Setup details from /api/system/info
```
"System": {
"Version": "10.6.0.92116",
"Edition": "Enterprise",
"Container": true,
"High Availability": false,
"Official Distribution": true,
"Force authentication": true,
"Home Dir": "/opt/sonarqube",
"Data Dir": "/opt/sonarqube/data",
"Temp Dir": "/opt/sonarqube/temp",
"Processors": 4
},
"Bundled": {
"cayc": "2.3.0.1782 [Clean as You Code]",
"iac": "1.31.0.10579 [IaC Code Quality and Security]",
"plsql": "3.13.0.6725 [PL/SQL Code Quality and Security]",
"sonarscala": "1.15.0.4655 [Scala Code Quality and Security]",
"csharp": "9.27.0.93347 [C# Code Quality and Security]",
"jcl": "1.2.0.1148 [JCL Code Quality]",
"security": "10.6.0.31509 [Vulnerability Analysis]",
"java": "8.0.1.36337 [Java Code Quality and Security]",
"web": "3.16.0.5274 [HTML Code Quality and Security]",
"flex": "2.12.0.4568 [Flex Code Quality and Security]",
"xml": "2.10.0.4108 [XML Code Quality and Security]",
"text": "2.12.1.2905 [Text Code Quality and Security]",
"vbnet": "9.27.0.93347 [VB.NET Code Quality and Security]",
"swift": "4.12.0.7262 [Swift Code Quality and Security]",
"cpp": "6.56.0.72172 [CFamily Code Quality and Security]",
"python": "4.19.0.15616 [Python Code Quality and Security]",
"dbdpythonfrontend": "1.28.0.9315 [Dataflow Bug Detection Rules for Python]",
"dbd": "1.28.0.9315 [Dataflow Bug Detection]",
"go": "1.15.0.4655 [Go Code Quality and Security]",
"jacoco": "1.3.0.1538 [JaCoCo]",
"kotlin": "2.20.0.4382 [Kotlin Code Quality and Security]",
"rpg": "3.9.0.5001 [RPG Code Quality]",
"dbdjavafrontend": "1.28.0.9315 [Dataflow Bug Detection Rules for Java]",
"pli": "1.15.0.4810 [PL/I Code Quality and Security]",
"tsql": "1.13.0.7207 [T-SQL Code Quality and Security]",
"vb": "2.13.0.5130 [VB6 Code Quality and Security]",
"sonarapex": "1.15.0.4655 [Apex Code Quality and Security]",
"javascript": "10.14.0.26080 [JavaScript/TypeScript/CSS Code Quality and Security]",
"ruby": "1.15.0.4655 [Ruby Code Quality and Security]",
"securitycsharpfrontend": "10.6.0.31509 [Vulnerability Rules for C#]",
"securityjavafrontend": "10.6.0.31509 [Vulnerability Rules for Java]",
"textenterprise": "2.12.1.2905 [Text Code Quality and Security]",
"cfamilydependencies": "6.56.0.72172 [CFamily dependencies provider]",
"securityjsfrontend": "10.6.0.31509 [Vulnerability Rules for JS]",
"cobol": "5.7.0.8061 [COBOL Code Quality]",
"securitypythonfrontend": "10.6.0.31509 [Vulnerability Rules for Python]",
"php": "3.36.0.11813 [PHP Code Quality and Security]",
"abap": "3.14.0.5470 [ABAP Code Quality and Security]",
"securityphpfrontend": "10.6.0.31509 [Vulnerability Rules for PHP]",
"javasymbolicexecution": "8.0.1.36337 [Java Advanced Code Quality Analyzer]"
}
```
Hello,
I am looking into the JavaSecurityScanner and I can see that “reporting issues” takes quite some time. Is this amount of time expected? Should it be faster?
