Lab 03: Complexity Analysis
| Duration | Level | Prerequisites |
|---|---|---|
| 30 min | Intermediate | Lab 02 |
Learning Objectives
- Understand cyclomatic complexity (CCN) and why it matters
- Run Lizard to measure function-level complexity
- Interpret CCN scores, function length, and parameter counts
- Convert Lizard output to SARIF format using
lizard-to-sarif.py - Identify functions that exceed complexity thresholds
Prerequisites
- Completed Lab 02: Linting
- Lizard installed (
pip install lizard)
Exercises
Exercise 1: Understand Cyclomatic Complexity
Cyclomatic complexity (CCN) measures the number of independent execution paths through a function. Higher CCN means more paths to test, harder-to-understand code, and higher defect probability.
| CCN Range | Risk Level | Action |
|---|---|---|
| 1–5 | Low | Simple, easy to test |
| 6–10 | Moderate | Acceptable, consider refactoring |
| 11–20 | High | Should be refactored — CI warning |
| 21+ | Very High | Must be refactored — CI error |
The workshop uses a threshold of 10 for the CI quality gate.
Exercise 2: Run Lizard Across All Apps
Working Directory: Run the following commands from the
code-quality-scan-demo-apprepository root.
Run Lizard across all demo apps to get a summary:
lizard cq-demo-app-001/src cq-demo-app-002/src cq-demo-app-003/src cq-demo-app-004/src cq-demo-app-005/ --CCN 10
Lizard outputs a table with these columns:
| Column | Description |
|---|---|
| NLOC | Non-comment Lines of Code |
| CCN | Cyclomatic Complexity Number |
| Token | Token count |
| PARAM | Number of parameters |
| Length | Total function length in lines |
| Location | File path and function name |
Exercise 3: Generate CSV Output
Generate CSV output for programmatic processing:
lizard cq-demo-app-001/src cq-demo-app-002/src cq-demo-app-003/src cq-demo-app-004/src cq-demo-app-005/ --csv > lizard-output.csv
View the first few lines of the CSV:
Get-Content lizard-output.csv | Select-Object -First 15
The CSV contains one row per function with columns: NLOC, CCN, Token, PARAM, Length, Location, File, Function, Start, End.
Exercise 4: Convert to SARIF Format
Use the lizard-to-sarif.py converter to transform Lizard CSV output into SARIF:
python src/converters/lizard-to-sarif.py --input lizard-output.csv --output complexity.sarif --ccn-threshold 10 --length-threshold 50
The converter creates a SARIF result for each function that exceeds either threshold:
- CCN > 10: Flagged as a complexity violation
- Length > 50 lines: Flagged as a function length violation
Examine the generated SARIF:
Get-Content complexity.sarif | ConvertFrom-Json | Select-Object -ExpandProperty runs | Select-Object -ExpandProperty results | Select-Object ruleId, level, @{N='function';E={$_.locations[0].physicalLocation.artifactLocation.uri}} | Format-Table
Exercise 5: Identify High-Complexity Functions
Filter for functions that exceed the CCN threshold:
lizard cq-demo-app-001/src cq-demo-app-002/src cq-demo-app-003/src cq-demo-app-004/src cq-demo-app-005/ --CCN 10 --warnings_only
For each flagged function, note:
- Which function has high complexity
- What causes it — nested
if/else,switchstatements, loops within loops - How to fix it — extract helper functions, use early returns, replace conditionals with lookup tables
Exercise 6: Analyze Nesting Depth
Look at the highest-complexity functions and identify nesting patterns:
lizard cq-demo-app-001/src cq-demo-app-002/src --CCN 15 --warnings_only -L 100
Common causes of high complexity:
| Pattern | CCN Impact | Refactoring Strategy |
|---|---|---|
Nested if/else chains | +1 per branch | Extract to guard clauses with early returns |
switch with many cases | +1 per case | Use lookup table / dictionary |
| Loop + conditional | Multiplicative | Extract inner logic to a function |
| Try/catch with retry | +2–3 | Extract retry logic to utility |
Verification Checkpoint
Verify your work before continuing:
- Lizard ran successfully across all 5 demo apps
- You generated
lizard-output.csvwith function-level metrics - You converted the CSV to
complexity.sarifusinglizard-to-sarif.py - You identified at least 3 functions with CCN > 10
- You understand the difference between CCN and function length
Summary
Cyclomatic complexity analysis with Lizard provides function-level quality metrics that complement lint findings. High-CCN functions are harder to test, more error-prone, and difficult to maintain. By converting Lizard output to SARIF, you can track complexity trends alongside lint and coverage findings in a unified dashboard.
The workshop threshold of CCN ≤ 10 aligns with industry best practices. Functions exceeding this threshold should be refactored by extracting helper functions, using early returns, and replacing complex conditionals with lookup patterns.
Next Steps
Proceed to Lab 04: Duplication Detection.