Analysis cache - some scanners require parsing

Hello,
We are trying to speed up the analysis on Pull Requests and hoped that the analysis cache would help, however analysis times seem to be identical compared to non-branch analysis.
According to the logs some checks seem to require parsing of the .java sources:

[2025-12-01T07:09:10.327Z] [INFO] The Java analyzer is running in a context where unchanged files can be skipped. Full analysis is performed for changed files, optimized analysis for unchanged files.
[2025-12-01T07:09:10.327Z] [DEBUG] 'com/company/Whatever.java' generated metadata with charset 'UTF-8'
[2025-12-01T07:09:10.327Z] [DEBUG] Scanners that require parsing of com/company/Whatever.java: [com.sonarsource.dbd.frontend.java.rules.ClassCastCheck@52f242d0, com.sonarsource.dbd.frontend.java.rules.ExceptionReachabilityCheck@52ba6912, com.sonarsource.dbd.frontend.java.rules.InfiniteRecursionCheck@d0f11ce, com.sonarsource.dbd.frontend.java.rules.UnsupportedMethodCheck@6d9f2787, com.sonarsource.dbd.frontend.java.rules.CollectionModifiedDuringIterationCheck@121e5557, com.sonarsource.dbd.frontend.java.rules.JavaIndexErrorCheck@27ce8d44]
[2025-12-01T07:09:10.328Z] [DEBUG] 'com/company/Whatever.java' generated metadata with charset 'UTF-8'
[2025-12-01T07:09:10.329Z] [DEBUG] Scanners that require parsing of com/company/Whatever.java: [com.sonarsource.dbd.frontend.java.rules.ClassCastCheck@52f242d0, com.sonarsource.dbd.frontend.java.rules.ExceptionReachabilityCheck@52ba6912, com.sonarsource.dbd.frontend.java.rules.InfiniteRecursionCheck@d0f11ce, com.sonarsource.dbd.frontend.java.rules.UnsupportedMethodCheck@6d9f2787, com.sonarsource.dbd.frontend.java.rules.CollectionModifiedDuringIterationCheck@121e5557, com.sonarsource.dbd.frontend.java.rules.JavaIndexErrorCheck@27ce8d44]
[2025-12-01T07:09:10.329Z] [DEBUG] 'com/company/Whatever.java' generated metadata with charset 'UTF-8'
[2025-12-01T07:09:10.330Z] [DEBUG] No cached UCFGs found, file will need to be parsed.
[2025-12-01T07:09:10.330Z] [DEBUG] Scanners that require parsing of com/company/Whatever.java: [com.sonarsource.dbd.frontend.java.rules.ClassCastCheck@52f242d0, com.sonarsource.dbd.frontend.java.rules.ExceptionReachabilityCheck@52ba6912, com.sonarsource.dbd.frontend.java.rules.InfiniteRecursionCheck@d0f11ce, com.sonarsource.dbd.frontend.java.rules.UnsupportedMethodCheck@6d9f2787, com.sonarsource.dbd.frontend.java.rules.CollectionModifiedDuringIterationCheck@121e5557, com.sonarsource.dbd.frontend.java.rules.JavaIndexErrorCheck@27ce8d44, com.sonar.security.frontend.java.rules.ReflectedXssCheck@365d5b7e, com.sonar.security.frontend.java.rules.SQLInjectionCheck@4a736bcb, com.sonar.security.frontend.java.rules.OSCommandInjectionCheck@3a005d37, com.sonar.security.frontend.java.rules.OSArgumentInjectionCheck@7107f4c0, com.sonar.security.frontend.java.rules.XPathInjectionCheck@6a9fb8c, com.sonar.security.frontend.java.rules.LDAPInjectionCheck@4956f632, com.sonar.security.frontend.java.rules.RegularExpressionDoSCheck@4ab148cb, com.sonar.security.frontend.java.rules.FilePathInjectionCheck@7ac79576, com.sonar.security.frontend.java.rules.DeserializationCheck@5359e941, com.sonar.security.frontend.java.rules.ServerSideRequestCheck@7dc54847, com.sonar.security.frontend.java.rules.A@2650356, com.sonar.security.frontend.java.rules.LoggingInjectionCheck@6b7c548f, com.sonar.security.frontend.java.rules.HttpRedirectionCheck@40871bbb, com.sonar.security.frontend.java.rules.DynamicCodeExecutionCheck@5aa2d60d, com.sonar.security.frontend.java.rules.ZipSlipCheck@555ee2b0, com.sonar.security.frontend.java.rules.SessionFixationCheck@45e14a9, com.sonar.security.frontend.java.rules.OSArgumentConstructionCheck@3479b0df, com.sonar.security.frontend.java.rules.IntentRedirectionCheck@4252f4c1, com.sonar.security.frontend.java.rules.ReflectionInjectionCheck@54adf3f0, com.sonar.security.frontend.java.rules.NoSQLInjectionCheck@3b584cdb, com.sonar.security.frontend.java.rules.XMLOperationsCheck@8c04f97, com.sonar.security.frontend.java.rules.JSONOperationsCheck@5fac6e2d, com.sonar.security.frontend.java.rules.ThreadSuspensionDoSCheck@1da38f48, com.sonar.security.frontend.java.rules.FileSystemOracleCheck@1b4197f8, com.sonar.security.frontend.java.rules.OSEnvironmentVariablesCheck@571f2823, com.sonar.security.frontend.java.rules.ApiTraversalCheck@6425245b, com.sonar.security.frontend.java.rules.PromptInjectionCheck@707704e6, com.sonar.security.frontend.java.rules.CrossApplicationAttackCheck@7692a9ae, com.sonar.security.frontend.java.rules.SensitiveInformationDisclosureCheck@f83d564]

Is it expected that some checks (such as com.sonarsource.dbd.frontend.java.rules.ClassCastCheck) do not allow cached analysis data?

This happens on sonarqube Enterprise Edition v2025.5 (113872) and we’re migrating from Community Build v25.11.0.114957

Hey @gtoison ,

We have the same issue, we posted about it here. But we never found a solution. The last thing we tried was to disable all the dbd rules but never managed to do it.

Hope this post will be successfull

Hi,

Can you add -Dsonar.verbose=true to your analysis command and post the analysis log, please?

The analysis / scanner log is what’s output from the analysis command. Hopefully, the log you provide - redacted as necessary - will include that command as well.

This guide will help you find them.

 
Thx,
Ann

Hi Ann,
I have shared the full verbose log privately with Sylvain Combe,
Guillaume

Hi,

Then I’ll let him pursue this.

 
Ann