Analysis takes a long time to finish

sonarcloud
security
(Shravanipandarmish Gep) #1

Hi Dinesh,

Our build is also failing for the same reasons. We have disabled the above-mentioned policies and it is still the same. Also, we need to enable those policies again, as we need the vulnerability scan.

15.txt (23.0 KB)

Suddenly analysis takes a long time to finish
(Nicolas Peru) #2

There is a lot of ongoing improvement on the engine running security rules (which is the culprit for the performance issue you are reporting). It should be deployed soon on SonarCloud. In the meantime a workaround is to deactivate the rule.

In order for us to investigate this more deeply, would you be able to share with us (privately) the content of the ucfg_cs2 folder?

Thanks in advance for your help.

(Shravanipandarmish Gep) #3

Can you please give your mail ID to forward the logs?

(Shravanipandarmish Gep) #4

Hi Nicolas,

Can you please share your email address to share ucfg_cs2 logs?

(Nicolas Peru) #5

I just sent you a private message.
You should be able to attach a zip of those files in this private message.

(Nicolas Peru) #6

Hi, thanks for sharing those ucfgs. I just ran that with the version currently in development, which already includes quite some improvements, and it ran smoothly in 2 minutes.
So you’ll have to be patient and wait for this version (7.8) to be rolled out to SonarCloud. In the meantime, as a workaround, you could deactivate the culprit rule to have an analysis that finishes (rule S5144 is causing trouble to your project).

(Shravanipandarmish Gep) #7

Hi,
Seems like it is disabled from the beginning, but we are still facing the issue. Could you please suggest?

(Andrei Epure) #8

Hi @shravanipandarmish-g. Are you using the SonarWay Quality Profile (the built-in, default one) or a custom Quality Profile?

Could you tell us how many vulnerability rules are enabled on your quality profile? Could you post here a screenshot of the Quality Profile rules summary, like the one I posted below (as an example)?
image

thanks!

(Shravanipandarmish Gep) #9

Hi Andrei, yes we are using the default one for our quality profile as of now.

(Andrei Epure) #10

OK, @shravanipandarmish-g, we are making progress here. The idea is that the default QP contains some special rules which could be, in some edge cases, computationally expensive.

This is why my colleague asked you to deactivate rule S5144 which is slowing your analysis.

Given that you are using SonarWay, it means that S5144 is activated by default.

Please read the documentation for Quality Profiles.

You can read this tutorial on creating a custom Quality Profile based on the default one (SonarWay), then you must deactivate the rule S5144, and then make this new QP the default one (the tutorial is made for SonarQube, but the steps are the same for SonarCloud). Then you’ll need to run the analysis again, and you should not have the performance problem anymore.

(Shravanipandarmish Gep) #11

This is what I see for the rule. It doesn’t show the de-activate option for me.

The other option you would suggest us to make our custom quality profile to avoid this long running of run code analysis.

Thank You.

(Andrei Epure) #12

Are you talking about rule S5144 “Server-side requests should not be vulnerable to forging attacks”?

This is activated by default in SonarWay, and you should disable it in your custom quality profile.

(Shravanipandarmish Gep) #13

Andrei, can you suggest how to de-activate?
It is not showing us the option to de-activate, as you can see in the screenshot provided by me earlier. We are assuming it is de-activated already, which is why that option is not visible.

(G Ann Campbell) #14

Hi,

Your first step will be to create a custom profile, I’ll call it ‘J2’. Then you can copy the rules from Sonar way to J2. Then it’s time to deactivate S5144 from J2.

 
HTH,
Ann
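
The steps from posts #10 and #14 (copy Sonar way to a custom profile, deactivate S5144 in the copy, make the copy the default) can also be scripted against the Web API. This is an added example, not code from the thread or from SonarSource. It assumes the `api/qualityprofiles` endpoints (`search`, `copy`, `deactivate_rule`, `set_default`) behave on SonarCloud as they do on SonarQube; the token, organization, language key `cs` and the repository prefix of the rule key are assumptions to check against your own project.

```python
import base64
import json
import os
import urllib.parse
import urllib.request

def sonar_call(base_url, token):
    """Return call(method, endpoint, params) -> dict for one Sonar Web API host."""
    auth = base64.b64encode(f"{token}:".encode()).decode()  # token as Basic user name
    def call(method, endpoint, params):
        query = urllib.parse.urlencode(params)
        url = f"{base_url.rstrip('/')}/{endpoint}"
        if method == "GET":
            req = urllib.request.Request(f"{url}?{query}")
        else:
            req = urllib.request.Request(url, data=query.encode(), method=method)
        req.add_header("Authorization", f"Basic {auth}")
        with urllib.request.urlopen(req, timeout=60) as resp:
            body = resp.read()
        return json.loads(body) if body else {}  # some endpoints answer with no body
    return call

def clone_profile_without_rule(call, organization, language, new_name, rule_key,
                               source_name="Sonar way"):
    """Copy source_name to new_name, deactivate rule_key in the copy, make it default."""
    found = call("GET", "api/qualityprofiles/search",
                 {"organization": organization, "language": language})
    source = next((p for p in found.get("profiles", []) if p["name"] == source_name), None)
    if source is None:
        raise LookupError(f"no {source_name!r} profile for language {language!r}")
    # Built-in profiles are read-only, so the rule is switched off in a copy.
    copy = call("POST", "api/qualityprofiles/copy",
                {"fromKey": source["key"], "toName": new_name})
    call("POST", "api/qualityprofiles/deactivate_rule",
         {"key": copy["key"], "rule": rule_key})
    call("POST", "api/qualityprofiles/set_default",
         {"organization": organization, "language": language, "qualityProfile": new_name})
    return copy["key"]

if __name__ == "__main__":
    # Placeholders/assumptions: token and organization come from the environment;
    # "cs" and the rule key's repository prefix assume a C# project.
    api = sonar_call("https://sonarcloud.io", os.environ["SONAR_TOKEN"])
    key = clone_profile_without_rule(api, os.environ["SONAR_ORG"], "cs", "J2",
                                     "roslyn.sonaranalyzer.security.cs:S5144")
    print("new default profile:", key)
```

Once the engine improvements mentioned in post #6 are deployed, the rule can be reactivated in the custom profile, or the default can be set back to Sonar way, so the vulnerability check is restored.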
