SonarQube Cognitive Complexity: How It Scores and Where It Lies
SonarQube Cognitive Complexity: How It Scores and Where It Lies
The Smell
The logistics platform team added SonarQube to their CI pipeline and set the cognitive complexity threshold to 15. Three months later, eight methods still exceed the threshold. The team added @SuppressWarnings("java:S3776") to each one with a comment: “Too complex to refactor safely.” The metric identified the problem. The team suppressed the measurement instead of addressing the cause.
But there is a subtler failure. Fourteen methods score below 15 and are still hard to read. The metric does not catch them because their complexity comes from naming, not structure. A method with cognitive complexity 8 that uses variable names like data, temp, result, and flag is harder to read than a method with complexity 14 that uses descriptive names. The metric measures structure. It does not measure semantics.
The Cognitive Cost
Developers who rely on cognitive complexity scores without understanding the scoring algorithm make two mistakes. They treat methods below the threshold as readable, and they treat methods above the threshold as equally bad. A method scoring 16 might need one if block extracted. A method scoring 42 needs architectural intervention. The score tells you there is a problem. It does not tell you the shape of the problem.
The Before
// HARD TO READ: Cognitive complexity 26.
// Scoring breakdown:
// +1 for each if/else/for/while/catch
// +1 for each level of nesting beyond the first
// +1 for each break in linear flow (continue, break, return in middle)
public ShipmentRate calculateRate(Shipment shipment, Carrier carrier) {
BigDecimal base = BigDecimal.ZERO;
if (carrier.isActive()) { // +1
if (shipment.isInternational()) { // +2 (nesting)
base = carrier.getInternationalBaseRate();
if (shipment.getWeight() > 50) { // +3 (nesting)
base = base.multiply(HEAVY_MULTIPLIER);
if (carrier.hasHeavyFreightSurcharge()) { // +4 (nesting)
base = base.add(carrier.getHeavyFreightSurcharge());
}
}
for (CustomsFee fee : getCustomsFees(shipment)) { // +3 (nesting)
if (fee.isApplicable(shipment)) { // +4 (nesting)
base = base.add(fee.calculate(shipment));
} else { // +1
log.debug("Fee not applicable: {}", fee);
}
}
} else { // +1
base = carrier.getDomesticBaseRate();
if (shipment.getWeight() > 50) { // +2 (nesting)
base = base.multiply(HEAVY_MULTIPLIER);
}
}
} else { // +1
throw new InactiveCarrierException(carrier.getId());
}
if (base.compareTo(BigDecimal.ZERO) <= 0) { // +1
throw new InvalidRateException(shipment.getId(), carrier.getId());
}
return new ShipmentRate(shipment.getId(), carrier.getId(), base,
shipment.isInternational() ? "INTERNATIONAL" : "DOMESTIC"); // +1
}
// Total cognitive complexity: 26The nesting is the killer. Each level of nesting adds an incremental penalty because the reader must hold the enclosing conditions in working memory while evaluating the nested logic. At four levels deep, the reader is maintaining a mental stack of conditions: “if carrier is active AND shipment is international AND weight is over 50 AND carrier has surcharge.” Four conditions. Four slots of working memory consumed by context, leaving zero for reasoning about the actual calculation.
The Fix
// READABLE: Cognitive complexity 4.
// Guard clause eliminates nesting. Each case is a separate method.
// A reader evaluating international rate logic does not hold domestic logic in memory.
public ShipmentRate calculateRate(Shipment shipment, Carrier carrier) {
if (!carrier.isActive()) {
throw new InactiveCarrierException(carrier.getId()); // +1
}
BigDecimal rate = shipment.isInternational() // +1
? calculateInternationalRate(shipment, carrier)
: calculateDomesticRate(shipment, carrier);
if (rate.compareTo(BigDecimal.ZERO) <= 0) { // +1
throw new InvalidRateException(shipment.getId(), carrier.getId());
}
String rateType = shipment.isInternational() // +1
? "INTERNATIONAL" : "DOMESTIC";
return new ShipmentRate(shipment.getId(), carrier.getId(), rate, rateType);
}
// Total cognitive complexity: 4
private BigDecimal calculateInternationalRate(Shipment shipment, Carrier carrier) {
BigDecimal base = carrier.getInternationalBaseRate();
base = applyWeightSurcharge(base, shipment, carrier);
base = applyCustomsFees(base, shipment);
return base;
}
private BigDecimal calculateDomesticRate(Shipment shipment, Carrier carrier) {
BigDecimal base = carrier.getDomesticBaseRate();
return applyWeightSurcharge(base, shipment, carrier);
}
private BigDecimal applyWeightSurcharge(BigDecimal base, Shipment shipment,
Carrier carrier) {
if (shipment.getWeight() <= 50) {
return base;
}
BigDecimal surchargedBase = base.multiply(HEAVY_MULTIPLIER);
if (carrier.hasHeavyFreightSurcharge()) {
surchargedBase = surchargedBase.add(carrier.getHeavyFreightSurcharge());
}
return surchargedBase;
}The refactored version scores 4 on cognitive complexity. The extracted methods each score below 5. But the real improvement is not the score. It is the working memory reduction. A reader understanding the international rate calculation holds one concept: “start with the base rate, apply weight surcharge, apply customs fees.” They do not hold the domestic logic, the carrier activity check, or the validation logic. Each method fits in working memory independently.
Where the metric lies: the extracted method applyWeightSurcharge has a cognitive complexity of 3. It is straightforward. But if it were named apply, or process, or handle, the cognitive complexity score would be identical. The metric does not know that applyWeightSurcharge tells the reader exactly what it does, while process forces the reader to read the implementation. Naming quality is invisible to the metric. Chapter 3 addresses this gap.
The Rule
Use SonarQube cognitive complexity to find methods above 15, then read each one to diagnose whether the burden is structural (nesting, boolean interaction) or semantic (naming, abstraction leaks). Fix structural problems by reducing nesting depth. Fix semantic problems by renaming and extracting. Never suppress the warning. If the method is too complex to refactor safely, that is the strongest possible argument for refactoring it, not suppressing the measurement.