Audit required: Use of insecure `eval()` function foundPHP-A1000Syntax errorPHP-E1111Invalid use of `implements` keywordPHP-W1008Call with inconsistent number of parametersPHP-W1025Undefined function call detectedPHP-E1000Exception being raised is not from a valid exception classPHP-E1001Method is called but not definedPHP-E1002Invalid static method call detectedPHP-E1003Missing return statement in method/functionPHP-E1004Invalid use of class method overridingPHP-E1005Invalid typehint detected in arrow functionPHP-T1000Literal array with empty item(s)PHP-W1001Use of an empty `[]` to read from an arrayPHP-W1002Use of deprecated `(unset)` castPHP-W1003Bad class attribute(s)PHP-W1004Invalid usage of class constant fetch expressionPHP-W1006Duplicate declaration foundPHP-W1007Interface doesn't inherit from another interfacePHP-W1009Invalid use of `extends` keywordPHP-W1010Invalid use of `use`PHP-W1011Invalid property promotionPHP-W1013Invalid attribute classPHP-W1015Trait as attribute is not allowedPHP-W1016Function call parameters are inconsistentPHP-W1020`break` / `continue` used outside of a loopPHP-W1027Abstract method found outside of an abstract classPHP-W1030Undefined static properties must not be accessedPHP-W1034Undefined constants must not be usedPHP-W1038Detected use of `@` to suppress errorsPHP-W1078Attribute class cannot target class constantsPHP-W1005Access to an undefined static propertyPHP-E1007Audit required: Presence of debug function foundPHP-A1012Audit required: Use of an insecure cipherPHP-A1007Audit required: Include statements might be vulnerable to injection attacksPHP-A1001Audit required: SQL query might be vulnerable to injection attacksPHP-A1002Audit required: Sensitive cookie without `HttpOnly` attributePHP-A1003Audit required: Use of an insecure hashing functionPHP-A1004Audit required: Sensitive cookie without `secure` attributePHP-A1005Directory created with insecure permissionsPHP-A1006Manual generation of session ID detectedPHP-A1008Audit required: Function may be vulnerable to arbitrary commands executionPHP-A1009Audit required: Entity substitution can be vulnerable to XXE attacksPHP-A1010Found class constants inside a traitPHP-E1113`switch` statement contains multiple `default` casesPHP-E1114Invalid `options` array while creating a cookiePHP-E1116Abstract method has definitionPHP-E1118Use of compute intensive function in loop conditionPHP-P1000Use of duplicate type in Union types detectedPHP-T1005Use of nullable `mixed` is forbiddenPHP-T1006Nested function declaration is discouragedPHP-W1023Invalid typehint detected in functionPHP-W1029`echo` called with an invalid valuePHP-W1041Type casting is not validPHP-W1042`print` called with a value which isn't a `string`PHP-W1044Audit required: Insecure use of loggerPHP-A1011Class constants don't comply with PSR standardsPHP-C1000Invalid use of increment/decrement operatorsPHP-E1006Array contains duplicate keysPHP-W1000Undefined properties must not be accessedPHP-W1033`use` statement has no effectPHP-W1069Dead code found after `return`PHP-W1074Variable assigned to itselfPHP-W1077Parameter with a default value is not lastPHP-W1079Variable is used but not definedPHP-W1066Class method doesn't comply with PSR standardsPHP-C1001Invalid type used inside string literalPHP-W1043Use of deprecated `libxml_disable_entity_loader()`PHP-W1086Visibility should be explicitly declaredPHP-W1088Function comparison is always positivePHP-W1089Useless post increment/decrementPHP-W1090Missing native return type declaration for closure/anonymous functionPHP-T1003Unused private class property foundPHP-W1075Unused private class method foundPHP-W1076Invalid class instantiationPHP-W1012Invalid assignmentPHP-W1032`throw` expression used in PHP < 8.0PHP-W1017Invalid return typehint for functionPHP-T1002Unsafe usage of `new static()`PHP-W1014Invalid arrow functionPHP-W1018Invalid return typehint for closurePHP-T1001Abstract method defined in a non-abstract classPHP-E1115Unused variable in the closure `use`PHP-W1039Unused constructor parameterPHP-W1037Bad argument passed to `isset`PHP-W1040Typed property accessed before initializationPHP-E1008Class used with `instanceof` is not of valid typePHP-E1009`nullsafe` returned by referencePHP-W1019Invalid closure attributePHP-W1021Attribute class can not be used with functionPHP-W1022Attribute class can not be used with parameter/propertyPHP-W1024`nullsafe` expression returned by referencePHP-W1026Attribute class can not be used with methodPHP-W1031Attribute class can not be used with propertyPHP-W1035Useless `unset` callPHP-W1036Inaccessible propertyPHP-W1067Empty function/method foundPHP-W1080Empty block of code foundPHP-W1085Defining case-insensitive constants is deprecatedPHP-W1083Use of nested `switch` statements foundPHP-W1091`match` expression is returning `void`PHP-W1045Unknown magic method detectedPHP-W1081`final` keyword is redundantPHP-W1082Use of deprecated filter constantPHP-W1084`string` casting in concatenation is redundantPHP-W1087Missing class doc commentPHP-D1001Missing function/class method doc commentPHP-D1002Use of `FIXME`/`XXX`/`TODO` encounteredPHP-W1073Class property provided with an invalid typePHP-T1004Unresolvable use statementPHP-W1068`compact()` called with undefined variablesPHP-W1070Invalid regex pattern foundPHP-W1071Invalid symbol in group `use` statementPHP-W1072Consider using `func_num_args`PHP-P1001Function with cyclomatic complexity higher than threshold foundPHP-R1006
PHP logoPHP/
PHP-R1006

