Every function, method or code fragment in the source code must have a cyclomatic complexity (McCabe) lower than 20.
McCabe cyclomatic complexity measures how complex source code is, regardless of the programming language. This software metric is based on graph theory. Highly complex code is harder to analyze, understand and maintain, so the time and effort needed to find and fix vulnerabilities increase substantially.
This requirement is verified in the following services:
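One way to check this requirement on Python code, as an added example that is not part of the original requirement text: it scores each function as decision points plus one and reports those that are not lower than 20. The counting convention (one point per if, loop, except handler, conditional expression, extra boolean operand, comprehension loop and filter) and all names are assumptions of this example; real tools differ slightly in what they count.

```python
import ast

THRESHOLD = 20  # the requirement: complexity must be lower than 20
# Each of these nodes adds one decision point (counting convention assumed here).
BRANCH_NODES = (ast.If, ast.IfExp, ast.For, ast.AsyncFor, ast.While, ast.ExceptHandler)
SCOPE_NODES = (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)

def cyclomatic_complexity(func):
    """McCabe complexity of one function node: decision points + 1."""
    score = 1
    stack = list(ast.iter_child_nodes(func))
    while stack:
        node = stack.pop()
        if isinstance(node, SCOPE_NODES):
            continue  # nested definitions are scored on their own
        if isinstance(node, BRANCH_NODES):
            score += 1
        elif isinstance(node, ast.BoolOp):
            score += len(node.values) - 1  # each and/or short-circuit is a branch
        elif isinstance(node, ast.comprehension):
            score += 1 + len(node.ifs)  # the loop plus each filter
        stack.extend(ast.iter_child_nodes(node))
    return score

def scan(source):
    """Return sorted (line, name, complexity) for every function in the source."""
    return sorted((n.lineno, n.name, cyclomatic_complexity(n))
                  for n in ast.walk(ast.parse(source))
                  if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef)))

def violations(source, threshold=THRESHOLD):
    """Functions whose complexity is not lower than the threshold."""
    return [row for row in scan(source) if row[2] >= threshold]

# Constructed sample input: a small function and one with 19 sequential branches.
SAMPLE = (
    "def parse_flag(value):\n"
    "    if value in ('1', 'true') or value == 'yes':\n"
    "        return True\n"
    "    return False\n\n"
    "def dispatch(code):\n"
    + "".join(f"    if code == {i}:\n        return 'handler_{i}'\n" for i in range(19))
    + "    return None\n"
)

if __name__ == "__main__":
    for line, name, score in scan(SAMPLE):
        print("FAIL" if score >= THRESHOLD else "ok", line, name, score)
```

In the sample, `dispatch` scores exactly 20 and is reported, because the requirement asks for a value lower than 20, not lower than or equal to it.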
- CWE-1120. Excessive code complexity
- CWE-1121. Excessive McCabe cyclomatic complexity
- MITRE ATT&CK®-M1013. Application developer guidance
- NIST SSDF-PW_5_1. Archive and protect each software release