Microsoft Software Reliability Research released a paper "Mining Metrics to Predict Component Failures", and this paper is useful from a number of different angles. First, as the title says the authors attempt to build a model based on source code metrics that signals fault probability (incidentally their conclusion is no single set of metrics works for all projects -- no surprise there). Secondly, the metrics used to profile the code provide a more in depth view than simply looking at Kloc or function points. Of course you have to have the code.
The paper looks at
· The Arcs and Blocks metrics refer to a function’s control flow graph, which is also the base for computing McCabe’s cyclomatic complexity (separately measured
· The AddrTakenCoupling metric counts the number of instances where the address of some global variable is taken in a function—as in the C++ constructs int
*ref = &globalVar or int& ref =globalVar.
· The ClassCoupling metrics counts the number of classes coupled to a class C. A class is “coupled” to C if it is a type of a class member variable, a function
parameter, or a return type in C; or if it is defined locally in a method body, or if it is an immediate superclass of C. Each class is only counted once.
Module metrics- Classes, Functions, GlobalVariables
Per-function metrics — Lines # executable lines in f(), Parameters # parameters in f(), Arcs # arcs in f()'s control flow graph, Blocks # basic blocks in f()'s control flow, ReadCoupling # global variables read in f(), WriteCoupling # global variables written in f(), AddrTakenCoupling # global variables whose address is taken in f(), ProcCoupling # functions that access a global variable written in f(), FanIn # functions calling f(), FanOut # functions called by f(), Complexity McCabe's cyclomatic complexity
Per-class metrics — ClassMethods # methods in C (private / public /protected), InheritanceDepth # of superclasses of C, ClassCoupling # of classes coupled with C (e.g. as attribute / parameter / return types), SubClasses # of direct subclasses of C
These metrics are well beyond Kloc in depth yet still (given that you have a SCAT) should meet Andrew Jaquith's rule of thumb for metrics:
Be consistently measured. The criteria must be objective and repeatable.
Be cheap to gather. Using automated tools (such as scanning software or
password crackers) helps.
Contain units of measure. Time, dollars or some numerical scale should be included—not just, say, "green," "yellow" or "red" risks.
Be expressed as a number. Give the results as a percentage, ratio or some other kind of actual measurement. Don't give subjective opinions such as "low risk" or "high priority."