JsSecuritySensor is taking >50 minutes

I am using the Bitbucket Pipe for sonar-scanner against SonarCloud

    - step: &Build-step
        image: node:14.18.1
        size: 2x
        caches:
          - node
          - docker
        script:
          - npm rebuild
          - npm install
          - npm run test-coverage
          - pipe: sonarsource/sonarcloud-scan:1.4.0
            variables:
              SONAR_TOKEN: ${SONAR_TOKEN}
              EXTRA_ARGS: '-Dsonar.sources=controllers,utils,schemas,services -Dsonar.test.inclusions=**/tests/** -Dsonar.exclusions=node_modules/** -Dsonar.projectBaseDir=/opt/atlassian/pipelines/agent/build/ -Dsonar.cpd.exclusions=**/* -Dsonar.scm.provider=git -Dsonar.eslint.reportPaths=eslint-report.json -Dsonar.javascript.lcov.reportPaths=coverage/lcov.info'

And this is where it ends up

```
INFO: 10:02:32.094159 Building Runtime Type propagation graph
INFO: 10:02:32.406955 Running Tarjan on 53819 nodes
INFO: 10:02:32.476709 Tarjan found 53805 components
INFO: 10:02:32.612284 Variable type analysis: done
INFO: 10:02:32.614801 Building Runtime Type propagation graph
INFO: 10:02:33.005223 Running Tarjan on 53819 nodes
INFO: 10:02:33.056775 Tarjan found 53805 components
INFO: 10:02:33.171646 Variable type analysis: done
INFO: Analyzing 6114 ucfgs to detect vulnerabilities.
INFO: Taint analysis starting. Entrypoints: 364
INFO: Running symbolic analysis for 'JS'
INFO: High simulation costs for sink in /opt/atlassian/pipelines/agent/build/services/file-service.js:532. Stop analysing this sink.
INFO: High simulation costs for sink in /opt/atlassian/pipelines/agent/build/services/document-generator-helper.js:166. Stop analysing this sink.
INFO: Taint analysis: done.
INFO: Sensor JsSecuritySensor [security] (done) | time=2493189ms
```

What does “Stop analysing this sink” mean, and how do I do this? I presume this is the cause.

Ran in debug and I get a lot of these lines:
`14:44:19.500 DEBUG: Large history size (346) while concatenating flows.`
Also disabled the rules which trigger taint analysis, but that didn’t seem to help with scan time.
This is a private Bitbucket repo, so let me know what I should look out for.
Update: I also added the 2 files to exclusions. Duration came down a couple of minutes, but JsSecuritySensor is still an issue. I’ve also switched to sonar-scanner since cache isn’t supported in pipes.

I’ve disabled all vulnerability rules and the scan time is 2 minutes. My codebase is 82k lines of code so 50 minutes seems excessive, and I don’t have an alternate solution.
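The two signals worth pulling out of a full scanner log are the per-sensor `(done) | time=` lines (to confirm which sensor owns the wall time) and the `High simulation costs for sink in <file>:<line>` lines (to see which files the security analyzer gave up on). The script below does that triage. It is an added example, not code from this thread or from SonarSource; the sample log is constructed from the excerpt above plus one extra sensor line so there is something to compare against, and the 10-minute threshold and the suggested `sonar.exclusions` value are this script's own choices.

```python
"""Triage a sonar-scanner log: which sensors dominated wall time, and which
sinks tripped the security analyzer's cost failsafe.

Added example, not part of the original thread or of SonarSource's tooling.
SAMPLE_LOG is constructed from the excerpt in the thread, with one extra
sensor line added for comparison.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
INFO: Sensor JavaScript analysis [javascript] (done) | time=118420ms
INFO: Analyzing 6114 ucfgs to detect vulnerabilities.
INFO: Taint analysis starting. Entrypoints: 364
INFO: Running symbolic analysis for 'JS'
INFO: High simulation costs for sink in /opt/atlassian/pipelines/agent/build/services/file-service.js:532. Stop analysing this sink.
INFO: High simulation costs for sink in /opt/atlassian/pipelines/agent/build/services/document-generator-helper.js:166. Stop analysing this sink.
INFO: High simulation costs for sink in /opt/atlassian/pipelines/agent/build/services/file-service.js:610. Stop analysing this sink.
INFO: Taint analysis: done.
INFO: Sensor JsSecuritySensor [security] (done) | time=2493189ms
"""

# Shape of the lines shown in the thread: "Sensor <name> [<plugin>] (done) | time=<ms>ms"
SENSOR_RE = re.compile(
    r"Sensor (?P<name>.+?) \[(?P<plugin>[^\]]+)\] \(done\) \| time=(?P<ms>\d+)ms"
)
# "High simulation costs for sink in <absolute path>:<line>. Stop analysing this sink."
SINK_RE = re.compile(
    r"High simulation costs for sink in (?P<path>\S+?):(?P<line>\d+)\. Stop analysing this sink\."
)


def sensor_times(log: str) -> Dict[str, int]:
    """Map sensor name -> milliseconds reported on its '(done)' line."""
    return {m.group("name"): int(m.group("ms")) for m in SENSOR_RE.finditer(log)}


def expensive_sinks(log: str, base_dir: str) -> Dict[str, List[int]]:
    """Map project-relative file -> sorted sink lines that hit the failsafe.

    base_dir is the sonar.projectBaseDir the scanner ran with; it is stripped
    so the result can be dropped straight into sonar.exclusions.
    """
    prefix = base_dir.rstrip("/") + "/"
    sinks: Dict[str, List[int]] = defaultdict(list)
    for m in SINK_RE.finditer(log):
        path = m.group("path")
        if path.startswith(prefix):
            path = path[len(prefix):]
        sinks[path].append(int(m.group("line")))
    return {p: sorted(lines) for p, lines in sinks.items()}


def slow_sensors(times: Dict[str, int], threshold_ms: int) -> List[Tuple[str, int]]:
    """Sensors at or above the threshold, slowest first."""
    return sorted(
        ((name, ms) for name, ms in times.items() if ms >= threshold_ms),
        key=lambda item: -item[1],
    )


def exclusion_pattern(sinks: Dict[str, List[int]]) -> str:
    """Comma-separated sonar.exclusions value for the files that tripped the failsafe."""
    return ",".join(sorted(sinks))


def triage(log: str, base_dir: str, threshold_ms: int = 10 * 60 * 1000) -> str:
    """Human-readable summary; the 10-minute default threshold is an arbitrary choice."""
    out = []
    for name, ms in slow_sensors(sensor_times(log), threshold_ms):
        out.append(f"slow sensor: {name} took {ms / 60000:.1f} min")
    sinks = expensive_sinks(log, base_dir)
    for path, lines in sorted(sinks.items()):
        out.append(f"costly sinks: {path} at lines {', '.join(map(str, lines))}")
    if sinks:
        out.append(f"candidate -Dsonar.exclusions={exclusion_pattern(sinks)}")
    return "\n".join(out)


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "/opt/atlassian/pipelines/agent/build/"))
```

Run it against the real log by reading the file into `triage()` with the same `sonar.projectBaseDir` you pass to the scanner. Two caveats: `sonar.exclusions` removes a file from every rule, not only from the security sensor, so it is a triage aid rather than a fix; and, as the update above already found, excluding the files named in the failsafe messages only shaved a couple of minutes, so the sensor time is not explained by those two sinks alone.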

Hello Michael,

Thanks for reporting this!
Indeed, such an increase in time is definitely excessive.

This is an info message, indicating that the given file has a high impact on the security analysis. It will automatically stop the analysis for this given sink: this is a failsafe to avoid spending too much time on a single method of the project.

We’ve investigated some performance issues recently, and we have identified a bottleneck in the security analysis. We are currently in the process of releasing a new version, which will be deployed on SonarCloud in the coming days.

In case this fix does not solve your problem, would you be willing to share the content of the .sonar analysis folder? That would allow us to investigate precisely what is causing this excessive increase in time for your analysis.

Best,
-Christophe


I’m not comfortable sharing, since what we’re analyzing is proprietary.
I’ll try again with your new version updates and post any update here.