The first step is analyzing the history of code quality using a static analysis tool: was a serious bug fixed with a minor version bump? When a major version bump is made, how many new serious bugs does this OSS gain?
This analysis cannot be based on the number of bug fixes; it needs a static analysis tool to find the bugs that remain unfixed in each version.
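One way to do this per-version comparison, as an added example (not from the page or any tool it names): run the same analyzer on two releases, read its SARIF output, key each serious finding by its fingerprint, and report which serious findings were fixed, introduced, or carried over. The SARIF fragments and the mapping of the tool's `error` level to "serious" are constructed assumptions.

```python
import json

SERIOUS = {"error"}  # assumption: the analyzer's "error" level means "serious"

def _r(rule, level, uri, fp):
    """Build one constructed SARIF 2.1.0 result record."""
    return {"ruleId": rule, "level": level,
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri}}}],
            "partialFingerprints": {"primaryLocationLineHash": fp}}

# Constructed SARIF logs for two releases of a hypothetical project.
V1 = {"runs": [{"results": [_r("use-after-free", "error", "src/net.c", "a1"),
                            _r("null-deref", "error", "src/parse.c", "b2"),
                            _r("unused-var", "note", "src/util.c", "c3")]}]}
V2 = {"runs": [{"results": [_r("null-deref", "error", "src/parse.c", "b2"),
                            _r("buffer-overflow", "error", "src/io.c", "d4"),
                            _r("unused-var", "note", "src/util.c", "c3")]}]}

def fingerprints(sarif, levels=SERIOUS):
    """Map fingerprint -> (ruleId, uri) for findings at the given levels.
    Uses SARIF partialFingerprints when present; falls back to ruleId@uri,
    which is weaker (two findings of one rule in one file would merge)."""
    out = {}
    for run in sarif.get("runs", []):
        for res in run.get("results", []):
            if res.get("level", "warning") not in levels:
                continue
            uri = res["locations"][0]["physicalLocation"]["artifactLocation"]["uri"]
            fp = res.get("partialFingerprints", {}).get("primaryLocationLineHash")
            out[fp or f"{res['ruleId']}@{uri}"] = (res["ruleId"], uri)
    return out

def delta(old, new):
    """Serious findings fixed, newly introduced, and still open between releases."""
    a, b = fingerprints(old), fingerprints(new)
    return {"fixed": sorted(a[k] for k in a.keys() - b.keys()),
            "new": sorted(b[k] for k in b.keys() - a.keys()),
            "carried": sorted(a[k] for k in a.keys() & b.keys())}

if __name__ == "__main__":
    # Real use: delta(json.load(open("v1.sarif")), json.load(open("v2.sarif")))
    for kind, items in delta(V1, V2).items():
        print(f"{kind}: {len(items)}", *(f"  {r} in {u}" for r, u in items), sep="\n")
```

Counting "fixed" versus "new" this way measures unfixed defects directly, instead of relying on how many bug-fix commits a release claims.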
Points of focus:
- Which tool is trusted worldwide?
- Which tools can accurately detect bugs? (code analysis only, excluding CVE checks)
- Which tools can accurately detect known defects (CVEs)?
Example: https://scan.coverity.com/projects
→ would this require FOSS?