StatewardStateward
Glossary

Security terms, in plain language

The application-security and supply-chain terms you hit when shipping code — especially AI-generated code — defined without jargon. Each links to the live threat feed where it applies.

Call graphCVECVSSCWEDependency confusionDORAEU Cyber Resilience ActFalse positiveIDORKEVLogic & correctness bugMerge-induced vulnerabilityNIS2OWASP Top 10Prompt injectionRCEReachability analysisSASTSBOMSCASecret scanningSource map exposureSQL injectionSSRFSupply-chain attackTyposquattingZero-day
Call graph
A model of which functions call which across your codebase. It is what lets a tool follow data from an untrusted input (a request parameter) to a dangerous sink (a database query or shell command) even when they live in different files. Stateward builds one as part of its whole-codebase knowledge base.
CVE (Common Vulnerabilities and Exposures)
A unique identifier for one publicly disclosed vulnerability in a specific product or library, for example CVE-2021-44228 (Log4Shell). CVEs are the lingua franca of vulnerability management — your SCA tool matches your dependencies against the CVE database.
CVSS (Common Vulnerability Scoring System)
A 0–10 score for how severe a vulnerability is, based on exploitability and impact. Useful for ranking, but context-blind: a 9.8 in a package you do not reach matters less than a 6.5 on your auth path. Pair CVSS with reachability and exploitation status (KEV) to prioritize honestly.
CWE (Common Weakness Enumeration)
A community catalogue of software weakness types, each with an identifier like CWE-89 (SQL injection) or CWE-79 (cross-site scripting). CWE classifies the kind of flaw; CVE identifies a specific vulnerable product. Findings mapped to CWE are easier to triage, dedupe and turn into compliance evidence.
Dependency confusionSupply chain feed →
Tricking a package manager into pulling a public package instead of your intended private one, by publishing a higher version number under the same name to a public registry. It lets an attacker inject code into internal builds; the fix is scoped registries and explicit source pinning.
DORA (Digital Operational Resilience Act)
An EU regulation for the financial sector covering ICT risk, third-party risk and operational resilience. Like NIS2 it demands demonstrable, continuous security posture rather than point-in-time audits — exactly the audit-ready evidence Stateward generates per pull request.
EU Cyber Resilience Act (CRA)
An EU regulation setting cybersecurity requirements for products with digital elements across their lifecycle, including vulnerability handling and an SBOM. It pushes “secure by design” from best practice into law for products sold in the EU.
False positive
A finding a tool reports that is not actually exploitable in your context. High false-positive rates are the main reason teams ignore security tools. Stateward reduces them by validating findings against the real call graph and reachability, and by adversarially refuting candidates before reporting a verdict.
IDOR (Insecure Direct Object Reference)AppSec feed →
Exposing a reference to an internal object — a database id in a URL — without checking that the current user is allowed to access it, so changing /invoice/123 to /invoice/124 leaks someone else’s data. It is a form of broken access control, the top OWASP risk, and authorization must be checked server-side on every request.
KEV (Known Exploited Vulnerabilities)Known-exploited feed →
CISA’s authoritative list of vulnerabilities that are being actively exploited in the wild. A KEV entry means attackers are using it right now, so it jumps the patch queue regardless of its CVSS score. Stateward’s live feed surfaces KEV entries the moment they land.
Logic & correctness bugAppSec feed →
A bug where the code runs but does the wrong thing — not an attacker-facing hole, but an honest mistake a careful engineer makes. Integer IDs approaching their type’s limit at scale, money handled in floating point (0.1 + 0.2 ≠ 0.3), off-by-one boundaries, broken invariants, unhandled edge cases. Rarely exploitable, but a leading cause of outages, data corruption and costly incidents — the reason the security-audit industry exists. Stateward’s adversarial deep audit hunts these by reasoning about what each function must guarantee and trying to break it, not by pattern-matching known CVEs.
Merge-induced vulnerabilityAppSec feed →
A flaw that exists in neither branch alone but appears once two branches are merged — for example one branch removes a validation that another branch starts depending on. Diff-only scanners miss it because each diff looks safe. Stateward analyses the merged result against the whole codebase, which is where it surfaces.
NIS2
An EU directive (2022) that broadens cybersecurity obligations across essential and important entities, with requirements for risk management, supply-chain security and incident reporting. It raises the bar for software security evidence; Stateward maps findings to it and keeps data EU-hosted via Citadea.
