microsoft / ModSecurity
Conditional Complexity

The distribution of complexity of units (measured with McCabe index).

Intro
  • Conditional complexity (also called cyclomatic complexity) is a term used to measure the complexity of software. The term refers to the number of possible paths through a program function. A higher value ofter means higher maintenance and testing costs (infosecinstitute.com).
  • Conditional complexity is calculated by counting all conditions in the program that can affect the execution path (e.g. if statement, loops, switches, and/or operators, try and catch blocks...).
  • Conditional complexity is measured at the unit level (methods, functions...).
  • Units are classified in four categories based on the measured McCabe index: 1-5 (simple units), 6-10 (medium complex units), 11-25 (complex units), 26+ (very complex units).
Learn more...
Conditional Complexity Overall
  • There are 852 units with 29,436 lines of code in units (46.0% of code).
    • 14 very complex units (4,195 lines of code)
    • 46 complex units (5,375 lines of code)
    • 106 medium complex units (6,499 lines of code)
    • 154 simple units (5,094 lines of code)
    • 532 very simple units (8,273 lines of code)
14% | 18% | 22% | 17% | 28%
Legend:
51+
26-50
11-25
6-10
1-5
Alternative Visuals
Conditional Complexity per Extension
51+
26-50
11-25
6-10
1-5
c15% | 19% | 21% | 16% | 26%
cpp0% | 0% | 33% | 26% | 40%
cc0% | 0% | 54% | 0% | 45%
pl0% | 0% | 16% | 41% | 41%
h0% | 0% | 0% | 0% | 100%
Conditional Complexity per Logical Component
primary logical decomposition
51+
26-50
11-25
6-10
1-5
apache216% | 19% | 20% | 16% | 27%
mlogc0% | 28% | 21% | 36% | 14%
alp20% | 13% | 57% | 19% | 10%
standalone0% | 0% | 38% | 20% | 40%
iis0% | 0% | 37% | 28% | 34%
tools0% | 0% | 16% | 41% | 41%
ext0% | 0% | 0% | 0% | 100%
nginx0% | 0% | 0% | 0% | 100%
validator0% | 0% | 0% | 0% | 100%
Most Complex Units
Top 20 most complex units
Unit# linesMcCabe index# params
int libinjection_sqli_fold()
in apache2/libinjection/libinjection_sqli.c
 360 178 1
void sec_audit_logger_json()
in apache2/msc_logging.c
 612 151 1
void sec_audit_logger_native()
in apache2/msc_logging.c
 549 149 1
int hash_response_body_links()
in apache2/msc_crypt.c
 302 100 1
334 99 2
372 88 2
apr_status_t output_filter()
in apache2/apache2_io.c
 283 84 2
void init_directory_config()
in apache2/apache2_config.c
 93 79 1
int do_hash_method()
in apache2/msc_crypt.c
 279 76 3
278 63 4
246 63 4
int multipart_process_chunk()
in apache2/msc_multipart.c
 166 55 4
142 53 2
static int msre_op_rx_execute()
in apache2/re_operators.c
 179 52 4
int inject_hashed_response_body()
in apache2/msc_crypt.c
 172 49 2
int perform_interception()
in apache2/mod_security2.c
 221 48 1
int normalize_path_inplace()
in apache2/msc_util.c
 98 47 4
apr_status_t modsecurity_tx_init()
in apache2/modsecurity.c
 140 46 1
apr_status_t read_request_body()
in apache2/apache2_io.c
 142 45 2
static int hook_request_late()
in apache2/mod_security2.c
 149 45 1