The US cybersecurity agency analyzed popular open-source projects and found that many widely used projects still contain a lot of unsafe code.