Know what your licenses oblige before someone else tells you
License risk is silent until a customer audit, an acquisition, or an upset maintainer makes it loud. SecuDep classifies the licenses across your dependency graph, including the messy cases, and turns your license policy into an enforceable build gate.
Where license risk hides
Transitive surprises
The license you accepted is rarely the problem; it is the dependency four levels down with different terms.
The messy cases
Dual licensing, compound expressions, and vendored code with its own notices defeat naive classifiers.
Deal-time discovery
License questions tend to surface during customer audits and M&A due diligence, precisely when fixing them is most expensive.
How SecuNexa answers it
SPDX-aware classification
Licenses resolved across the full graph, including compound expressions and vendored notices, with evidence per component.
Policy as a gate
Define allowed and disallowed licenses per project; violations fail builds or surface for review before they ship.
Evidence on demand
License inventories ride with the SBOM, ready for counsel, customers, or an acquirer’s data room.
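To make the classification and gating described above concrete, here is an added example, not SecuDep's or SecuNexa's own code: a small SPDX expression parser (AND, OR, WITH, parentheses) evaluated against a per-project allow/deny policy, with a vendored subdirectory carried as its own component. Component names, versions, licenses and the policy are constructed for illustration; the tri-state verdict (allow, review, deny) and the rule that unlisted identifiers and unapproved WITH exceptions go to review are design assumptions of this example, not a statement of how the product behaves.

```python
"""SPDX-aware license gate: parse expressions, apply policy, fail the build on a deny."""
import re
from dataclasses import dataclass

OPERATORS = {"AND", "OR", "WITH"}
_TOKEN_RE = re.compile(r"\(|\)|[A-Za-z0-9.+\-]+")

ALLOW, REVIEW, DENY = "allow", "review", "deny"
_RANK = {ALLOW: 0, REVIEW: 1, DENY: 2}  # worse verdicts rank higher


def tokenize(expr: str) -> list[str]:
    """Split an SPDX expression into parentheses, operators and identifiers."""
    tokens = _TOKEN_RE.findall(expr)
    if "".join(tokens) != "".join(expr.split()):
        raise ValueError(f"unrecognised characters in SPDX expression {expr!r}")
    return tokens


class _Parser:
    """Recursive descent: OR binds loosest, then AND; WITH attaches to one identifier."""

    def __init__(self, tokens: list[str]):
        self.toks, self.pos = tokens, 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def parse_or(self):
        branches = [self.parse_and()]
        while self.peek() is not None and self.peek().upper() == "OR":
            self.take()
            branches.append(self.parse_and())
        return branches[0] if len(branches) == 1 else ("OR", branches)

    def parse_and(self):
        parts = [self.parse_primary()]
        while self.peek() is not None and self.peek().upper() == "AND":
            self.take()
            parts.append(self.parse_primary())
        return parts[0] if len(parts) == 1 else ("AND", parts)

    def parse_primary(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if tok is None or tok == ")" or tok.upper() in OPERATORS:
            raise ValueError(f"expected a license identifier, got {tok!r}")
        if self.peek() is not None and self.peek().upper() == "WITH":
            self.take()
            exc = self.take()
            if exc is None or exc in ("(", ")") or exc.upper() in OPERATORS:
                raise ValueError("WITH must be followed by an exception identifier")
            # The license plus exception is one identifier; it must be approved as a pair.
            return ("ID", f"{tok} WITH {exc}")
        return ("ID", tok)


def parse(expr: str):
    return _Parser(tokenize(expr)).parse()


@dataclass(frozen=True)
class Policy:
    allowed: frozenset
    denied: frozenset

    def verdict_for(self, license_id: str) -> str:
        if license_id in self.denied:
            return DENY
        if license_id in self.allowed:
            return ALLOW
        return REVIEW  # assumption: anything unlisted is routed to human review


def evaluate(node, policy: Policy) -> str:
    """Fold a parsed expression into a single verdict."""
    kind = node[0]
    if kind == "ID":
        return policy.verdict_for(node[1])
    verdicts = [evaluate(child, policy) for child in node[1]]
    if kind == "AND":  # every license applies, so the worst verdict wins
        return max(verdicts, key=_RANK.__getitem__)
    return min(verdicts, key=_RANK.__getitem__)  # OR: the consumer may pick the best branch


def gate(components, policy: Policy):
    """Return (exit_code, findings); exit code 1 means the build gate fails."""
    findings = []
    for comp in components:
        try:
            verdict = evaluate(parse(comp["license"]), policy)
        except ValueError:
            verdict = REVIEW  # an unparseable expression is evidence of a messy case, not a pass
        findings.append({"component": comp["name"], "origin": comp["origin"],
                         "license": comp["license"], "verdict": verdict})
    return (1 if any(f["verdict"] == DENY for f in findings) else 0), findings


# Constructed inventory: the vendored copy is its own component, not folded into its parent.
COMPONENTS = [
    {"name": "acme-http", "origin": "registry", "license": "Apache-2.0"},
    {"name": "acme-http/vendor/tinyjson", "origin": "vendored notice", "license": "MIT OR GPL-2.0-only"},
    {"name": "fastmath", "origin": "registry", "license": "(BSD-3-Clause AND LGPL-2.1-only)"},
    {"name": "jdbc-helper", "origin": "registry", "license": "GPL-2.0-only WITH Classpath-exception-2.0"},
    {"name": "legacy-crypto", "origin": "registry", "license": "AGPL-3.0-only"},
]
POLICY = Policy(allowed=frozenset({"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"}),
                denied=frozenset({"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}))

if __name__ == "__main__":
    code, report = gate(COMPONENTS, POLICY)
    for f in report:
        print(f"{f['verdict']:6}  {f['component']:28}  {f['license']}  ({f['origin']})")
    raise SystemExit(code)
```

Two points the run makes visible: the vendored `tinyjson` passes only because its dual license lets the consumer pick MIT, while `fastmath` lands in review because an AND conjunction inherits the stricter term, and the Classpath exception is not inferred from the GPL base identifier but has to be listed in the policy as the full `WITH` pair.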
Frequently asked questions
Can it distinguish a vendored copy with its own license?
Yes. Vendored code and its notices are classified separately from the parent package, which is exactly where naive tools mislabel them.
Is this legal advice?
No. It is accurate classification and evidence for your counsel to act on. What your policy permits remains a legal decision.
See how this works in an environment like yours.
Request a demo