I was at the OWASP Sweden meeting last night and spoke about open source and security. One of the other speakers present was Simon Josefsson who in his talk showed a nice table listing functions in his project sorted by “complexity”. Functions above a certain score are then considered “high risk” as they are hard to read and follow and thus may be subject to security problems.
The kind man he is, Simon already shows a page with a Curl Cyclomatic Complexity Report nicely identifying a bunch of functions we should really consider poking at to decrease the complexity of. The top-10 “bad” functions are:
Function | Score | Statements | Lines | Code |
---|---|---|---|---|
ssh_statemach_act | 254 | 880 | 1582 | lib/ssh.c |
Curl_http | 204 | 395 | 886 | lib/http.c |
readwrite_headers | 129 | 269 | 709 | lib/transfer.c |
Curl_cookie_add | 118 | 247 | 502 | lib/cookie.c |
FormAdd | 105 | 210 | 421 | lib/formdata.c |
dprintf_formatf | 92 | 233 | 395 | lib/mprintf.c |
multi_runsingle | 94 | 251 | 606 | lib/multi.c |
Curl_proxyCONNECT | 74 | 212 | 443 | lib/http.c |
readwrite_data | 73 | 127 | 319 | lib/transfer.c |
ftp_state_use_port | 60 | 195 | 387 | lib/ftp.c |
I intend to use this as an indication of which functions within libcurl to work on. My plan is to primarily break down each of these functions into smaller ones to make them easier to read and follow. It would be cool to get every single function below 50. But I’m not sure that’s feasible or even really a good idea.
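To show what such a report actually measures, here is a small scorer I added for this post (it is not Simon's tool and not curl code): it walks each function, adds one to the score per decision point, and lists functions worst first with the same Score / Statements / Lines columns as the table above, so anything over a chosen threshold becomes the refactoring worklist. The sample source is constructed, and the counting rules follow one common McCabe convention; real tools differ in details.

```python
import ast

# Constructed sample input (not curl code): one branchy function, one trivial one.
SAMPLE_SOURCE = '''
def parse_header(line):
    if not line or line.startswith(" "):
        return None
    name, sep, value = line.partition(":")
    if not sep:
        return None
    value = value.strip()
    if name.lower() == "content-length" and value.isdigit():
        return name, int(value)
    for ch in name:
        if ch in "()<>@,;:/[]?={}":
            return None
    return name, value

def add(a, b):
    return a + b
'''

def cyclomatic_complexity(func):
    """McCabe-style score: 1 + one per decision point. Counting rules differ
    between tools; this follows the usual branch/loop/handler/boolean rule."""
    score = 1
    for node in ast.walk(func):
        if isinstance(node, (ast.If, ast.For, ast.AsyncFor, ast.While,
                             ast.ExceptHandler, ast.IfExp)):
            score += 1                       # one more path through the function
        elif isinstance(node, ast.BoolOp):
            score += len(node.values) - 1    # each extra 'and'/'or' operand
        elif isinstance(node, ast.comprehension):
            score += len(node.ifs)           # 'if' filters inside comprehensions
    return score

def complexity_report(source):
    """Rows of (function, score, statements, lines), worst first like the curl table."""
    rows = []
    for node in ast.parse(source).body:
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            statements = sum(1 for n in ast.walk(node)
                             if isinstance(n, ast.stmt) and n is not node)
            lines = node.end_lineno - node.lineno + 1
            rows.append((node.name, cyclomatic_complexity(node), statements, lines))
    return sorted(rows, key=lambda r: r[1], reverse=True)

def high_risk(rows, threshold):
    """Functions scoring above the threshold, i.e. the refactoring worklist."""
    return [name for name, score, _, _ in rows if score > threshold]
```

Run `complexity_report(SAMPLE_SOURCE)` and `high_risk(rows, 50)` on the sample to see the ranking; with the post's target of 50 nothing in the sample is flagged, which is the point of the threshold.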