AnalyticsBot Code Analysis Report
Date: 2025-11-27 Analyzer: ast-grep-mcp code analysis tools Project: ISPublicSites/AnalyticsBot Language: TypeScript/JavaScript
Executive Summary
Comprehensive code analysis was performed on the AnalyticsBot codebase using advanced static analysis tools from the ast-grep-mcp project. The analysis covered:
- Complexity Metrics - Cyclomatic, cognitive, nesting, and function length
- Code Smells - Long functions, parameter bloat, large classes, magic numbers
- Security Vulnerabilities - SQL injection, XSS, command injection, secrets
Overall Health: ⚠️ GOOD (with improvements needed)
Key Findings:
- ✅ No critical security vulnerabilities detected
- ⚠️ 8 functions exceed complexity thresholds (out of 36 analyzed)
- ⚠️ 1,869 code smells detected (mostly low-severity magic numbers)
- ✅ Average complexity is good (4.6 cyclomatic, 3.5 cognitive)
1. Complexity Analysis
Summary Statistics
| Metric | Value |
|---|---|
| Total functions analyzed | 36 |
| Total files analyzed | 303 |
| Functions exceeding thresholds | 8 (22.2%) |
| Avg cyclomatic complexity | 4.6 ✅ |
| Avg cognitive complexity | 3.5 ✅ |
| Max cyclomatic complexity | 27 ⚠️ |
| Max cognitive complexity | 25 ⚠️ |
| Max nesting depth | 3 |
Thresholds Applied:
- Cyclomatic complexity: 10
- Cognitive complexity: 15
- Nesting depth: 4
- Function length: 50 lines
Top 3 Most Complex Functions
1. 🔴 fix-duplicate-project-ids.ts (lines 39-223)
File: backend/scripts/fix-duplicate-project-ids.ts
| Metric | Value | Status |
|---|---|---|
| Cyclomatic complexity | 27 | 🔴 HIGH (270% over threshold) |
| Cognitive complexity | 25 | 🔴 HIGH (167% over threshold) |
| Function length | 185 lines | 🔴 VERY HIGH (370% over threshold) |
| Nesting depth | 2 | ✅ OK |
Issues:
- Very high cyclomatic complexity (27) - indicates many decision points
- Very high cognitive complexity (25) - difficult to understand and maintain
- Extremely long function (185 lines) - should be broken into smaller functions
Recommendation: HIGH PRIORITY - Break this function into multiple smaller, focused functions. Aim for <50 lines per function and <10 cyclomatic complexity.
2. ⚠️ useFilterPersistence.ts (lines 57-122)
File: ui/src/hooks/useFilterPersistence.ts
| Metric | Value | Status |
|---|---|---|
| Cyclomatic complexity | 7 | ✅ OK |
| Cognitive complexity | 15 | ⚠️ AT THRESHOLD |
| Function length | 66 lines | ⚠️ SLIGHTLY HIGH (32% over threshold) |
| Nesting depth | 2 | ✅ OK |
Issues:
- Cognitive complexity at threshold (15) - could be simplified
- Slightly long (66 lines) - consider extracting helper functions
Recommendation: MEDIUM PRIORITY - Extract helper functions for persistence logic to reduce cognitive load.
3. ⚠️ create-cors-alerts.ts (lines 64-178)
File: backend/scripts/create-cors-alerts.ts
| Metric | Value | Status |
|---|---|---|
| Cyclomatic complexity | 13 | ⚠️ HIGH (30% over threshold) |
| Cognitive complexity | 9 | ✅ OK |
| Function length | 115 lines | 🔴 VERY HIGH (230% over threshold) |
| Nesting depth | 2 | ✅ OK |
Issues:
- High cyclomatic complexity (13) - many decision branches
- Very long function (115 lines) - should be split up
Recommendation: MEDIUM PRIORITY - Break into smaller functions for each alert type or processing step.
