- ALM used: Azure DevOps
- CI system used: Azure DevOps
- Languages of the repository: TypeScript (Angular)
The problem
We noticed that for a couple of months the SonarCloud analysis of our frontend project has been taking a lot of time (around 25-30 minutes). Looking at the logs, it appears that this is caused by the JsSecuritySensor:
17:55:30.832 INFO: Sensor JsSecuritySensor [security] (done) | time=1424049ms
As interesting as those rules are, I would like to disable them on feature branches, and only enable them on Pull Requests and long-lived branches like develop and master (we’re using a GitFlow strategy). Adding 20+ minutes to the analysis of every commit is unacceptable.
What I tried
Disabling the rules in the UI
I tried to disable one of those rules (S3649) using the SonarCloud web UI (Ignore Issues on Multiple Criteria), but it didn’t work; I can still see the rule being executed. Also, it does not meet the “disable only on feature branches” criterion.
Disabling the rules in the config file
I tried to disable the rules through my sonar config file, which would meet the “disable only on feature branches” criterion but isn’t officially supported. It didn’t work either; the rule was still running.
#############################################
# Disable some security rules we don't need #
#############################################
sonar.issue.ignore.multicriteria=e1,e2,e3,e4,e5,e6
# The frontend never accesses databases directly
################################################
# Database queries should not be vulnerable to injection attacks
sonar.issue.ignore.multicriteria.e1.ruleKey=jssecurity:S3649
sonar.issue.ignore.multicriteria.e1.resourceKey=**/*
sonar.issue.ignore.multicriteria.e2.ruleKey=pythonsecurity:S3649
sonar.issue.ignore.multicriteria.e2.resourceKey=**/*
sonar.issue.ignore.multicriteria.e3.ruleKey=roslyn.sonaranalyzer.security.cs:S3649
sonar.issue.ignore.multicriteria.e3.resourceKey=**/*
sonar.issue.ignore.multicriteria.e4.ruleKey=javasecurity:S3649
sonar.issue.ignore.multicriteria.e4.resourceKey=**/*
sonar.issue.ignore.multicriteria.e5.ruleKey=tssecurity:S3649
sonar.issue.ignore.multicriteria.e5.resourceKey=**/*
sonar.issue.ignore.multicriteria.e6.ruleKey=phpsecurity:S3649
sonar.issue.ignore.multicriteria.e6.resourceKey=**/*
As you can see, there are multiple S3649 rules, so I disabled them all just to be sure. But regardless, the rule was still executed.
Here’s why I believe the rule was still running despite the tries above:
17:34:05.060 INFO: rule: S3649, entrypoints: 686
17:34:05.060 DEBUG: Running rule jssecurity:S3649
17:34:05.061 INFO: Running symbolic analysis
17:34:05.063 DEBUG: Resource file jssecurity/sanitizers/S3649.json was not read
17:34:05.063 DEBUG: loaded 3 sanitizers for rule S3649
17:34:05.063 DEBUG: Resource file jssecurity/passthroughs/common.json was not read
17:34:05.064 DEBUG: Resource file jssecurity/passthroughs/S3649.json was not read
17:34:05.064 DEBUG: loaded 0 passthroughs for rule S3649
17:34:05.064 DEBUG: Resource file jssecurity/collectionHandlers/common.json was not read
17:34:05.064 DEBUG: Resource file jssecurity/collectionHandlers/S3649.json was not read
17:34:05.064 DEBUG: loaded 0 collectionHandlers for rule S3649
17:34:05.065 DEBUG: Resource file jssecurity/encoders/common.json was not read
17:34:05.065 DEBUG: Resource file jssecurity/encoders/S3649.json was not read
17:34:05.065 DEBUG: loaded 0 encoders for rule S3649
17:34:05.065 DEBUG: Resource file jssecurity/decoders/common.json was not read
17:34:05.065 DEBUG: Resource file jssecurity/decoders/S3649.json was not read
17:34:05.065 DEBUG: loaded 0 decoders for rule S3649
17:35:03.013 INFO: rule: S3649 done
So basically, is there a simple way (or any way) to disable every JsSecuritySensor rule while we’re on feature branches, and enable those rules during Pull Requests and on long-lived branches?