OWASP Top 10AppSec feed →
The Open Worldwide Application Security Project’s ranked list of the ten most critical web application risks — broken access control, injection, cryptographic failures and so on. It is the default checklist auditors and frameworks reference; Stateward maps each finding to its OWASP category.
Prompt injectionAI/LLM feed →
Manipulating an LLM-powered application by smuggling instructions into its input — directly, or indirectly through content the model later reads (a web page, a document, a tool result). It is the defining vulnerability class of AI applications and has no single clean fix; you contain it with least privilege, output validation and human approval for sensitive actions.
RCE (Remote Code Execution)
A vulnerability that lets an attacker run arbitrary code on your server or a user’s machine — the most severe outcome, because it usually means full compromise. It often arrives through unsafe deserialization, command injection or a vulnerable dependency like Log4Shell.
Reachability analysisSupply chain feed →
Determining whether a vulnerable function in a dependency is actually called by your code. A CVE in a package you import but never exercise on a vulnerable path is far lower priority. Reachability cuts dependency noise dramatically by separating “present” from “exploitable.”
SAST (Static Application Security Testing)AppSec feed →
Analysis of source code, without running it, to find security flaws like injection, broken access control or unsafe deserialization. Classic SAST works on a single file or diff; Stateward reasons over the whole codebase — its call graph and trust boundaries — so it catches flaws that only appear across files or branches.
SBOM (Software Bill of Materials)Supply chain feed →
A machine-readable inventory of every component and dependency in a piece of software, including transitive ones. Regulations like the US Executive Order 14028 and the EU Cyber Resilience Act increasingly require one, because you cannot defend a supply chain you cannot enumerate.
SCA (Software Composition Analysis)Supply chain feed →
Inventorying your open-source dependencies and matching them against known vulnerabilities (CVEs), license risk and maintainer risk. Good SCA matches the exact installed version and tells you whether the vulnerable code is actually reachable, instead of alerting on every transitive package.
Secret scanningSecrets feed →
Detecting credentials — API keys, tokens, private keys, database URLs — committed into source control. The fix is never just deleting the line: a leaked secret in git history is compromised and must be rotated. Stateward scans every diff at the commit, before the secret reaches a shared branch.
Source map exposure (source map disclosure)AppSec feed →
Shipping a JavaScript source map (.map) to production, or inside a published package, so anyone can download your original source. Bundlers embed the full code in the map’s sourcesContent field, so an exposed map leaks unminified code, internal comments, hidden API endpoints and any compiled-in secrets — Apple’s App Store front-end and Anthropic’s Claude Code both shipped one by accident. Stateward detects it (CWE-540) in the pull request: a committed .map artifact, a sourceMappingURL left in a shipped bundle, or a build config that emits production maps (Vite, webpack, Next.js, Create React App, Vue, Rollup) — so it never reaches production.
SQL injectionAppSec feed →
Inserting attacker-controlled input into a database query so it changes the query’s meaning, letting an attacker read, modify or destroy data. The fix is parameterized queries (bound parameters), never string concatenation. It is CWE-89 and a perennial OWASP Top 10 entry.
SSRF (Server-Side Request Forgery)AppSec feed →
Tricking a server into making requests on the attacker’s behalf — often to internal services or cloud metadata endpoints it would never expose externally. SSRF was central to the Capital One breach. Defences include allowlisting destinations and blocking access to link-local and internal address ranges.
Supply-chain attackSupply chain feed →
Compromising software by attacking something it depends on — a popular npm package, a build tool, a CI runner — rather than the target directly. One poisoned dependency reaches every project that installs it, which is why incidents like event-stream, SolarWinds and the xz backdoor were so damaging.
TyposquattingSupply chain feed →
Publishing a malicious package under a name that resembles a popular one (reqeusts vs requests, lodahs vs lodash) to catch typos and copy-paste mistakes. The malware usually runs on install. Stateward flags dependencies whose names are suspiciously close to well-known packages.
Zero-dayKnown-exploited feed →
A vulnerability that is exploited before the vendor has a patch — defenders have “zero days” to fix it. Zero-days are why a live, known-exploited feed matters: the window between disclosure and weaponization is often hours.

See these flaws caught on a real pull request

See a sample findingBrowse the threat feed →