Analysis takes a long time to finish

Hi @Nicolas_Peru,
I checked with the development team, and they mentioned the eCSlogging.parameter is old code, which they used to log calls to functions for later debugging (it is an old system). It could be ignored, but the main question is: would this be the culprit for the performance?
If it helps, I can share (parts of) the code with you for better analysis.

This is very hard to determine as of today.
In a few words, security analysis models memory in order to track values and reassignments, and it seems that we spend a lot of CPU time on the data structure modelling the memory.
I had a closer look and tried to determine which method could be at the origin of taking so much time (and so which method has the most instantiations of objects).

I suspect (and I am really not sure) that this method UserControls_UC_Finance.BuildControls() is triggering quite some computation and I would be interested to see the code of this one (if you can share it privately with me).

Thanks for your help.

Sent the files in private. If you want, I can share the latest logging, where the complete analysis takes 28m 39s. If we switch off some of the secure coding rules (as mentioned above in this thread), the analysis time drops to just a few minutes.

PS: Our latest analysis also reports that it cannot find files related to the UC_Finance.ascx file, and lots of ucfgs take > 120 seconds to complete.

Hi @Nicolas_Peru, have you been able to make any progress on this item?
I can send you more recent details if you want. The current analysis still takes about 25 minutes.

@Nicolas_Peru Please indicate if more info is needed. We still see that these rules are really slowing down the analysis (adding like 15 minutes to it).

S2076 - OS commands should not be vulnerable to injection attacks
S2078 - LDAP queries should not be vulnerable to injection attacks
S2083 - I/O function calls should not be vulnerable to path injection attacks
S2091 - XPath expressions should not be vulnerable to injection attacks
S2631 - Regular expressions should not be vulnerable to Denial of Service attacks
S3649 - Database queries should not be vulnerable to injection attacks

S5131 - Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks
S5167 - HTTP response headers should not be vulnerable to injection attacks
S5144 - Server-side requests should not be vulnerable to forging attacks
S5145 - Logging should not be vulnerable to injection attacks
S5146 - HTTP request redirections should not be open to forging attacks
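The reply above describes the taint analyzer as modelling memory to track values and reassignments, and the list of rules it drives are all source-to-sink injection checks. The following is an added illustration of that idea, not Sonar's analyzer or any code from this thread: a toy taint pass over a small constructed IR, in which "memory" is a dict from variable name to the set of untrusted sources that can reach it, a reassignment replaces that set (a strong update), concatenation unions it, and a hypothetical `sanitize` node clears it. The sink-to-rule table, the expression kinds and the sample program are all assumptions made up for the example; only the rule ids come from the thread.

```python
"""Toy taint analysis over a tiny straight-line IR (constructed illustration).

Each statement is a tuple. The memory model is a dict from variable name to the
set of untrusted sources whose data can currently flow into that variable.
Reassignment replaces the set (strong update), so a variable overwritten with a
constant is clean again; concatenation unions the sets of its parts.
"""
from typing import Dict, List, Set, Tuple

Taint = Set[str]
Memory = Dict[str, Taint]

# Hypothetical sink -> rule mapping, using rule ids quoted in the thread.
SINK_RULES = {
    "ExecuteSql": "S3649",        # database query injection
    "Process.Start": "S2076",     # OS command injection
    "File.ReadAllText": "S2083",  # path injection
    "Response.Redirect": "S5146", # open redirect
    "Logger.Info": "S5145",       # log injection
}


def eval_expr(expr: Tuple, mem: Memory) -> Taint:
    """Return the set of untrusted sources that can reach the value of expr."""
    kind = expr[0]
    if kind == "const":                 # string literal: never tainted
        return set()
    if kind == "source":                # e.g. Request.QueryString["id"]
        return {expr[1]}
    if kind == "var":                   # read current memory cell
        return set(mem.get(expr[1], set()))
    if kind == "concat":                # taint of a concatenation is the union
        out: Taint = set()
        for sub in expr[1:]:
            out |= eval_expr(sub, mem)
        return out
    if kind == "sanitize":              # parameterisation / encoding clears taint
        eval_expr(expr[1], mem)
        return set()
    raise ValueError(f"unknown expression kind {kind!r}")


def analyze(program: List[Tuple]) -> List[Tuple[int, str, str, Taint]]:
    """Walk the program once, updating memory; report tainted values at sinks.

    Each finding is (statement index, sink name, rule id, sources).
    """
    mem: Memory = {}
    findings: List[Tuple[int, str, str, Taint]] = []
    for idx, stmt in enumerate(program):
        op = stmt[0]
        if op == "assign":
            _, dst, expr = stmt
            mem[dst] = eval_expr(expr, mem)   # strong update on reassignment
        elif op == "sink":
            _, sink, expr = stmt
            taint = eval_expr(expr, mem)
            if taint:
                findings.append((idx, sink, SINK_RULES.get(sink, "?"), taint))
        else:
            raise ValueError(f"unknown statement {op!r}")
    return findings


# Constructed sample program; names are made up for the example.
SAMPLE = [
    ("assign", "id", ("source", 'Request.QueryString["id"]')),
    ("assign", "sql", ("concat", ("const", "SELECT * FROM t WHERE id="), ("var", "id"))),
    ("sink", "ExecuteSql", ("var", "sql")),                                   # finding: S3649
    ("assign", "safe", ("sanitize", ("var", "id"))),
    ("sink", "ExecuteSql", ("var", "safe")),                                  # clean
    ("assign", "id", ("const", "42")),                                        # id overwritten: clean
    ("sink", "Process.Start", ("concat", ("const", "tool "), ("var", "id"))), # clean
    ("sink", "Process.Start", ("var", "sql")),                                # still tainted: S2076
]

if __name__ == "__main__":
    for idx, sink, rule, sources in analyze(SAMPLE):
        print(f"stmt {idx}: {rule} at {sink}, sources={sorted(sources)}")
```

The two findings (statements 2 and 7) show why the memory model matters: `id` is reassigned to a constant at statement 5, so the later `Process.Start` call on `id` is clean, while `sql`, built before the reassignment, still carries the taint. A real analyzer has to do this across every method, branch and loop of the project, which is where the CPU time discussed in this thread goes.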

Hi Richard,

Just to let you know that we spent the last month working on the performance (CPU time) of our taint analyzer, which is bound to be released and deployed on SonarCloud within the next week (:crossed_fingers:). Hopefully it should show some improvements in the time taken to analyze C# projects.

Let us know how it goes.

Thanks again for your help.


Hi,
I can confirm it is way quicker now, saves roughly 14 minutes per analysis on our side! 23 min -> 9 min.
Great work done, thanks!

Regards, Richard
