SonarQube 8.6 - now 8.8.0.42792 developer license - same problem.
Azure task 4.20.0
SonarScanner for MSBuild 5.2.1
java version “11.0.10” 2021-01-19 LTS
Node.js v14.15.4
PostgreSQL 13.1 / Driver 42.2.19
Error observed
We are using the analysis on pull requests, and with exactly the same code the analysis is taking much longer than before. We are not sure what happened, and there was no manual update on the task nor on the build agents.
The only thing that we could imagine is that the task on Azure DevOps was updated, but when comparing them, we see no difference.
What else should we check? Are there some logs or a cache causing this problem?
Last analysis on 02.05: INFO: Sensor CSharpSecuritySensor [security] (done) | time=181201ms
Hi,
No, it started happening from one day to the next with 8.6. We've upgraded to 8.8 to see if it helps.
Now we have a workaround by disabling:
• S2076 - OS commands should not be vulnerable to injection attacks
• S2078 - LDAP queries should not be vulnerable to injection attacks
• S2083 - I/O function calls should not be vulnerable to path injection attacks
• S2091 - XPath expressions should not be vulnerable to injection attacks
• S2631 - Regular expressions should not be vulnerable to Denial of Service attacks
• S3649 - SQL queries should not be vulnerable to injection attacks
• S5144 - Server-side requests should not be vulnerable to forging attacks
It’s back to under 5 min.
But we would like to re-enable them soon.
Cheers,
Marco
Hello @mlop3s - did you notice any change in terms of LOCs, or number of issues since this change? Or any other visible changes in terms of measures inside SQ for your project?
It would help us to see the verbose logs.
Please run SonarScanner.MSBuild.exe begin /k:"MyProject" /d:sonar.verbose=true as the begin step, and please attach the output of the BEGIN and END steps (in your Azure DevOps task, add the /d:sonar.verbose=true parameter to the Prepare Analysis task).
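When comparing a fast and a slow run of the scanner, the per-sensor timing lines (such as the CSharpSecuritySensor line quoted in the first post) can be ranked and diffed to see which sensor regressed. The following is an added example, not part of the thread or of any SonarSource tooling; the function names are hypothetical, and the sample logs are constructed except for the one timing line quoted above.

```python
import re

# Matches scanner lines such as the one quoted in the thread:
#   INFO: Sensor CSharpSecuritySensor [security] (done) | time=181201ms
# The "[plugin]" part is optional; search() tolerates CI timestamp prefixes.
SENSOR_DONE = re.compile(
    r"INFO: Sensor (?P<name>.+?)(?: \[(?P<plugin>[^\]]+)\])?"
    r" \(done\) \| time=(?P<ms>\d+)ms"
)

def sensor_times(log_text):
    """Return [(sensor, plugin or None, milliseconds)], slowest first."""
    rows = []
    for line in log_text.splitlines():
        m = SENSOR_DONE.search(line)
        if m:
            rows.append((m.group("name"), m.group("plugin"), int(m.group("ms"))))
    return sorted(rows, key=lambda r: r[2], reverse=True)

def regressions(before, after, factor=2.0, min_ms=10_000):
    """Sensors at least `factor` times slower in `after` than in `before`.

    `min_ms` ignores sensors too short for the ratio to be meaningful.
    Returns [(sensor, old_ms, new_ms)], slowest first.
    """
    old = {(n, p): ms for n, p, ms in sensor_times(before)}
    out = []
    for name, plugin, ms in sensor_times(after):
        prev = old.get((name, plugin))
        if prev is not None and ms >= min_ms and ms >= prev * factor:
            out.append((name, prev, ms))
    return out

# Constructed sample: an earlier, fast run (all values made up).
BEFORE = """\
INFO: Sensor C# [csharp] (done) | time=4100ms
INFO: Sensor CSharpSecuritySensor [security] (done) | time=20000ms
INFO: Sensor Zero Coverage Sensor (done) | time=12ms
"""
# Constructed sample: the slow run; only the security line is from the thread.
AFTER = """\
2021-05-02T10:15:01Z INFO: Sensor C# [csharp] (done) | time=4300ms
2021-05-02T10:18:03Z INFO: Sensor CSharpSecuritySensor [security] (done) | time=181201ms
2021-05-02T10:18:03Z INFO: Sensor Zero Coverage Sensor (done) | time=15ms
"""

if __name__ == "__main__":
    for name, old_ms, new_ms in regressions(BEFORE, AFTER):
        print(f"{name}: {old_ms} ms -> {new_ms} ms")
```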