Java Scan - slow performance caused by JavaSecuritySensor / "security" - disable?

We’re using 10.3 Enterprise. Our largest java app (775k LOC, Spring Boot 3 API, JDK 17) takes over 30min to scan and 1/3rd of the time is JavaSecuritySensor (2nd place: dbd, of course).

I attempted to disable with <sonar.internal.analysis.security>false</sonar.internal.analysis.security> but it had no effect. We’re using Maven to scan. Other Sonar options set in the pom.xml are working.

As for general performance boosts, I’ve also lowered the Java scan settings for the project in the Sonar UI. Plus, I set this in the pom: <sonar.java.experimental.batchModeSizeInKB>1024</sonar.java.experimental.batchModeSizeInKB>.

Advice?

Hi,

Are you seeing these timings during PR analysis or during full branch analysis?

Because PR analysis should be pretty speedy since it’s limited to only the files that changed. I wouldn’t try to disable any of the sensors. But if you feel you really must, then the way to do this is to remove the relevant rules from your profile. Once they’re all turned off, that will keep the sensor from running.

HTH,
Ann

They are both the same speed, and the PR scan appears to be set up correctly for doing a subset of the work.

Darn, that’s too bad we have to deactivate each rule to skip the entire group, unlike scans like ‘dbd’.

Hi,

Has the underlying branch been analyzed? Can you share your analysis log?

The analysis / scanner log is what’s output from the analysis command. Hopefully, the log you provide - redacted as necessary - will include that command as well.

This guide will help you find them.

Ann