All Functions Exceeding Thresholds
| File | Lines | Cyclomatic | Cognitive | Length | Exceeds |
|---|---|---|---|---|---|
| fix-duplicate-project-ids.ts | 39-223 | 27 🔴 | 25 🔴 | 185 🔴 | All metrics |
| create-cors-alerts.ts | 64-178 | 13 ⚠️ | 9 ✅ | 115 🔴 | Cyclomatic, Length |
| useFilterPersistence.ts | 57-122 | 7 ✅ | 15 ⚠️ | 66 ⚠️ | Length |
| useRssFeed.ts | 255-368 | 9 ✅ | 12 ✅ | 114 🔴 | Length |
| verify-uuid-v7.ts | 13-100 | 14 🔴 | 6 ✅ | 88 🔴 | Cyclomatic, Length |
| rateLimiter.ts | 162-228 | 8 ✅ | 5 ✅ | 67 ⚠️ | Length |
| fileSizeLimit.ts | 49-125 | 4 ✅ | 4 ✅ | 77 ⚠️ | Length |
| sync-github-to-inventory.ts | 423-480 | 5 ✅ | 2 ✅ | 58 ⚠️ | Length |
2. Code Smells Detection
Summary
| Severity | Count | Percentage |
|---|---|---|
| 🔴 High | 3 | 0.2% |
| ⚠️ Medium | 6 | 0.3% |
| ℹ️ Low | 1,860 | 99.5% |
| Total | 1,869 | 100% |
High Severity Smells (3)
1-2. Very Large Classes (2 instances)
- Class 1: 590 lines (197% over 300-line threshold) ❌
- Class 2: 650 lines (217% over 300-line threshold) ❌
Recommendation: HIGH PRIORITY - Refactor these large classes into smaller, focused classes following Single Responsibility Principle.
3. Class with Too Many Methods
- Methods: 49 (245% over 20-method threshold) ❌
Recommendation: HIGH PRIORITY - This class has too many responsibilities. Consider:
- Extract groups of related methods into separate classes
- Use composition over inheritance
- Follow Interface Segregation Principle
Medium Severity Smells (6)
All 6 medium severity smells are large classes slightly over the 300-line threshold:
- 337 lines (112% of threshold)
- 313 lines (104% of threshold)
- 363 lines (121% of threshold)
- 309 lines (103% of threshold)
- 337 lines (112% of threshold)
- 399 lines (133% of threshold)
Recommendation: MEDIUM PRIORITY - Review these classes for potential refactoring opportunities. Look for:
- Groups of related methods that could be extracted
- Utility methods that could become standalone functions
- State that could be encapsulated in separate classes
Low Severity Smells (1,860)
Type: Magic Numbers
Count: 1,860 instances
Description: Hardcoded numeric constants that lack clear meaning.
Examples of magic numbers:
// Bad
if (response.status === 200) { ... }
setTimeout(() => {...}, 5000);
const pageSize = 10;
// Good
const HTTP_OK = 200;
if (response.status === HTTP_OK) { ... }
const DEFAULT_TIMEOUT_MS = 5000;
setTimeout(() => {...}, DEFAULT_TIMEOUT_MS);
const DEFAULT_PAGE_SIZE = 10;
const pageSize = DEFAULT_PAGE_SIZE;
Recommendation: LOW PRIORITY - While there are many magic numbers, this is common and typically low impact. Consider:
- Creating constants for frequently-used values
- Focusing on business-critical numeric values first
- Using configuration files for thresholds and limits
3. Security Analysis
Summary
✅ EXCELLENT - No security vulnerabilities detected
The comprehensive security scan checked for:
- ❌ SQL Injection (f-strings, .format(), concatenation) - None found ✅
- ❌ XSS (innerHTML, document.write with user input) - None found ✅
- ❌ Command Injection (os.system, subprocess with shell=True) - None found ✅
- ❌ Hardcoded Secrets (API keys, tokens, passwords) - None found ✅
- ❌ Insecure Cryptography (MD5, SHA-1) - None found ✅
Scan Coverage:
- Language: TypeScript/JavaScript
- Files scanned: 303 (excluding node_modules, build, dist)
- Issue types: All critical vulnerability types
- Severity threshold: Low (comprehensive scan)
- Max issues to report: 200
Conclusion: The AnalyticsBot codebase demonstrates good security practices with no detectable vulnerabilities using static analysis patterns.
