They just released a report “Exploring Memory Safety in
Critical Open Source Projects” and explicitly called out Graphviz as one of the systems they used to perform the analysis.
We evaluated multiple source code dependency analysis tools
and primarily used ItDepends, ScanCode Toolkit, CMake,
and —for visualization-- Graphviz.
No, they did not include Graphviz in the list of “Critical Open Source Projects”.