HardcodedIpAddress scan takes long in sonarqube 8.9

  • sonarqube version: 8.9.0.43852
  • scanner: sonar-scanner-msbuild-5.2.1.31210-net46
  • c# analyzer plugin version: 8.22.0.31243

Trying to address the scan duration, which has spiked from 22 minutes in SonarQube 7.9.5 to over an hour in 8.9.

Investigated the following:

The overall scan duration is 1 hour and 8 minutes on SonarQube 8.9.
The rule HardcodedIpAddress takes about 50 minutes:
2949.974 79 SonarAnalyzer.Rules.CSharp.HardcodedIpAddress

But when I deactivate the (Using hardcoded IP addresses is security-sensitive) rule on SonarQube 8.9, the overall scan duration comes down to the 20-minute range.

The same overall scan takes 22 minutes on SonarQube 7.9.5 with the same rule enabled.
The same rule takes about 4 seconds there:
4.208 <1 SonarAnalyzer.Rules.CSharp.HardcodedIpAddress

Please help me address what this issue is and how can it be fixed.

I'm attaching the following 3 verbose logs as sonar-scan.zip:

7.9.5.log (22 minutes)
8.9-acitve-HardcodedIpAddress.log (50 minutes)
8.9-deactivated-HardcodedIpAddress.log (22 minutes)
SonarQubeAnalysisConfig.xml

scan-logs.zip (2.2 MB)
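The comparison above (rank the analyzer timing lines in the verbose scanner log, then diff two runs to find the rule that regressed) can be scripted. The following is an added example written for this page, not code from the original post or from SonarSource. It assumes the timing-line format visible in the two lines quoted above: elapsed seconds, a percentage (which may be printed as `<1`), then the analyzer type name as a single token, as in the analyzer execution report Roslyn emits. The log excerpts embedded in the script are constructed sample input; the `Example.Rules.*` analyzer names in them are placeholders, not real rules.

```python
import re
import sys
from collections import defaultdict

# Assumed line format, taken from the two timing lines quoted in the post:
#   <seconds> <percent or "<1"> <analyzer type name>
# e.g.  2949.974 79 SonarAnalyzer.Rules.CSharp.HardcodedIpAddress
# The analyzer name is matched as a single non-space token, so a
# per-assembly summary line whose name contains ", Version=..." is skipped
# rather than being added on top of its own per-rule lines.
TIMING_RE = re.compile(r"^\s*(\d+(?:\.\d+)?)\s+(<?\d+)\s+(\S+)\s*$")

# Constructed sample excerpts (not real logs). Only the HardcodedIpAddress
# lines are taken from the post; the Example.Rules.* names are placeholders.
OLD_LOG_SAMPLE = """\
Time (s)    %   Analyzer
      4.208   <1   SonarAnalyzer.Rules.CSharp.HardcodedIpAddress
    120.500   30   Example.Rules.ConstructedRuleA
"""

NEW_LOG_SAMPLE = """\
Time (s)    %   Analyzer
   2949.974   79   SonarAnalyzer.Rules.CSharp.HardcodedIpAddress
    125.000    3   Example.Rules.ConstructedRuleA
     20.000   <1   Example.Rules.ConstructedRuleB
"""


def parse_analyzer_timings(log_text):
    """Map each analyzer type name to the total seconds attributed to it.

    Non-matching lines (headers, MSBuild output, totals) are ignored, so the
    whole verbose scanner log can be passed in unchanged.
    """
    totals = defaultdict(float)
    for line in log_text.splitlines():
        m = TIMING_RE.match(line)
        if m:
            totals[m.group(3)] += float(m.group(1))
    return dict(totals)


def rank_analyzers(log_text, top=5):
    """Slowest analyzers first, as a list of (name, seconds)."""
    totals = parse_analyzer_timings(log_text)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:top]


def compare_logs(old_log, new_log, min_ratio=10.0, min_seconds=30.0):
    """Analyzers whose time grew at least min_ratio-fold between two runs
    and now cost at least min_seconds (the floor filters out tiny rules whose
    ratio is noise). An analyzer absent from the old run counts as 0 s.
    Returns (name, old_seconds, new_seconds), largest absolute growth first.
    """
    old = parse_analyzer_timings(old_log)
    new = parse_analyzer_timings(new_log)
    regressions = []
    for name, new_s in new.items():
        old_s = old.get(name, 0.0)
        if new_s < min_seconds:
            continue
        if old_s == 0.0 or new_s / old_s >= min_ratio:
            regressions.append((name, old_s, new_s))
    regressions.sort(key=lambda r: r[2] - r[1], reverse=True)
    return regressions


if __name__ == "__main__":
    # Usage: python rank_analyzers.py <old.log> <new.log>
    # Without arguments the constructed samples above are used.
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            old_text = f.read()
        with open(sys.argv[2], encoding="utf-8", errors="replace") as f:
            new_text = f.read()
    else:
        old_text, new_text = OLD_LOG_SAMPLE, NEW_LOG_SAMPLE

    print("Slowest analyzers in the new run:")
    for name, secs in rank_analyzers(new_text):
        print(f"  {secs:10.3f} s  {name}")
    print("Regressions versus the old run:")
    for name, old_s, new_s in compare_logs(old_text, new_text):
        print(f"  {name}: {old_s:.3f} s -> {new_s:.3f} s")
```

Run it against the two verbose logs from each SonarQube version; an analyzer that appears in the regression list while the rest of the ranking stays roughly flat is the one to disable or report, which is exactly the pattern the timings above show for HardcodedIpAddress.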

Hi @shimuel ,

Thank you for reporting this. There’s nothing you can currently do about it, except disabling the rule.

I’ve created this ticket for the issue that we should work on soon.

Pavel

Hi @shimuel ,

Does your project have something specific about string literals? For example, having a lot of them, or having a lot of them with a specific pattern that might be similar to (any kind of) IP address?

@Pavel_Mikula I can get back to you on this with more details, but the simple answer could be yes.

Thank you

Hi @shimuel ,

It seems to me that I was able to find the bottleneck, and I want you to confirm something for me if that's possible. Could you please tell me whether your source contains dictionaries with string literals? Thank you in advance!