Improve sonarscan time on python and java monolith repos

Hello @Rebse,

Thanks for the feedback and the push of the “Scanner for Jenkins” ticket (it got lost in our backlog, incorrectly not tagged with the “performance” tag :frowning: ).

Our current plans to make performance better are:

  • analyze only the changed files in a PR so you don’t need to re-analyze all the LOCs of your repo for each PR - this will come first on SonarCloud and will be gradually ported to SonarQube
  • allow each analyzer to benefit from all the cores of your CPU: today it’s useless to have a monster machine with a lot of cores, since SonarSource analyzers use only one

Also, just in case here are some recommendations to get the best performance available as of now:

  • make sure you run the scan on a Linux machine: you can get up to 50% improvement compared to a Windows box
  • if you have no choice and must use a Windows build agent, deactivate Windows Defender on that machine while running the scan
  • run the scan with JDK11+ (better perf compared to JDK8)
  • run the latest version of SonarQube (9.1+), especially if you are running a Commercial Edition: we made huge improvements to the security taint analyzer in SQ DE+.

Alex