Inappropriate coding practices - Cyclomatic complexity
Description
The application has source code with high McCabe cyclomatic complexity, making the code difficult to understand and maintain, promoting the appearance of new security vulnerabilities and hindering their detection and solution.
Impact
Promote the creation of security vulnerabilities
Recommendation
Refactor the complex code by simplifying methods, subroutines or conditionals
Threat
Authenticated attacker from the Internet with write access to the code.
Expected Remediation Time
⌚ 30 minutes.
Score
Default score using CVSS 3.1. It may change depending on the context of the vulnerability.
Base
- Attack vector: N
- Attack complexity: H
- Privileges required: H
- User interaction: N
- Scope: U
- Confidentiality: N
- Integrity: L
- Availability: N
Temporal
- Exploit code madurity: P
- Remediation level: X
- Report confidence: X
Result
- Vector string: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:X
- Score:
- Base: 2.2
- Temporal: 2.1
- Severity:
- Base: Low
- Temporal: Low
Code Examples
Compliant code
The application correctly implements coding principles to avoid high cyclomatic complexity within each function or class
public static void main(String[] args) {
try {
if(username.equals(username) && password.equals(password)){
//Code to handle login
}
} catch (InterruptedException e) {
//Code to catch exception when log in is not successful
}
}
Non compliant code
There are functionalities in the code high a cyclomatic complexity higher than recommended values
def thisFunction(**args):
inputs...
try...
if...
if...
for i in...
if...
while...
if...
else if...
else if...
for...
if...
else...
while...
if...
somefunction();
else if...
newfunction();
else if...
catch
if...
Requirements
Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.