This is publicly documented here:
https://opensource.google/docs/thirdparty/
This means that dependencies on a third-party library can be found simply by looking at deps lines in BUILD rules. That can then inform which projects you want to run (for example) fuzzers on:
https://opensource.googleblog.com/2016/12/announcing-oss-fuz... https://google.github.io/oss-fuzz/