Function with cyclomatic complexity higher than threshold foundPHP-R1006

Minor severityMinor
Anti-pattern categoryAnti-pattern

A function with high cyclomatic complexity can be hard to understand and maintain. Cyclomatic complexity is a software metric that measures the number of independent paths through a function. A higher cyclomatic complexity indicates that the function has more decision points and is more complex.

Functions with high cyclomatic complexity are more likely to have bugs and be harder to test. They may lead to reduced code maintainability and increased development time.

To reduce the cyclomatic complexity of a function, you can:

  • Break the function into smaller, more manageable functions.
  • Refactor complex logic into separate functions or classes.
  • Avoid multiple return paths and deeply nested control expressions.

Bad practice

function fizzbuzz(string $file) { // Complexity 1
    if ($file === null) return; // +1
    $max = 0;
    try {
        $input = file_get_contents($file);
        $max = intval($input);
    } catch (e) { // +1
        return;
    }

    if ($max < 0 || $max === 0 || $max === null) return; // +3

    $i = 0;
    while ($i < $max) { // +1
        switch ($i % 15) {
            case 0: // +1
                print "fizzbuzz";
                break;
            case 3:
            case 6:
            case 9:
            case 12: // +4
                print "fizz";
                break;
            case 5:
            case 10: // +2
                print "buzz";
                break;
            default: print $i;
        };
        $i += 1;
    }
}

function get_max_from_file(string $file): ?int {
    if ($file === null) return null; // +1
    $max = 0;
    try {
        $input = file_get_contents($file);
        $max = intval($input);
    } catch (e) { // +1
        return null;
    }

    if ($max <== 0) return null; // +1
    return $max;
}

function fizzbuzz(string $file) { // Complexity 1
    $max = get_max_from_file($file) ?? return;
    $i = 0;
    while ($i < $max) { // +1
        $divby3 = $i % 3 == 0;
        $divby5 = $i % 5 == 0;

        if ($divby3 && $divby5) print "fizzbuzz"; // +2
        else if ($divby3) print "fizz"; // +1
        else if ($divby5) print "buzz"; // +1
        else print $i;

        $i += 1;
    }
}

Issue configuration

Cyclomatic complexity threshold can be configured using the cyclomatic_complexity_threshold meta field in your repository's .deepsource.toml config file.

Configuring this issue is optional. If you don't provide a value, the PHP analyzer will raise issues for functions with complexity higher than the default threshold, which is 15 (Medium) for PHP.

Here's a mapping of risk category to cyclomatic complexity score to help you configure this better:

Risk categoryCyclomatic complexity rangeRecommended action
low1-5No action needed.
medium6-15Review and monitor.
high16-25Review and refactor. It is recommended to add explanatory comments if the function absolutely cannot be changed.
very-high26-50Refactor to reduce the complexity.
critical>50The function must be refactored. Such high complexity can harm testability and readability.