Code Complexity

Posted on


“What gets measured gets managed” is a frequently quoted statement in the business world, although there seems to be some confusion as to who coined the phrase. Regardless, that statement holds true in the business and software world.

But some things are hard to measure, such as ‘team velocity’ (defined as to how much ‘work’ a team can deliver in a specific time slot).  But how do you measure work? Do you base it on how many new lines of code the team writes, how many features they build, or how many story points they deliver in a sprint? Once you define these metrics, teams will quickly game the system to deliver on the metric, which may not be the exact result you were looking for.

Differing Approaches

Software metrics are used in industries where safety and security are critical, like automotive, medical, and industrial software systems. Metrics can be defined and then measured and managed. 

As a first approach, you could measure the number of lines of comments on the piece of code. Well-commented code is easier to maintain, especially in larger teams. Team members may still game the system by adding random and useless comments in the code, but hopefully, these would get removed in some form of code review process.

Code complexity metrics are a particular type of software metric that describes how complex a piece of code is. The more complex a piece of code is, the harder it is to maintain and the more bugs it will typically contain. You’d think code complexity is also easy to measure, but you’d be mistaken.

There are many, many ways to measure code complexity. If you are currently not measuring complexity, then I highly suggest start with one metric, doesn’t matter which specific one, then measure it for a while and use the metric to drive the teams to simplify their code. If you have a customer that requires a specific metric, then use that one.

Static Application Security Testing and Metrics

CodeSonar is a Static Application Security Testing (SAST) platform that provides many metrics out of the box and allows developers to refine and/or define their own. Here are some, but not all, of the metrics that CodeSonar supports, straight from the manual:

  • The usual lines of code, lines with comments, mixed lines, and so forth.
  • Comment density.
  • Cyclomatic complexity, from Watson and McCabe (, counts the number of linearly independent paths through the control flow graph of a function.
  • Modified Cyclomatic Complexity, which takes the earlier metric, but treats ‘switch’ statements as if statements.
  • Taint propagation, which counts how often tainted data is handled in a procedure. Tainted data is data read from outside of the program, which could lead to all types of injection problems.
  • Essential Complexity, which builds on the Cyclomatic Complexity by removing ‘well structured’ primitive constructs.
  • Halstead Metrics, developed by the late Maurice Halstead (, such as volume, programming effort, programming time, intelligent content, program difficulty, program length, and several others.
  • Hersteller Initiative Software (HIS) metrics are described in H. Kuder. HIS source code metrics. Technical Report HIS-SC-Metriken.1.3.1-e, Hersteller Initiative Software, April 2008. Version 1.3.1. This is a popular set of metrics in the automotive industry.
  • Combinations of these metrics are also possible using a powerful expression grammar that can take any of the composite or base metrics and define a new user-defined metric.

These metrics can be reported at the project, file, procedure, and directory level, depending on requirements. CodeSonar calculates these metrics and graphs them over time. CodeSonar also drives warning classes for excessive complexity, which can then be used in CI/CD pipelines to allow or reject code submissions.

Wrap Metrics Into Developer Workflow

So, while there are many different ways to measure code complexity, CodeSonar makes it easy to pick one, or refine one and use it in your secure software development processes. Want to know more of what is possible?

We are always keen to demonstrate how this would work on your project, or a sample open-source piece of software, so please connect with us if you are interested!

Book a Demo

We’re ready to help you integrate SAST and SCA security into your DevSecOps flow. Get a personally guided tour of our solution offerings to ensure you are receiving the right solution for your development team. 

book now