Log
```
2024-09-13T09:40:32.850+0200 [INFO] [org.sonarqube.gradle.SonarTask] java security sensor: Time spent was 00:00:53.088
2024-09-13T09:40:32.851+0200 [INFO] [org.sonarqube.gradle.SonarTask] java security sensor: Begin: 2024-09-13T07:39:39.761786696Z, End: 2024-09-13T07:40:32.850700940Z, Duration: 00:00:53.088
Load type hierarchy and UCFGs: Begin: 2024-09-13T07:39:39.763110340Z, End: 2024-09-13T07:39:44.334987057Z, Duration: 00:00:04.571
Load type hierarchy: Begin: 2024-09-13T07:39:39.763158076Z, End: 2024-09-13T07:39:40.345554645Z, Duration: 00:00:00.582
Load UCFGs: Begin: 2024-09-13T07:39:40.345842950Z, End: 2024-09-13T07:39:44.334863522Z, Duration: 00:00:03.989
Check cache: Begin: 2024-09-13T07:39:44.335029977Z, End: 2024-09-13T07:39:44.335250500Z, Duration: 00:00:00.000
Load cache: Begin: 2024-09-13T07:39:44.335044407Z, End: 2024-09-13T07:39:44.335083030Z, Duration: 00:00:00.000
Create runtime call graph: Begin: 2024-09-13T07:39:44.335301729Z, End: 2024-09-13T07:39:50.268536465Z, Duration: 00:00:05.933
Variable Type Analysis #1: Begin: 2024-09-13T07:39:44.335818953Z, End: 2024-09-13T07:39:47.681329088Z, Duration: 00:00:03.345
Create runtime type propagation graph: Begin: 2024-09-13T07:39:44.336466358Z, End: 2024-09-13T07:39:46.580191232Z, Duration: 00:00:02.243
Run SCC (Tarjan) on 400112 nodes: Begin: 2024-09-13T07:39:46.581489237Z, End: 2024-09-13T07:39:46.965751206Z, Duration: 00:00:00.384
Propagate runtime types to strongly connected components: Begin: 2024-09-13T07:39:46.965920801Z, End: 2024-09-13T07:39:47.681175904Z, Duration: 00:00:00.715
Variable Type Analysis #2: Begin: 2024-09-13T07:39:47.684247375Z, End: 2024-09-13T07:39:50.233662126Z, Duration: 00:00:02.549
Create runtime type propagation graph: Begin: 2024-09-13T07:39:47.684294867Z, End: 2024-09-13T07:39:49.374612387Z, Duration: 00:00:01.690
Run SCC (Tarjan) on 399188 nodes: Begin: 2024-09-13T07:39:49.374748509Z, End: 2024-09-13T07:39:49.694508567Z, Duration: 00:00:00.319
Propagate runtime types to strongly connected components: Begin: 2024-09-13T07:39:49.694658235Z, End: 2024-09-13T07:39:50.233571297Z, Duration: 00:00:00.538
Load config: Begin: 2024-09-13T07:39:50.268640994Z, End: 2024-09-13T07:39:50.816760922Z, Duration: 00:00:00.548
Compute entry points: Begin: 2024-09-13T07:39:50.816840860Z, End: 2024-09-13T07:40:02.980222954Z, Duration: 00:00:12.163
Slice call graph: Begin: 2024-09-13T07:40:02.980521816Z, End: 2024-09-13T07:40:03.067095711Z, Duration: 00:00:00.086
Live variable analysis: Begin: 2024-09-13T07:40:03.067219799Z, End: 2024-09-13T07:40:03.290954154Z, Duration: 00:00:00.223
Taint analysis for java: Begin: 2024-09-13T07:40:03.291250558Z, End: 2024-09-13T07:40:04.281557254Z, Duration: 00:00:00.990
Report issues: Begin: 2024-09-13T07:40:04.281620911Z, End: 2024-09-13T07:40:32.272425028Z, Duration: 00:00:27.990
Store cache: Begin: 2024-09-13T07:40:32.272528626Z, End: 2024-09-13T07:40:32.848858072Z, Duration: 00:00:00.576
2024-09-13T09:40:32.851+0200 [INFO] [org.sonarqube.gradle.SonarTask] java security sensor peak memory: 5976 MB
2024-09-13T09:40:32.851+0200 [DEBUG] [org.sonarqube.gradle.SonarTask] Debug information:
Merging block summaries: Invocations: 11867, Total: 00:00:00.032, Average: 00:00:00.000, Min: 00:00:00.000, Max: 00:00:00.000
Merging generic summary data: Invocations: 11867, Total: 00:00:00.008, Average: 00:00:00.000, Min: 00:00:00.000, Max: 00:00:00.000
Merging variable flows: Invocations: 11867, Total: 00:00:00.017, Average: 00:00:00.000, Min: 00:00:00.000, Max: 00:00:00.000
Apply callee summaries: Invocations: 10624, Total: 00:00:00.299, Average: 00:00:00.000, Min: 00:00:00.000, Max: 00:00:00.007
Clone callee summaries: Invocations: 10624, Total: 00:00:00.104, Average: 00:00:00.000, Min: 00:00:00.000, Max: 00:00:00.007
Apply field writes: Invocations: 10624, Total: 00:00:00.067, Average: 00:00:00.000, Min: 00:00:00.000, Max: 00:00:00.001
Apply array writes: Invocations: 10624, Total: 00:00:00.021, Average: 00:00:00.000, Min: 00:00:00.000, Max: 00:00:00.000
Apply parameter by reference writes: Invocations: 10624, Total: 00:00:00.001, Average: 00:00:00.000, Min: 00:00:00.000, Max: 00:00:00.000
Assigning return values: Invocations: 10549, Total: 00:00:00.078, Average: 00:00:00.000, Min: 00:00:00.000, Max: 00:00:00.001
Processing uncalled functions: Invocations: 75, Total: 00:00:00.018, Average: 00:00:00.000, Min: 00:00:00.000, Max: 00:00:00.002
2024-09-13T09:40:32.851+0200 [INFO] [org.sonarqube.gradle.SonarTask] Sensor JavaSecuritySensor [security] (done) | time=53117ms
```
→ Report Issues takes half the time with 27 seconds.
Also, the log output is talking about caching. Is there something that can be configured? Where is this cache located for the JavaSecurityScanner?
Note: Not sure if I should have split the threads or just posted in one, but as it affects a different scanner, I’ve opted to separate them. If preferred, the discussion can also be combined. See: JavaBugs [dbd] duration (slow?)
Thanks,
Patrick