Modelling Risks in Open Source Software Component Selection