Structured vulnerability research of WordPress
I thought that I should get more structured in my vulnerability research of WordPress, and I thought that I should start off by sorting out how the code is tied together. After Googling and asking around a bit I was directed to a blog entry about KCacheGrind. That made me remember that GraphViz is a pretty neat tool to generate graphs of stuff; the problem is how to generate the code that GraphViz expects. After some more Googling I found a tool called codegraph, which seems to fit the criteria.
After installing codegraph (and its dependencies) I ran it like this:
$ cd /path/to/wordpress/src/
$ codegraph -F "*.php */*.php */*/*.php */*/*/*.php" -S wordpress-2_0_1.svg
Which generated a 1.9 Mb SVG file with the relationship between the different pieces of code. After loading the SVG file into InkScape I quickly located what appeared to be dead (unused) code. But tracking down the relationships using the SVG format isn't really optimal. It's great for an overview, but unless you have a 2 meter wide plotter to print it out on, it isn't of much use (except that it looks kinda cool).
What I really need is something that generates documentation for me of who depends on a particular function and what that function depends on in return (parent and child dependencies). It would be really cool if it also documented what parameters the said function supports. Unfortunately codegraph doesn't support that, so I am still hunting for software that allows me to do that. If you know of any such software, please let me know by leaving a comment.
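The caller/callee listing with parameters described above can be approximated with a short script. This is an added example, not code from the original post or from codegraph; the names `xref`, `balanced`, `uncalled` and `SAMPLE` are hypothetical, and the PHP input is constructed. It assumes regex matching is good enough for an audit overview and only records calls to functions defined in the scanned files.

```python
import re

# Regex approximation of PHP, not a parser: comments and strings are blanked first so
# names or braces inside them are not counted. Inline HTML and heredocs are not handled.
NOISE_RE = re.compile(r'/\*.*?\*/|//[^\n]*|#[^\n]*|\'(?:\\.|[^\'\\])*\'|"(?:\\.|[^"\\])*"', re.S)
DEF_RE = re.compile(r'\bfunction\s+&?\s*([A-Za-z_]\w*)\s*(?=\()')
CALL_RE = re.compile(r'(?<![\w$>:])([A-Za-z_]\w*)\s*\(')  # skips $var(), ->method(), ::method()

SAMPLE = {  # constructed PHP for the demo, not WordPress code
    'a.php': "<?php\nfunction get_opt($name, $default = array()) {\n"
             "  return lookup($name); // lookup('x')\n}\n"
             "function lookup($key) { return $GLOBALS['o'][$key]; }\n",
    'b.php': "<?php\nfunction render($id) { echo get_opt('title', array()); }\n"
             "function unused_helper($a, $b) { return $a . \"render(\" . $b; }\n",
}

def balanced(src, pos, op, cl):
    """Return (inner text, end index) of the op/cl-balanced span at the first op from pos."""
    start = src.find(op, pos)
    if start < 0:
        return '', len(src)
    depth = 0
    for i in range(start, len(src)):
        depth += (src[i] == op) - (src[i] == cl)
        if depth == 0:
            return src[start + 1:i], i + 1
    return src[start + 1:], len(src)  # unbalanced input: take the rest

def xref(sources):
    """Map each defined function to its file, parameters, callees and callers."""
    index, bodies = {}, {}
    for fname, text in sources.items():
        clean = NOISE_RE.sub("''", text)
        for m in DEF_RE.finditer(clean):
            name = m.group(1).lower()  # PHP function names are case-insensitive
            params, end = balanced(clean, m.end(), '(', ')')
            body, _ = balanced(clean, end, '{', '}')
            index[name] = {'file': fname, 'params': re.findall(r'\$\w+', params),
                           'calls': set(), 'called_by': set()}
            bodies[name] = DEF_RE.sub('', body)  # drop nested definitions
    for name, body in bodies.items():
        for callee in (c.lower() for c in CALL_RE.findall(body)):
            if callee in index:  # keep only functions defined in the scanned files
                index[name]['calls'].add(callee)
                index[callee]['called_by'].add(name)
    return index

def uncalled(index):
    """Functions nothing in the scanned files calls: entry points or dead-code candidates."""
    return sorted(n for n, f in index.items() if not f['called_by'])
```

Pass `xref()` a dict of file name to file contents read from the source tree; `uncalled()` then lists the functions with no recorded caller, which still need a manual check because hooks and callbacks invoked by name are not seen.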