Code Quality (non-security)

Non-security signals: high cognitive complexity, deeply nested control flow, and other maintainability issues. Surfaced because they correlate with bugs, not because they are themselves a security risk. Routed to a separate bucket so the OWASP rollup is not polluted by code-quality noise.

What Vulkro detects

Vulkro's complexity analyzer (security::complexity) scores every parseable function using G. Ann Campbell's cognitive-complexity metric and emits Medium / High findings above the configured thresholds. These findings are explicitly NOT classified under any OWASP category.
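To show how the cognitive-complexity scoring described above behaves, here is an added example (not Vulkro's own analyzer): a simplified scorer over Python's ast module that applies the main Campbell rules (structural increments grow with nesting depth, else/elif and boolean-operator sequences cost a flat 1) and buckets the result as Medium / High. The thresholds and the sample input are assumptions made up for this example.

```python
import ast
MEDIUM_THRESHOLD, HIGH_THRESHOLD = 10, 20  # assumed for this example; Vulkro's configured values are not on this page

class CognitiveComplexity(ast.NodeVisitor):
    """if/for/while: 1 + nesting depth, and open a level; else/elif: flat 1; each boolean-operator sequence: 1."""
    score = nesting = 0  # per-instance counters; the int class defaults are shadowed on first write
    def _nested(self, nodes):  # visit children one nesting level deeper
        self.nesting += 1
        for n in nodes:
            self.visit(n)
        self.nesting -= 1
    def visit_If(self, node, is_elif=False):
        self.score += 1 if is_elif else 1 + self.nesting
        self.visit(node.test)  # picks up boolean operators in the condition
        self._nested(node.body)
        if len(node.orelse) == 1 and isinstance(node.orelse[0], ast.If):
            self.visit_If(node.orelse[0], is_elif=True)  # elif: flat +1, no extra nesting
        elif node.orelse:
            self.score += 1  # else: flat +1, but its body sits one level deeper
            self._nested(node.orelse)
    def _loop(self, node):
        self.score += 1 + self.nesting
        self.visit(node.test if isinstance(node, ast.While) else node.iter)
        self._nested(node.body)
    visit_For = visit_While = _loop
    def visit_BoolOp(self, node):
        self.score += 1  # one increment per operator sequence, not per operand
        self.generic_visit(node)

def score_functions(source):
    """Return {name: (cognitive complexity, severity or None)} for each top-level def."""
    out = {}
    for node in ast.parse(source).body:
        if isinstance(node, ast.FunctionDef):
            v = CognitiveComplexity()
            for stmt in node.body:
                v.visit(stmt)
            sev = "High" if v.score >= HIGH_THRESHOLD else "Medium" if v.score >= MEDIUM_THRESHOLD else None
            out[node.name] = (v.score, sev)
    return out

SAMPLE = '''# constructed sample input; each comment shows the increment (total 13 -> Medium)
def handler(events, allow):
    for e in events:                    # +1
        if e.kind == "a" and allow:     # +2 (nesting 1), +1 for the "and" sequence
            for x in e.items:           # +3 (nesting 2)
                if x: yield x           # +4 (nesting 3)
        elif e.kind == "b": yield None  # +1
        else: return                    # +1
'''
```

The same `for`/`if` pair written flat would cost 2 instead of 7, which is why this metric, unlike cyclomatic complexity, singles out deeply nested control flow.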

See also

  • Confidence model - what High, Medium, and Low mean for findings in this category.
  • Safety - what Vulkro does and does not access on your machine.

References


This page is generated by vulkro rules export <out-dir> from the catalog in src/rule_docs.rs. Edits made by hand are overwritten on the next regeneration.