JWT Framework: JWSVerifier uses algorithm from unprotected header, enabling algorithm confusion attacks
- GHSA-3PRJ-6HQW-CM82 (high) PHP JWT Library: PBES2-HS*+A*KW unwrap accepts an unbounded p2c iteration count, enabling CPU-amplification denial of service
Check your own repo for this
Connect a repo and Stateward reviews your next pull request — read-only, free for individuals and open source.
Built to be trusted with your code
Read-only & ephemeral
Stateward can comment, but never pushes, merges or stores your keys.
EU-sovereign hosting
Code and security data stay EU-hosted via Citadea — built for NIS2, DORA and the CRA.
Whole-codebase aware
Reasons over your call graph and trust boundaries, not just the diff.
Stateward is in beta and onboarding design partners. Built by Yggdrasil Digital.