McCabe Cyclomatic Analysis of Google Chrome

The paper “Exploring the relationship between architecture coupling and software vulnerabilities: A Google Chrome case study” investigates the relationship between software vulnerabilities and component metrics such as code churn and cyclomatic complexity, as well as the architecture coupling metrics direct, indirect, and cyclic coupling.

The study measured the Chrome software architecture in terms of traditional software metrics: source lines of code (SLOC), cyclomatic complexity (MCCABE), comment ratio (COMMR), and the amount of change activity (CHURN) spent in each file to fix “regular” defects (not vulnerabilities). It also calculated the different coupling measures: direct (DFI and DFO), indirect (IndFI and IndFO), and cyclic (CYCLIC). All metrics and the architecture visualization (Fig. 2 in the paper) were derived using a commercial analysis tool from Silverthread, and each metric is explained in section III of the paper. All variables are measured as positive integers, except COMMR, which is a positive rational number, and CYCLIC, which is a binary (1/0) value.

From the paper's correlation table, we can see that CHURN is highly correlated with source lines of code (SLOC), cyclomatic complexity (MCCABE), and direct fan-out (DFO). That is, files that are associated with many changes in general (excluding vulnerability bug changes) also have more source lines of code, higher cyclomatic complexity, and a higher number of direct fan-out dependencies. Further, all of the software metrics, including the different types of coupling, are significantly correlated with vulnerability bug files (VULN). Namely, files that have been changed a lot, have a low comment ratio, have many source lines of code, have high cyclomatic complexity, and have high coupling are all associated with vulnerability bugs.


Cyclomatic Path length of website structures

In the paper “An Approach to Evaluate Quality of Website Structure” by Sreedhar, Chari, Venkata and Ramana, path length metrics are used to evaluate the average number of clicks needed to reach a desired web page, and web site structural complexity is determined with cyclomatic complexity. The quality of the web site structure is measured on a 10-point scale, formulated by considering the various levels of the website tree structure; the resulting value indicates whether the site structure should be improved.

Evaluating the path length metric: the path length is used to find the average number of clicks per page. The path length of the tree is the sum of the depths of all nodes in the tree. It can be computed as a weighted sum, weighting each level by its number of nodes or each node by its level, using equation (1). The average number of clicks is computed using equation (2). The width of a tree is the size of its largest level, and the height of a tree is the length of its longest root path.

[Figure: path length]
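As an added worked example (written for this post, not code from the paper by Sreedhar et al.), the following Python computes the path length, average number of clicks, width and height of a small site tree, and then applies McCabe's V(G) = E − N + 2 to the site's link graph to show how cross-links between branches raise the structural complexity. The site map is constructed for illustration; the equations themselves are not reproduced here, so the form of equation (2) as path length divided by the number of pages is an assumption.

```python
from typing import Dict, List

# Constructed site map (hypothetical, not taken from the paper): page -> pages
# it links to. A pure tree: exactly one path from the home page to every page.
SITE_TREE: Dict[str, List[str]] = {
    "home": ["products", "blog", "about"],
    "products": ["p1", "p2"],
    "blog": ["post1"],
    "about": [],
    "p1": [],
    "p2": [],
    "post1": ["comments"],
    "comments": [],
}

# The same site with two constructed cross-links added between branches.
SITE_CROSSLINKED: Dict[str, List[str]] = dict(SITE_TREE)
SITE_CROSSLINKED["p1"] = ["post1"]
SITE_CROSSLINKED["comments"] = ["home"]


def levels(links: Dict[str, List[str]], root: str) -> List[List[str]]:
    """Breadth-first layering: level i holds the pages reachable in exactly i clicks.
    The `seen` set makes this safe on link graphs with cross-links or cycles."""
    layers, frontier, seen = [], [root], {root}
    while frontier:
        layers.append(frontier)
        nxt = []
        for page in frontier:
            for child in links.get(page, []):
                if child not in seen:
                    seen.add(child)
                    nxt.append(child)
        frontier = nxt
    return layers


def path_length(links: Dict[str, List[str]], root: str) -> int:
    """Equation (1): sum of the depths of all nodes, computed as the weighted sum
    of each level's depth times the number of nodes on that level."""
    return sum(depth * len(layer) for depth, layer in enumerate(levels(links, root)))


def average_clicks(links: Dict[str, List[str]], root: str) -> float:
    """Assumed form of equation (2): path length divided by the number of pages."""
    pages = sum(len(layer) for layer in levels(links, root))
    return path_length(links, root) / pages


def width(links: Dict[str, List[str]], root: str) -> int:
    """Size of the largest level."""
    return max(len(layer) for layer in levels(links, root))


def height(links: Dict[str, List[str]], root: str) -> int:
    """Length (in clicks) of the longest root path."""
    return len(levels(links, root)) - 1


def structural_complexity(links: Dict[str, List[str]]) -> int:
    """McCabe's V(G) = E - N + 2 for a connected link graph: a tree scores 1 and
    every extra cross-link adds one more independent path through the site."""
    nodes = set(links) | {c for children in links.values() for c in children}
    edges = sum(len(children) for children in links.values())
    return edges - len(nodes) + 2


if __name__ == "__main__":
    for name, site in (("tree", SITE_TREE), ("cross-linked", SITE_CROSSLINKED)):
        print(name, "path length:", path_length(site, "home"),
              "avg clicks:", average_clicks(site, "home"),
              "width:", width(site, "home"), "height:", height(site, "home"),
              "V(G):", structural_complexity(site))
```

The breadth-first layering is what makes the depth-based metrics well defined once a site stops being a strict tree: each page is credited with the depth at which it is first reached, so cross-links leave path length unchanged while V(G) records every extra route they introduce.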

Cyclomatic Complexity of Javascript steadily rising

[Figure: Javascript]

In their paper “How the Web Tangled Itself: Uncovering the History of Client-Side Web (In)Security” (USENIX Security 2017), Ben Stock, Martin Johns, Marius Steffens, and Michael Backes of CISPA point out the insecurity that comes with growing JavaScript complexity.


Cyclomatic Complexity Metrics for Mozilla

There is an interesting study correlating complexity metrics with churn and vulnerabilities in Mozilla in the paper “A New Approach for Predicting Security Vulnerability Severity in Attack Prone Software Using Architecture and Repository Mined Change Metrics” by Daniel D. Hein.

The study lists Firefox's maximum cyclomatic complexity metrics and vulnerabilities by version.


McCabe Cyclomatic analysis of WordPress Plugins

David Wheeler, for the Institute for Defense Analyses, has applied McCabe cyclomatic complexity to WordPress plugins.

Content management systems (CMS) WordPress, Joomla!, and Drupal are widely used, and all have had many vulnerabilities identified (especially when their plug-ins are included). However, these CMSs have a number of developers behind them, who already look for and attempt to counter vulnerabilities. They could do better, but at least there is typically progress in those areas; our concern for now is those projects that are relatively inactive and thus are unlikely to improve over time. Some CMS plug-ins are widely used yet are inadequately audited; we are not looking at such plug-ins at this time, but they would be good candidates for future investigation.

The authors rank various projects by comparing measured values to ideal values (e.g., the ideal candidate for the Excellent Analyzability quality attribute should have a McCabe cyclomatic number equal to 4, an average function’s number of statements equal to 10, a comment frequency equal to 0.5, and an average “size of statements” equal to 2).
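To make the MCCABE metric used in the Chrome study and Wheeler's ideal value of 4 concrete, here is an added example (written for this post, not code from either paper or from any plug-in) that computes McCabe's number per function from Python source by counting decision points in the AST, then flags functions above the ideal. The two functions in the sample module are constructed for illustration; the counting rule (1 plus each if/for/while/except/assert/ternary, each extra boolean operator, and each comprehension filter) is the standard one, and the ideal of 4 is taken from the report quoted above.

```python
import ast
from typing import Dict

# Constructed sample module (hypothetical, not from any real plug-in or from
# Chrome): two input-validation functions with different amounts of branching.
SAMPLE_SOURCE = '''
def sanitize_username(name):
    if name is None:
        return ""
    return name.strip().lower()

def check_upload(filename, size, allowed):
    if filename is None or filename == "":
        return False
    ext = filename.rsplit(".", 1)[-1].lower()
    if ext not in allowed:
        return False
    if size > 10_000_000:
        return False
    for part in filename.split("/"):
        if part == "..":
            return False
    return True
'''

# Each of these nodes opens one extra independent path through the function.
_BRANCH_NODES = (ast.If, ast.For, ast.AsyncFor, ast.While,
                 ast.ExceptHandler, ast.IfExp, ast.Assert)


class _DecisionCounter(ast.NodeVisitor):
    """Counts decision points inside one function body."""

    def __init__(self) -> None:
        self.decisions = 0

    def generic_visit(self, node: ast.AST) -> None:
        if isinstance(node, _BRANCH_NODES):
            self.decisions += 1
        elif isinstance(node, ast.BoolOp):
            # `a or b or c` adds one path per operator, i.e. values - 1
            self.decisions += len(node.values) - 1
        elif isinstance(node, ast.comprehension):
            # every `if` filter inside a comprehension is a branch
            self.decisions += len(node.ifs)
        super().generic_visit(node)  # recurse into child nodes


def cyclomatic_complexity(func: ast.AST) -> int:
    """McCabe number = decision points + 1 (the straight-line path)."""
    counter = _DecisionCounter()
    for stmt in func.body:
        counter.visit(stmt)
    return counter.decisions + 1


def module_complexity(source: str) -> Dict[str, int]:
    """Map every function name in the module to its McCabe number."""
    tree = ast.parse(source)
    return {node.name: cyclomatic_complexity(node)
            for node in ast.walk(tree)
            if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef))}


def exceeds_ideal(source: str, ideal: int = 4) -> Dict[str, bool]:
    """True for functions whose McCabe number is above the ideal threshold."""
    return {name: cc > ideal for name, cc in module_complexity(source).items()}


if __name__ == "__main__":
    for name, cc in module_complexity(SAMPLE_SOURCE).items():
        print(f"{name}: V(G)={cc}", "(above ideal)" if cc > 4 else "")
```

Run on the sample, `sanitize_username` scores 2 while `check_upload` scores 7: the `or` in its first condition, three further `if`s and the `for` loop each add a path. That is the pattern the Chrome study associates with vulnerability-prone files, and the report's ideal of 4 would flag the second function as a candidate for splitting or for closer review.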

Source: the IDA report “Open Source Software Projects Needing Security Investments”.