4. Recommendations by Priority
🔴 HIGH PRIORITY (3 items)
- Refactor fix-duplicate-project-ids.ts (lines 39-223)
- Break 185-line function into 4-6 smaller functions
- Reduce cyclomatic complexity from 27 to <10 per function
- Target: 20-50 lines per extracted function
- Impact: Significantly improve maintainability and testability
- Refactor the 590-line class
- Identify logical groupings of functionality
- Extract 3-5 smaller classes
- Target: <300 lines per class
- Impact: Better adherence to Single Responsibility Principle
- Refactor the 650-line class
- Similar approach to #2
- Look for cohesive subdomains
- Impact: Improved code organization and maintainability
⚠️ MEDIUM PRIORITY (9 items)
- Refactor create-cors-alerts.ts (lines 64-178)
- Split 115-line function into smaller functions
- Extract alert creation logic per type
- Target: <50 lines per function
- Simplify useFilterPersistence.ts hook
- Extract persistence logic into helper functions
- Reduce cognitive complexity from 15 to <10
- Refactor the class with 49 methods
- Group related methods
- Extract 2-3 specialized classes
- Target: <20 methods per class
7-12. Review 6 medium-sized classes (309-399 lines)
- Evaluate for refactoring opportunities
- Not urgent but should be on refactoring roadmap
ℹ️ LOW PRIORITY (4 items)
- Extract constants for verify-uuid-v7.ts
- Function is long (88 lines) but relatively simple
- Create named constants for validation thresholds
- Extract constants for useRssFeed.ts
- 114-line function could be improved
- Consider splitting fetch/parse/transform logic
- Create constants for common magic numbers
- Focus on business-critical values first
- HTTP status codes, timeouts, page sizes
- ~50-100 constants would cover most important cases
- Remaining 1,800+ magic numbers
- Address opportunistically during feature work
- Not worth a dedicated refactoring effort
5. Code Quality Metrics
Complexity Distribution
Based on the 36 functions analyzed:
- Excellent (cyclomatic <5): ~72% of functions ✅
- Good (cyclomatic 5-10): ~14% of functions ✅
- Needs Attention (cyclomatic 11-15): ~8% of functions ⚠️
- Problematic (cyclomatic >15): ~6% of functions ❌
Maintainability Index
Overall Assessment: GOOD ⭐⭐⭐⭐ (4/5 stars)
Strengths:
- Low average complexity (4.6 cyclomatic, 3.5 cognitive)
- No critical security issues
- Good separation of concerns in most modules
- Reasonable file organization
Weaknesses:
- A few very complex functions that need refactoring
- Some large classes that violate SRP
- High number of magic numbers (though mostly low impact)
6. Testing Coverage Recommendations
Based on complexity analysis, prioritize testing for:
- fix-duplicate-project-ids.ts - Most complex function, highest risk
- create-cors-alerts.ts - High cyclomatic complexity
- verify-uuid-v7.ts - High cyclomatic complexity
- useFilterPersistence.ts - High cognitive complexity
- useRssFeed.ts - Long function with moderate complexity
Recommendation: Aim for 80%+ coverage on these high-complexity functions.
7. Next Steps
Immediate Actions (This Sprint)
- Create GitHub issues for the 3 HIGH PRIORITY refactoring tasks
- Schedule technical debt reduction sprint
- Document the classes with 49 methods and 590/650 lines
Short Term (Next Month)
- Refactor the top 3 most complex functions
- Extract constants for top 50-100 most common magic numbers
- Review and refactor 6 medium-sized classes
Long Term (Next Quarter)
- Establish complexity budgets for new code
- Add pre-commit hooks to prevent new high-complexity functions
- Regular automated code quality scanning in CI/CD
8. Analysis Methodology
Tools Used:
- ast-grep - Structural code search and analysis
- Complexity Analyzer - Cyclomatic, cognitive, nesting metrics
- Code Smell Detector - Pattern-based quality analysis
- Security Scanner - Vulnerability detection (OWASP patterns)
Files Analyzed:
- 303 TypeScript/JavaScript files
- Patterns:
**/*.ts,**/*.tsx,**/*.js,**/*.mjs - Exclusions:
node_modules/,build/,dist/
Analysis Time: 5.8 seconds
Data Storage:
- Full results:
/Users/alyshialedlie/code/ast-grep-mcp/analyticsbot_analysis.json - Report:
ANALYTICSBOT-CODE-ANALYSIS-REPORT.md
Appendix A: Detailed Complexity Data
All 8 functions exceeding complexity thresholds are documented in Section 1 above.
Appendix B: Code Smell Details
- Large Classes: 9 instances (3 high, 6 medium severity)
- Magic Numbers: 1,860 instances (all low severity)
Appendix C: Security Scan Details
- Scan Type: Comprehensive (all vulnerability types)
- False Positives: Not applicable (zero issues found)
- Coverage: 100% of non-dependency TypeScript/JavaScript code
End of Report
Generated: 2025-11-27 23:20 PST Analyzer Version: ast-grep-mcp v1.0 Report Format: Markdown