The study measured the Chrome software architecture in terms of traditional software metrics: source lines of code (SLOC), cyclomatic complexity (MCCABE), commenting ratio (COMMR), and the amount of activity (CHURN) spent in each file to fix “regular” defects (not vulnerabilities). They also calculated the different coupling measures: direct (DFI & DFO), indirect (IndFI & IndFO), and cyclic (CYCLIC). All metrics and the architecture visualization (Fig. 2) were derived using a commercial analysis tool from Silverthread, and each metric is explained in Section III. All variables are measured as positive integers, except COMMR, which is a positive rational number, and CYCLIC, which is a binary (1/0) number.
From the table, we can see that CHURN is highly correlated with source lines of code (SLOC), cyclomatic complexity (MCCABE), and direct fan-out (DFO). That is, files that are associated with many changes in general (excluding vulnerability bug changes) also have more source lines of code, higher cyclomatic complexity, and a higher number of direct fan-out dependencies. Further, we see that all of our software metrics, including the different types of coupling, are significantly correlated with vulnerability bug files (VULN). Namely, files that have been changed a lot, that have a low comment ratio, many source lines of code, high cyclomatic complexity, and high coupling are all associated with vulnerability bugs.
In the paper “AN APPROACH TO EVALUATE QUALITY OF WEBSITE STRUCTURE” by Sreedhar, Chari, Venkata & Ramana, path length metrics are used to evaluate the average number of clicks needed to reach a desired web page, and website structural complexity is determined with cyclomatic complexity. The quality of the website structure is measured on a 10-point scale, which is formulated by considering the various levels of the website tree structure. The status of the website structure is determined on this 10-point scale, and the value suggests the improvement of the site structure.
Evaluating the path length metric: A path length is used to find the average number of clicks per page. The path length of the tree is the sum of the depths of all nodes in the tree. It can be computed as a weighted sum, weighting each level with its number of nodes or each node by its level using equation (1). The average number of clicks is computed using equation (2). The width of a tree is the size of its largest level and the height of a tree is the length of its longest root path.
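The tree measures described above, worked through as an added example (not code from the paper): it computes the path length both ways the text describes, plus width and height, for a constructed site tree. The names `SITE`, `levels` and `tree_metrics` are hypothetical, and because equation (2) is not reproduced on this page, the average number of clicks is assumed here to be the path length divided by the number of pages.

```python
from collections import Counter, deque

# Constructed sample site tree: page -> child pages (not data from the paper).
SITE = {
    "home": ["products", "support", "about"],
    "products": ["widget", "gadget"],
    "support": ["faq", "contact"],
    "widget": ["specs"],
}


def levels(tree, root):
    """Breadth-first walk returning {page: depth}, with the root at depth 0."""
    depth = {root: 0}
    queue = deque([root])
    while queue:
        page = queue.popleft()
        for child in tree.get(page, []):
            if child in depth:
                # The metric is defined on a tree; a cross-link or cycle
                # would make "depth of a node" ambiguous, so refuse it.
                raise ValueError(f"{child!r} reached twice: input is not a tree")
            depth[child] = depth[page] + 1
            queue.append(child)
    return depth


def tree_metrics(tree, root):
    depth = levels(tree, root)
    per_level = Counter(depth.values())  # level -> number of nodes on it

    # Path length, weighting each node by its level ...
    by_node = sum(depth.values())
    # ... and weighting each level by its number of nodes.
    by_level = sum(level * count for level, count in per_level.items())
    if by_node != by_level:
        raise AssertionError("the two path-length formulations disagree")

    return {
        "path_length": by_node,
        "width": max(per_level.values()),   # size of the largest level
        "height": max(depth.values()),      # length of the longest root path
        # Assumption: average clicks = path length / number of pages.
        "avg_clicks": by_node / len(depth),
        # Pages listed in the structure but unreachable from the root.
        "orphans": sorted(set(tree) - set(depth)),
    }


if __name__ == "__main__":
    print(tree_metrics(SITE, "home"))
```
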
David Wheeler, for the Institute for Defense Analyses, has applied McCabe cyclomatic complexity to WordPress plugins.
Content management systems (CMS) WordPress, Joomla!, and Drupal are widely used, and all have had many vulnerabilities identified (especially when their plug-ins are included). However, these CMSs have a number of developers behind them, who already look for and attempt to counter vulnerabilities. They could do better, but at least there is typically progress in those areas; our concern for now is those projects that are relatively inactive and thus are unlikely to improve over time. Some CMS plug-ins are widely used yet are inadequately audited; we are not looking at such plug-ins at this time, but they would be good candidates for future investigation.
The authors rank various projects by comparing values to ideal values (e.g., the ideal candidate for the Excellent Analyzability quality attribute should have a McCabe Cyclomatic number equal to 4, an average function’s number of statements equal to 10, a comments frequency equal to 0.5, and average “size of statements” equal to 2).