security, open-source

If NVD CVE description contains filenames, does it mean the referred project is open sourced?


I'm trying to find as many open source project repos as possible for future vulnerability research. While playing with the NVD feed data, I found that some of the CVE descriptions contain the filename or even the function name of the source code that caused the vulnerability. Does that mean the projects are open source?

Meanwhile, is there any better way or data source that could help me actually get the referred projects' repos? (e.g. CVE-2018-13305 --> FFmpeg)


Solution

  • The short answer to your first question is no. The NVD data is based on the CVE record from MITRE. Once MITRE has released the details of the CVE, details as submitted by the CVE requester or the CNA, NVD will then perform additional analysis.

    If the CVE requester/CNA provides details such as filename/function, then it will be in the CVE record, or if the NVD is able to determine those details from publicly available sources, then they may add it to their analysis. That said, you'll find it extremely rare that closed-source CVEs have that type of detail.

    So while the fact that the CVE description contains filenames or functions is a good indicator that the software in question is open source, it is not a rule.

    The answer to your second question is no. Well, there are ways, but that's far too broad of a question to address here.
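The following is an added example, not code from the question or the answer above, showing the heuristic the answer describes applied to NVD feed records: file and function names in a description are only an indicator of open source, while a repository link among the CVE's references is much stronger evidence. The feed shape follows the NVD JSON 1.1 layout (`CVE_Items`, `CVE_data_meta`, `description_data`, `reference_data`); the two records, their IDs, descriptions and URLs are constructed placeholders, and the regexes and the `triage_feed` scoring are my own assumptions rather than anything NVD or MITRE publishes.

```python
import json
import re
from typing import Dict, List

# Constructed sample in the shape of an NVD JSON 1.1 feed. The CVE IDs,
# descriptions and URLs are placeholders, not real records.
SAMPLE_FEED = json.dumps({
    "CVE_Items": [
        {
            "cve": {
                "CVE_data_meta": {"ID": "CVE-0000-0001"},
                "description": {"description_data": [
                    {"lang": "en",
                     "value": "A heap-based buffer over-read in decode_frame() "
                              "in libavcodec/example.c allows a crafted file "
                              "to crash the decoder."}
                ]},
                "references": {"reference_data": [
                    {"url": "https://github.com/example-org/example-codec/commit/abc123"},
                    {"url": "https://example-org.test/advisory/1"},
                ]},
            }
        },
        {
            "cve": {
                "CVE_data_meta": {"ID": "CVE-0000-0002"},
                "description": {"description_data": [
                    {"lang": "en",
                     "value": "An issue in Example Appliance 2.0 allows remote "
                              "attackers to bypass authentication via crafted requests."}
                ]},
                "references": {"reference_data": [
                    {"url": "https://vendor.test/security/bulletin-42"},
                ]},
            }
        },
    ]
})

# Heuristic patterns (assumed, not an NVD convention): a path ending in a
# source extension, a C-style call "name()", and a link into a code host.
SOURCE_FILE_RE = re.compile(r"\b[\w./-]+\.(?:c|cc|cpp|h|hpp|py|php|js|java|go|rs|rb|pl)\b")
FUNCTION_RE = re.compile(r"\b[A-Za-z_]\w*\(\)")
REPO_URL_RE = re.compile(r"https?://(?:www\.)?(github\.com|gitlab\.com)/([\w.-]+)/([\w.-]+)")


def source_references(description: str) -> Dict[str, List[str]]:
    """Return file paths and function names mentioned in a CVE description."""
    files = sorted(set(SOURCE_FILE_RE.findall(description)))
    funcs = sorted(set(FUNCTION_RE.findall(description)))
    return {"files": files, "functions": funcs}


def repo_slugs(urls: List[str]) -> List[str]:
    """Map reference URLs to 'host/owner/repo' slugs where a code host is present."""
    slugs: List[str] = []
    for url in urls:
        m = REPO_URL_RE.match(url)
        if not m:
            continue
        host, owner, repo = m.groups()
        if repo.endswith(".git"):
            repo = repo[:-4]
        slug = f"{host}/{owner}/{repo}"
        if slug not in slugs:
            slugs.append(slug)
    return slugs


def triage_feed(feed_json: str) -> List[Dict[str, object]]:
    """Classify each CVE item by how strongly it points at an open source repo.

    'high' means a repository URL is among the references; 'indicator' means
    only file or function names appear in the description (a hint, not a rule).
    """
    rows: List[Dict[str, object]] = []
    for item in json.loads(feed_json)["CVE_Items"]:
        cve = item["cve"]
        desc = " ".join(d["value"] for d in cve["description"]["description_data"]
                        if d.get("lang") == "en")
        urls = [r["url"] for r in cve["references"]["reference_data"]]
        refs = source_references(desc)
        slugs = repo_slugs(urls)
        has_hint = bool(refs["files"] or refs["functions"])
        rows.append({
            "id": cve["CVE_data_meta"]["ID"],
            "files": refs["files"],
            "functions": refs["functions"],
            "repos": slugs,
            "confidence": "high" if slugs else ("indicator" if has_hint else "none"),
        })
    return rows


if __name__ == "__main__":
    for row in triage_feed(SAMPLE_FEED):
        print(row)
```

Run against a real feed, the `indicator` rows are the ones worth a manual look: as the answer says, file and function names are common for open source projects but nothing stops a CNA from including them for closed-source software, so only the `high` rows (a repository URL in the references) can be mapped to a repo without further checking.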