C# application scanning took close to 4 to 5 hours to complete - Sonar(Version 7.9.1)

Can someone please respond on how to reduce the analysis time?

INFO: Sensor CSharpSecuritySensor [security] (done) | time=15127853ms

Please find the stack trace
++++++++++++++++++++++++++++++++++++++++++++++

INFO: Sensor XML Sensor [xml] (done) | time=362197ms
INFO: Sensor JaCoCo XML Report Importer [jacoco]
INFO: Sensor JaCoCo XML Report Importer [jacoco] (done) | time=53ms
INFO: ------------- Run sensors on module Com.Emirates.Pss.Ibe.UIPAbstractor
INFO: Sensor C# Properties [csharp]
INFO: Sensor C# Properties [csharp] (done) | time=13ms
INFO: Sensor JavaXmlSensor [java]
INFO: Sensor JavaXmlSensor [java] (done) | time=4ms
INFO: Sensor HTML [web]
INFO: Sensor HTML [web] (done) | time=0ms
INFO: Sensor JaCoCo XML Report Importer [jacoco]
INFO: Sensor JaCoCo XML Report Importer [jacoco] (done) | time=5ms
INFO: ------------- Run sensors on module Com.Emirates.Pss.Ibe.UILib
INFO: Sensor C# Properties [csharp]
INFO: Sensor C# Properties [csharp] (done) | time=15ms
INFO: Sensor JavaXmlSensor [java]
INFO: Sensor JavaXmlSensor [java] (done) | time=7ms
INFO: Sensor HTML [web]
INFO: Sensor HTML [web] (done) | time=4ms
INFO: Sensor XML Sensor [xml]
INFO: 1 source files to be analyzed
INFO: 1/1 source files have been analyzed
INFO: Sensor XML Sensor [xml] (done) | time=6635ms
INFO: Sensor JaCoCo XML Report Importer [jacoco]
INFO: Sensor JaCoCo XML Report Importer [jacoco] (done) | time=6ms
INFO: ------------- Run sensors on module Microsoft.ApplicationBlocks.Data
INFO: Sensor C# Properties [csharp]
INFO: Sensor C# Properties [csharp] (done) | time=5ms
INFO: Sensor JavaXmlSensor [java]
INFO: Sensor JavaXmlSensor [java] (done) | time=1ms
INFO: Sensor HTML [web]
INFO: Sensor HTML [web] (done) | time=0ms
INFO: Sensor JaCoCo XML Report Importer [jacoco]
INFO: Sensor JaCoCo XML Report Importer [jacoco] (done) | time=3ms
INFO: ------------- Run sensors on module Com.Emirates.Pss.Ibe.IntegrationSchema
INFO: Sensor C# Properties [csharp]
INFO: Sensor C# Properties [csharp] (done) | time=5ms
INFO: Sensor JavaXmlSensor [java]
INFO: Sensor JavaXmlSensor [java] (done) | time=9ms
INFO: Sensor HTML [web]
INFO: Sensor HTML [web] (done) | time=1ms
INFO: Sensor XML Sensor [xml]

INFO: Sensor XML Sensor [xml] (done) | time=51625ms
INFO: 43/43 source files have been analyzed
INFO: Sensor JaCoCo XML Report Importer [jacoco]
INFO: Sensor JaCoCo XML Report Importer [jacoco] (done) | time=32ms
INFO: ------------- Run sensors on module Com.Emirates.Pss.Ibe.ValueObjects
INFO: Sensor C# Properties [csharp]
INFO: Sensor C# Properties [csharp] (done) | time=48ms
INFO: Sensor JavaXmlSensor [java]
INFO: Sensor JavaXmlSensor [java] (done) | time=12ms
INFO: Sensor HTML [web]
INFO: Sensor HTML [web] (done) | time=22ms
INFO: Sensor JaCoCo XML Report Importer [jacoco]
INFO: Sensor JaCoCo XML Report Importer [jacoco] (done) | time=37ms
INFO: ------------- Run sensors on module Com.Emirates.Pss.Ibe.ConfigurationManager
INFO: Sensor C# Properties [csharp]
INFO: Sensor C# Properties [csharp] (done) | time=14ms
INFO: Sensor JavaXmlSensor [java]
INFO: Sensor JavaXmlSensor [java] (done) | time=0ms
INFO: Sensor HTML [web]
INFO: Sensor HTML [web] (done) | time=50ms
INFO: Sensor JaCoCo XML Report Importer [jacoco]
INFO: Sensor JaCoCo XML Report Importer [jacoco] (done) | time=3ms
INFO: ------------- Run sensors on module Com.Emirates.Pss.Ibe.CommonHelper
INFO: Sensor C# Properties [csharp]
INFO: Sensor C# Properties [csharp] (done) | time=17ms
INFO: Sensor JavaXmlSensor [java]
INFO: Sensor JavaXmlSensor [java] (done) | time=1ms
INFO: Sensor HTML [web]
INFO: Sensor HTML [web] (done) | time=4ms
INFO: Sensor JaCoCo XML Report Importer [jacoco]
INFO: Sensor JaCoCo XML Report Importer [jacoco] (done) | time=11ms
INFO: ------------- Run sensors on module Com.Emirates.Pss.Ibe.StateManager
INFO: Sensor C# Properties [csharp]
INFO: Sensor C# Properties [csharp] (done) | time=4ms
INFO: Sensor JavaXmlSensor [java]
INFO: Sensor JavaXmlSensor [java] (done) | time=1ms
INFO: Sensor HTML [web]
INFO: Sensor HTML [web] (done) | time=0ms
INFO: Sensor JaCoCo XML Report Importer [jacoco]
INFO: Sensor JaCoCo XML Report Importer [jacoco] (done) | time=3ms
INFO: ------------- Run sensors on module S.A.IBE-DOTNET-OLCIUI
INFO: Sensor JavaXmlSensor [java]
INFO: Sensor JavaXmlSensor [java] (done) | time=0ms
INFO: Sensor JaCoCo XML Report Importer [jacoco]
INFO: Sensor JaCoCo XML Report Importer [jacoco] (done) | time=2ms
INFO: Sensor C# [csharp]

INFO: Sensor CSharpSecuritySensor [security] (done) | time=15127853ms
INFO: Sensor PhpSecuritySensor [security]
INFO: Reading type hierarchy from: C:\workspace\S.A.IBE(MPL)\S.A.IBE-DOTNET-OLCIUI.sonarqube\out.sonar\ucfg2\php
INFO: Read 0 type definitions
INFO: Reading UCFGs from: C:\workspace\S.A.IBE(MPL)\S.A.IBE-DOTNET-OLCIUI.sonarqube\out.sonar\ucfg2\php
INFO: No UCFGs have been included for analysis.
INFO: Sensor PhpSecuritySensor [security] (done) | time=21ms
INFO: ------------- Run sensors on project
INFO: Sensor Zero Coverage Sensor
INFO: Sensor Zero Coverage Sensor (done) | time=7398ms
INFO: SCM provider for this project is: git
INFO: 747 files to be analyzed

INFO: Sensor C# [csharp] (done) | time=408845ms
INFO: Sensor JavaSecuritySensor [security]
INFO: Reading type hierarchy from: C:\workspace\S.A.IBE(MPL)\S.A.IBE-DOTNET-OLCIUI.sonarqube\out.sonar\ucfg2\java
INFO: Read 0 type definitions
INFO: Reading UCFGs from: C:\workspace\S.A.IBE(MPL)\S.A.IBE-DOTNET-OLCIUI.sonarqube\out.sonar\ucfg2\java
INFO: No UCFGs have been included for analysis.
INFO: Sensor JavaSecuritySensor [security] (done) | time=164ms
INFO: Sensor CSharpSecuritySensor [security]
INFO: Reading type hierarchy from: C:\workspace\S.A.IBE(MPL)\S.A.IBE-DOTNET-OLCIUI.sonarqube\out\ucfg_cs2
INFO: Read 5285 type definitions
INFO: Reading UCFGs from: C:\workspace\S.A.IBE(MPL)\S.A.IBE-DOTNET-OLCIUI.sonarqube\out\ucfg_cs2
INFO: 07:55:29.427 Building Type propagation graph
INFO: 07:55:30.255 Running Tarjan on 66400 nodes
INFO: 07:55:30.912 Tarjan found 66175 components
INFO: 07:55:31.542 Variable type analysis: done
INFO: 07:55:31.623 Building Type propagation graph
INFO: 07:55:32.018 Running Tarjan on 66413 nodes
INFO: 07:55:32.376 Tarjan found 66188 components
INFO: 07:55:32.503 Variable type analysis: done
INFO: Analyzing 7821 ucfgs to detect vulnerabilities.
INFO: All rules entrypoints : 482 Retained UCFGs : 3226
INFO: rule: S5131, entrypoints: 8
INFO: Visited 261 ucfgs in 17359 ms, 65091 steps
INFO: rule: S5131 done
INFO: rule: S3649, entrypoints: 480
INFO: Visited 3221 ucfgs in 4517542 ms, 1130539 steps
INFO: rule: S3649 done
INFO: rule: S2076, entrypoints: 0
INFO: Visited 0 ucfgs in 0 ms, 0 steps

Hi @Shahid_Shaik,

This is due to the advanced Taint Analysis scan which detects injection security vulnerabilities, following user input from entering the application down to specific “sinks” which are sensitive APIs (like database calls, filesystem access, OS command execution, etc.).

In version 7.9.x we know we have serious performance problems, so I suggest updating to the latest version of SonarQube, 8.2, which has big improvements in this area.

Also, if you cannot update your SQ version, you can disable the injection rules that take a lot of time. From your logs (which I believe are incomplete), I see:

INFO: rule: S3649, entrypoints: 480
INFO: Visited 3221 ucfgs in 4517542 ms, 1130539 steps
INFO: rule: S3649 done

Which means S3649 takes 75 minutes to run. So by disabling this rule and the other rules that take a lot of time, the analysis will be faster.

However, our recommendation is to update to the latest SonarQube version so that you can benefit from the injection vulnerability detection rules with decent performance.

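An added example, not part of the original thread: a small Python parser that applies the reading of the log described in the reply above, summing sensor times and per-rule taint-analysis times so the slow injection rules stand out. The function names and the 10-minute threshold are assumptions; the sample lines are taken from the log excerpts quoted in this thread.

```python
import re

# Constructed sample: lines taken from the log excerpts quoted in this thread.
SAMPLE_LOG = """\
INFO: Sensor C# [csharp] (done) | time=408845ms
INFO: Sensor CSharpSecuritySensor [security]
INFO: rule: S5131, entrypoints: 8
INFO: Visited 261 ucfgs in 17359 ms, 65091 steps
INFO: rule: S3649, entrypoints: 480
INFO: Visited 3221 ucfgs in 4517542 ms, 1130539 steps
INFO: rule: S2076, entrypoints: 0
INFO: Visited 0 ucfgs in 0 ms, 0 steps
INFO: Sensor CSharpSecuritySensor [security] (done) | time=15127853ms
"""

SENSOR_RE = re.compile(r"Sensor (.+?) \(done\) \| time=(\d+)ms")
RULE_RE = re.compile(r"rule: (S\d+), entrypoints: (\d+)")
VISIT_RE = re.compile(r"Visited (\d+) ucfgs in (\d+) ms, (\d+) steps")
SECURITY_SENSOR = "CSharpSecuritySensor [security]"

def parse_timings(log_text):
    """Return (sensors, rules): dicts mapping name -> total milliseconds."""
    sensors, rules, current_rule = {}, {}, None
    for line in log_text.splitlines():
        if m := SENSOR_RE.search(line):
            # The same sensor runs once per module, so accumulate.
            sensors[m.group(1)] = sensors.get(m.group(1), 0) + int(m.group(2))
        elif m := RULE_RE.search(line):
            current_rule = m.group(1)  # the next "Visited" line belongs to it
        elif (m := VISIT_RE.search(line)) and current_rule:
            rules[current_rule] = rules.get(current_rule, 0) + int(m.group(2))
            current_rule = None
    return sensors, rules

def slow_rules(rules, threshold_min=10):
    """Rule keys slower than threshold_min minutes, slowest first."""
    ranked = sorted(rules.items(), key=lambda kv: kv[1], reverse=True)
    return [key for key, ms in ranked if ms > threshold_min * 60_000]

def unaccounted_ms(sensors, rules, sensor=SECURITY_SENSOR):
    """Sensor time not covered by the rule lines present in the log."""
    return sensors.get(sensor, 0) - sum(rules.values())

if __name__ == "__main__":
    sensors, rules = parse_timings(SAMPLE_LOG)
    for key in slow_rules(rules):
        print(f"{key}: {rules[key] / 60_000:.1f} min")
    print(f"unaccounted: {unaccounted_ms(sensors, rules) / 60_000:.1f} min")
```

On the lines quoted here, most of the CSharpSecuritySensor time is not covered by any rule line, so the full log has to be parsed before deciding which rules to disable.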