GC overhead limit exceeded

I am using VSTS, SonarCloud. I have reviewed the responses to others on this topic, and tried to adjust the parameters using different values. Also tried multiple exclusions. Any help appreciated.


Additional properties that will be passed to the scanner,

Put one key=value per line, example:


SONAR_SCANNER_OPTS=-Xmx8512m -Xms8512m -XX:MaxPermSize=1024m / sonar.ce.javaOpts =-Xmx8512m -Xms512m -XX:MaxPermSize=1024m / sonar.search.javaOpts =-Xmx8512m -Xms8512m -XX:MaxPermSize=1024m
sonar.exclusions=/*.bin,/.java,/plugins// ,/bootstrap.css,/bootstrap.js,/bootstrap//, **/jquery-ui.js, /jquery-1.10.2.js, /jquery.js,/jquery//,/jsplumb.js,/jquery.js, /fabric.js,/pdfmake.js,/inputmask.js,/xlsx.js, /datatables.js,


SonarCloudLog.txt (85.5 KB)


This is due to rule S5131 which is triggering our vulnerability analyzer.
In order to investigate this issue, could you try to share (privately if needed) what is in the directory: INFO: Reading UCFGs from: D:\a\1\.sonarqube\out\ucfg_cs2

In the meantime, as a workaround, you can deactivate the rules in the repository “Security SonarAnalyzer C#” (key roslyn.sonaranalyzer.security.cs)

Hi Nicolas… Many thanks for your response. We are on SonarCloud, so I am unable to provide what you request. I guess this is a bug, and my only option is to deactivate the rule. Is there a SonarCloud setting I could send you in place of the folder contents you request?


The files I am requesting should be available from the scanner where you are running the analysis. I read that you are using VSTS; can you get access to the folder where the analysis is running to get your hands on those files?

By the way, do you encounter this on a public or private project? (If public, maybe you can share a link to the project?)

Hello Nicolas… I reran it with that rule disabled… and now I am getting a "Java heap space" error. I have attached the log. SonarCloudLog2.txt (85.7 KB)

I am wondering if perhaps I should change some of the settings as described above.

Many thanks for your ongoing help.


Update: I was able to get it to work by disabling these rules: S1544, S2083, S2091, S5131. What is the cost of losing these rules, and what can be done to re-enable them?