A Multi-Dimensional Visual Analytics Tool for the Security Posture of Open-Source Software
Open-source software is widely used by developers and businesses, but assessing its security posture is challenging due to the lack of time and specialized expertise. Existing visual security analysis tools for open-source projects primarily focus on vulnerabilities within the source code, lacking a comprehensive assessment of the project’s overall security posture. To address these issues, we propose a multi-dimensional visual analytics tool for evaluating the security posture of open-source projects. Our tool integrates data from code commits, contributor activity, and historical vulnerability duration, providing a comprehensive view of project security.
Our tool integrates data from multiple sources, including the National Vulnerability Database (NVD) and GitHub commit histories, and applies the SZZ algorithm to identify both vulnerability-fixing and inducing commits. We tested the dashboard on two popular GitHub projects, each containing thousands of commits and hundreds of vulnerabilities, allowing users to easily track development and vulnerability management within each project. An evaluation study with experienced developers confirmed the dashboard’s effectiveness in helping users quickly understand developer interactions and the project’s overall approach to security management. Our contributions include a comprehensive vulnerability dataset and a visual dashboard that offers a multi-dimensional perspective on open-source project security, meeting the needs of various stakeholders.
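The abstract says the dashboard applies the SZZ algorithm to link each vulnerability-fixing commit back to the commit(s) that introduced the faulty lines. The following is an added illustration of that core step, not code from the paper or its dashboard: it walks a constructed linear commit history, computes a line-level blame map, diffs the fix commit against its parent, and blames whoever last touched the removed or replaced lines. It also applies the standard SZZ sanity filter that a commit made after the vulnerability was reported cannot have induced it. The commit ids, dates and file contents are all constructed for the example.

```python
"""Simplified SZZ over a constructed linear git-style history (added example)."""
import difflib
from datetime import date
from typing import Dict, List, Optional, Tuple

Line = Tuple[str, str]  # (line text, sha of the commit that last changed it)

# Constructed history: (sha, commit date, {path: full file content after commit}).
# Only files touched by a commit are listed; untouched files carry over.
HISTORY = [
    ("a1", date(2023, 1, 10), {"auth.py": [
        'def is_admin(user):',
        '    return user.role == "admin"']}),
    ("b2", date(2023, 2, 15), {"auth.py": [          # introduces the flaw
        'def is_admin(user):',
        '    return user.role == "admin" or user.debug']}),
    ("c3", date(2023, 4, 1), {"auth.py": [           # unrelated helper added
        'def is_admin(user):',
        '    return user.role == "admin" or user.debug',
        '',
        'def is_guest(user):',
        '    return user.role == "guest"']}),
    ("d4", date(2023, 6, 15), {"auth.py": [          # comment added after report
        'def is_admin(user):',
        '    # TODO: review admin check',
        '    return user.role == "admin" or user.debug',
        '',
        'def is_guest(user):',
        '    return user.role == "guest"']}),
    ("e5", date(2023, 7, 20), {"auth.py": [          # the vulnerability fix
        'def is_admin(user):',
        '    return user.role == "admin"',
        '',
        'def is_guest(user):',
        '    return user.role == "guest"']}),
]


def _opcodes(old: List[str], new: List[str]):
    return difflib.SequenceMatcher(a=old, b=new, autojunk=False).get_opcodes()


def blame_after(history) -> Dict[str, Dict[str, List[Line]]]:
    """Return, for every commit sha, the per-file blame map as it stands after that commit."""
    snapshots: Dict[str, Dict[str, List[Line]]] = {}
    current: Dict[str, List[Line]] = {}
    for sha, _when, files in history:
        for path, new_lines in files.items():
            old = current.get(path, [])
            merged: List[Line] = []
            for tag, i1, i2, j1, j2 in _opcodes([t for t, _ in old], new_lines):
                if tag == "equal":
                    merged.extend(old[i1:i2])          # unchanged: keep old blame
                elif tag in ("insert", "replace"):
                    merged.extend((t, sha) for t in new_lines[j1:j2])  # new: blame this commit
                # "delete": the lines simply disappear
            current[path] = merged
        snapshots[sha] = {p: list(v) for p, v in current.items()}
    return snapshots


def szz_inducing(history, fix_sha: str, reported: Optional[date] = None) -> List[str]:
    """Commits blamed for the lines a fix commit removed or replaced (SZZ candidates).

    If `reported` is given, commits dated after the vulnerability report are dropped,
    since they cannot have introduced a flaw that was already known.
    """
    snapshots = blame_after(history)
    dates = {sha: when for sha, when, _ in history}
    shas = [sha for sha, _, _ in history]
    idx = shas.index(fix_sha)
    if idx == 0:
        return []                                    # a root commit fixes nothing prior
    parent, fixed = snapshots[shas[idx - 1]], snapshots[fix_sha]
    candidates = set()
    for path in history[idx][2]:                     # only files the fix touched
        old, new = parent.get(path, []), fixed[path]
        for tag, i1, i2, _j1, _j2 in _opcodes([t for t, _ in old], [t for t, _ in new]):
            if tag in ("delete", "replace"):
                candidates.update(blamed for _, blamed in old[i1:i2])
    if reported is not None:
        candidates = {c for c in candidates if dates[c] <= reported}
    return sorted(candidates)


if __name__ == "__main__":
    # Vulnerability reported 2023-06-01 (constructed), fixed by e5.
    print(szz_inducing(HISTORY, "e5", date(2023, 6, 1)))   # ['b2']
    print(szz_inducing(HISTORY, "e5"))                     # ['b2', 'd4'] without the date filter
```

Without the report-date filter, the comment-only commit d4 is wrongly blamed because the fix also deleted its line; the filter is what keeps the inducing set honest. A real implementation would additionally skip whitespace and comment-only changes and follow `git blame` across renames, which this sketch omits.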
Sat 3 May (displayed time zone: Eastern Time, US & Canada)

Session 11:00 - 12:30

11:00 (20 min, talk): A Landscape Study of Open-Source Tools for Software Bill of Materials (SBOM) for Supply Chain Security. SVM track. Derek Garcia (University of Hawaii at Manoa), Mehdi Mirakhorli (University of Hawaii at Manoa), Schuyler Dillon (Rochester Institute of Technology), Kevin Laporte (Rochester Institute of Technology), Matthew Morrison (Rochester Institute of Technology), Henry Lu (Rochester Institute of Technology), Viktoria Koscinski (Rochester Institute of Technology), Christopher Enoch (Rochester Institute of Technology), Mohamad Fazelnia (University of Hawaii at Manoa), Roger Chen (University of Hawaii at Manoa).

11:20 (20 min, talk): A Multi-Dimensional Visual Analytics Tool for the Security Posture of Open-Source Software. SVM track. Tianyu Li (DistriNet Group-T, KU Leuven), Chaomeng Lu (DistriNet Group-T, KU Leuven), Bert Lagaisse (DistriNet Group-T, KU Leuven).

11:40 (50 min, meeting): Round-table discussion on “SVM in the era of (Gen)AI”. SVM track.