Hello @anon67236913,
Thanks for the feedback and for pushing the “Scanner for Jenkins” ticket (it got lost in our backlog, as it was incorrectly not tagged with the “performance” tag).
Our current plans to make performance better are:
- analyze only the changed files in a PR, so you don’t need to re-analyze all the lines of code of your repo for each PR. This will come first on SonarCloud and will be gradually ported to SonarQube.
- allow each analyzer to benefit from all the cores of your CPUs: today it’s useless to have a monster machine with a lot of cores, since SonarSource analyzers use only one.
  - this is already possible for CFamily languages (Multithreaded Code Scan) and .NET (Improving Performance)
Also, just in case, here are some recommendations to get the best performance available as of now:
- make sure you run the scan on a Linux machine: you can get up to a 50% improvement compared to a Windows box
- if you have no choice and must use a Windows build agent, deactivate Windows Defender on that machine while running the scan
- run the scan with JDK 11+ (better performance compared to JDK 8)
- run the latest version of SonarQube (9.1+), especially if you are running a Commercial Edition: we made huge improvements to the security taint analyzer on SQ DE+.
Alex