My project scanning time got increased suddenly with huge time difference

I’m not a Linux admin so I can’t tell you too much more. Are you sharing this SonarQube server with other applications? That is not recommended since SonarQube should have a dedicated resource/machine of its own. You can try SonarQube on its own server and make sure it can upgrade first to confirm that.

Can you find out how many actual files are opened? Make sure to start with a clean “slate” and make sure no other Java/non-essential processes are running before you start: kill -9 $(pgrep -f "java")

@Joe

Thanks for the update. We are using a dedicated machine for running Sonar.

Before starting this upgrade I even tried rebooting the machine to make sure all open files are closed.

We used to have 67 open files before I started the upgrade.

Let me know if you want me to create a separate topic.

Thanks,
Sunil Palugula

@Joe I was successfully able to upgrade to the latest LTS version after updating to the values below.

sysctl -w vm.max_map_count=786432
sysctl -w fs.file-max=262144
ulimit -n 262144
ulimit -u 12288

Thanks,
Sunil Palugula

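The values in the post above are higher than the minimums SonarQube documents for its embedded Elasticsearch (vm.max_map_count >= 524288, fs.file-max >= 131072, open files >= 131072, user processes >= 8192). The script below is an added example, not code from the thread or from SonarSource: it compares a host against those minimums, and the open_fds helper answers the earlier "how many actual files are opened" question for a running process. It assumes a Linux host with /proc; the sample values in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): compare a host's kernel and per-user
# limits with the minimums SonarQube documents for its bundled Elasticsearch:
#   vm.max_map_count >= 524288, fs.file-max >= 131072,
#   open files (ulimit -n) >= 131072, user processes (ulimit -u) >= 8192.

# check_limit NAME ACTUAL MINIMUM: prints one line, returns 1 if ACTUAL is too low.
# "unlimited" (possible for ulimit -u as root) is treated as sufficient.
check_limit() {
    if [ "$2" = unlimited ] || [ "$2" -ge "$3" ]; then
        printf 'OK   %-18s %8s (min %s)\n' "$1" "$2" "$3"
        return 0
    fi
    printf 'LOW  %-18s %8s (min %s)\n' "$1" "$2" "$3"
    return 1
}

# check_all MAX_MAP_COUNT FILE_MAX NOFILE NPROC: returns the number of limits
# that are below the documented minimum (0 means the host is ready).
check_all() {
    failures=0
    check_limit vm.max_map_count "$1" 524288 || failures=$((failures + 1))
    check_limit fs.file-max      "$2" 131072 || failures=$((failures + 1))
    check_limit 'ulimit -n'      "$3" 131072 || failures=$((failures + 1))
    check_limit 'ulimit -u'      "$4" 8192   || failures=$((failures + 1))
    return "$failures"
}

# check_host: read the live values (Linux /proc) for the current shell and user.
check_host() {
    check_all "$(cat /proc/sys/vm/max_map_count)" \
              "$(cat /proc/sys/fs/file-max)" \
              "$(ulimit -n)" "$(ulimit -u)"
}

# open_fds PID: number of file descriptors PID currently holds (Linux /proc).
# Compare it with the per-process "Max open files" in /proc/PID/limits, which
# is what ulimit -n governs; fs.file-max is the system-wide ceiling.
open_fds() {
    ls /proc/"$1"/fd | wc -l
}

# Example calls (constructed values):
#   check_all 786432 262144 262144 12288   -> four OK lines, returns 0
#   check_all 65530 131072 1024 8192       -> two LOW lines, returns 2
#   open_fds "$(pgrep -f sonar | head -n 1)" -> descriptors held by the SonarQube process
```

Two caveats worth knowing when applying the values from the post: sysctl -w changes do not survive a reboot (put them in a file under /etc/sysctl.d to persist them), and ulimit -n / ulimit -u apply only to the shell they are run in, so a SonarQube started by systemd needs LimitNOFILE= and LimitNPROC= in its unit file rather than a ulimit in an interactive session.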

Hi @Palugula_Sunil ,

Sorry for missing your last message. Thanks for letting me know! Glad it finally worked!

Now, please test your project scan on 8.9 LTS and attach the debug logs from the Sonar scanner, and I can check to see what we can do to improve its performance/time.

Joe

Hi @Joe

After the upgrade I scanned our project using the non-prod Sonar server, but there seems to be some issue with the analysis when compared to our production server. Can you please review the attached log and let us know if you notice any issue with scanning.

Note: I have removed all PII from the log attached.

Thanks,
Sunil Palugula

Hi @Palugula_Sunil ,

Thanks for sharing the logs. Here’s my observations:

  • build 17-May-2021 05:38:27 [WARNING] Missing blame information for the following files
    Many files are missing blame information because they were not git committed. Please remove the changes to these files or git commit them.
  • build 17-May-2021 03:32:54 [ERROR] CSS rules were not executed. Error when running: 'node -v'. Is Node.js available during analysis?
    The CSS files were not scanned. Make sure Node.js is available by setting sonar.nodejs.executable to its location. Otherwise, exclude these .css files.
  • build 17-May-2021 04:04:42 [WARNING] Invalid character encountered in file /u01/BambooAWSAgent/xml-data/build-dir/V3SONAR-VSTSONAR-JOB1/benefits/src/com/vitechinc/gcore/documents/services/DocsRpcServiceImpl.java at line 1736 for encoding UTF-8. Please fix file content or configure the encoding to be used using property 'sonar.sourceEncoding'.
    There are several files (just search “Invalid character encountered” in the log) that have bad characters in it. Follow the instruction: either fix the content or configure encoding of the file.
  • build 17-May-2021 03:18:33 [INFO] Quality profile for java: Vitech Quality Profile SecurityHotspot and OWASP - Criticals and Blockers
    What is your quality profile consisting of? Are vulnerability and security hotspot rules removed or which ones do you have activated? Do you mind sharing your quality profile backup file?

Analysis of performance:

  • The majority of time spent on your analysis is in 2 sensors/analyzers:
    • Sensor JavaSquidSensor
      This sensor consists of the “Java Main Files AST Scan”. The majority of your time is spent in the “V3 Product” module. You should review exclusions/inclusions for all your modules and make sure only the files you need are scanned. Also check the [INFO] Slowest analyzed files: lines in the logs, which show you which file had the longest analysis time, and check which issues/rules were active in that file. Then you can decide to deactivate specific rules if you don’t feel they are necessary, to help reduce analysis time.
    • FindBugs Sensor
      FindBugs is a 3rd party plugin so I can’t comment on how to optimize it. From what I see, FindBugs is taking up a lot of time, so you should optimize what rules you have activated here or disable it entirely.
  • Total about ~5.3hr, with the majority of time in “V3 Product” and “Rest API” (~2.5hr each).

Here are my tips for further optimization:

  • Pass MAVEN_OPTS=-Xmx8g or similar value of your choosing (see here). This will help provide more heap space in case your scan fails for memory issue.
  • For V3 Product and Rest API modules, you should separate them into separate SonarQube projects so that you can run your whole project and scan in parallel. Similar to the concept of monorepo. Use separate projectKey, projectName, sonar.inclusions, sonar.test.inclusions and scan just that particular module.
  • Deactivate specific rules based on commonality of issues scanned in Slowest analyzed files logs.
  • Pass -X to get debug logs and see if you can extract more detailed information.

Joe
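The observation above comes from reading the per-sensor timing lines the scanner prints. The script below is an added example, not code from the thread or from SonarSource: it sums each sensor's time across all modules and prints the share of the total, so the split between JavaSquidSensor and FindBugs is visible at a glance. The log lines in sample_log are constructed to mimic the scanner's "Sensor X [plugin] (done) | time=Nms" output with the Bamboo prefix seen in this thread; the timings are invented.

```shell
#!/bin/sh
# Added example (not from the thread): rank scanner sensors by total time from a
# scanner log, summing each sensor over every module so its share of the whole
# analysis is visible. The sample lines are constructed; timings are invented.

sample_log() {
    cat <<'EOF'
build 17-May-2021 03:18:33 [INFO] -------------  Run sensors on module V3 Product
build 17-May-2021 03:18:40 [INFO] Sensor JavaSquidSensor [java] (done) | time=5400000ms
build 17-May-2021 04:48:40 [INFO] Sensor FindBugs Sensor [findbugs] (done) | time=2700000ms
build 17-May-2021 05:33:40 [INFO] Sensor CSS Rules [cssfamily] (done) | time=120ms
build 17-May-2021 05:33:41 [INFO] -------------  Run sensors on module Rest API
build 17-May-2021 05:33:41 [INFO] Sensor JavaSquidSensor [java] (done) | time=4800000ms
build 17-May-2021 06:53:41 [INFO] Sensor FindBugs Sensor [findbugs] (done) | time=3000000ms
EOF
}

# sensor_report: reads a scanner log on stdin and prints
#   "<total ms> ms <share of all sensor time>  <sensor>" for each sensor, slowest first.
# On a real build: sensor_report < scan.log
sensor_report() {
    awk '
        match($0, /Sensor .* \(done\) \| time=[0-9]+ms/) {
            rec = substr($0, RSTART + 7, RLENGTH - 7)   # strip the leading "Sensor "
            sub(/ \(done\) \| time=/, "\t", rec)        # now "name<TAB>NNNms"
            sub(/ms$/, "", rec)
            split(rec, f, "\t")
            ms[f[1]] += f[2]                            # sum per sensor across modules
            total    += f[2]
        }
        END {
            for (s in ms)
                printf "%10d ms %5.1f%%  %s\n", ms[s], 100 * ms[s] / total, s
        }' | sort -rn
}

# Example: sample_log | sensor_report
```

On the constructed input JavaSquidSensor accounts for about 64% of sensor time and FindBugs for about 36%, which is the shape of the split described above; the same pipeline run on the real log (with -X for debug output) tells you which sensor to tune first.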

  • We are not using Git as the repo; instead we use SVN, so we cannot commit these to Git. Moreover, we have the same missing blame error in our production server scan logs, so I assume we can ignore that error.

    Many files are missing blame information because they were not git committed. Please remove the changes to these files or git commit them.

  • Where can we verify this option ‘sonar.nodejs.executable’ on our production server? I did not find it anywhere, and moreover we did not install Node on our production server.

  • I am not aware of these profiles; I only deal with the system administrator part of Sonar. I will try to get the quality profile backup file.

  • Can you please share the Maven command to scan a single project, excluding the other modules in the project?

Thanks,
Sunil Palugula

@Joe Did you get a chance to see my previous comment?

Thanks,
Sunil Palugula

My apologies for the delay!

My mistake, thanks for clarifying. With SVN, you should still have blame information. Please check svn blame <INSERT-FILENAME> and check that the blame information is attached to the file. This is helpful for determining author information on the file for SonarQube.

You need to install Node on your production server. Usually, Sonar scanner can find your Node.js installation without defining that sonar.nodejs.executable parameter, but if the Sonar analysis still has a warning, then you can define the path to that executable with sonar.nodejs.executable. See CSS analysis for details.

There are many ways to do this, either with the maven command directly or within your pom.xml file.

In pom.xml:

<sonar.exclusions>module1/**</sonar.exclusions>

Or command line:

 mvn clean install sonar:sonar -Dsonar.projectKey=multi-master -Dsonar.login=29384729asdvba0 -Dsonar.host.url=http://localhost:9000 -Dsonar.exclusions=module1/**

@Palugula_Sunil : Since this thread has gone on long enough, I will close it. Please open a new thread with new information and/or logs to further assist you.
