Determine the security risk of using open source projects
Visit the Java Open Review, an open source project sponsored by Fortify Software which uses the Fortify SCA tools and FindBugs to look for defects in software, offered as a service. It publishes aggregated statistics but has a "responsible disclosure policy", which means the details of the bugs found are fed back only to the projects' authors.
On an ongoing basis the project analyses a number of common open source projects and other applications, including Hibernate, Struts, Spring, the Apache frameworks and Tomcat, and then publishes a list of the projects found to be defect free from a quality and security perspective.
Using this defect-free project list, consumers can gauge the level of risk involved in adopting different open source components.