.NET build with GitHub Actions very slow - CA2100 check seems to be slow

Since September 8th our SonarCloud GitHub Action slowed down remarkably. Before it was ~10 mins, since then it’s 30-40 mins. In early September we did not change any rules.

We made a few runs with detailed logs using these commands:

          dotnet sonarscanner begin /k:"***" /o:"***" /d:sonar.login="${{ secrets.SONAR_TOKEN }}" /d:sonar.host.url="https://sonarcloud.io"
          dotnet build -p:reportanalyzer=true -v:diag
          dotnet sonarscanner end /d:sonar.login="${{ secrets.SONAR_TOKEN }}"

Here is a snippet from the logs:

    2023-11-07T16:31:57.7451313Z                      Microsoft (R) Visual C# Compiler version 4.7.0-3.23465.3 (b5c9211b) (TaskId:1975)
    2023-11-07T16:31:57.7496766Z                      Copyright (C) Microsoft Corporation. All rights reserved. (TaskId:1975)
    2023-11-07T16:31:57.8220439Z 16:31:57.683  5:17>CSC : warning S3904: Provide an 'AssemblyVersion' attribute for assembly 'ABC.Data'. (https://rules.sonarsource.com/csharp/RSPEC-3904) [/home/runner/work/ABC/ABC/ABC.Data/ABC.Data.csproj]
    2023-11-07T16:31:57.8252727Z                      NOTE: Elapsed time may be less than analyzer execution time because analyzers can run concurrently. (TaskId:1975)
    2023-11-07T16:31:57.8769800Z                      Total analyzer execution time: 1020.954 seconds. (TaskId:1975)
    2023-11-07T16:31:57.8782175Z                      Time (s)    %   Analyzer (TaskId:1975)
    2023-11-07T16:31:57.8796587Z                      995.222   97   Microsoft.CodeAnalysis.NetAnalyzers, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35 (TaskId:1975)
    2023-11-07T16:31:57.8825829Z                      978.075   95      Microsoft.NetCore.Analyzers.Data.ReviewSqlQueriesForSecurityVulnerabilities (CA2100) (TaskId:1975)
    2023-11-07T16:31:57.8843632Z                      8.829   <1      Microsoft.NetCore.Analyzers.Runtime.DisposeObjectsBeforeLosingScope (CA2000) (TaskId:1975)
    2023-11-07T16:31:57.8855764Z                      2.024   <1      Microsoft.CodeQuality.Analyzers.QualityGuidelines.ValidateArgumentsOfPublicMethods (CA1062) (TaskId:1975)
    2023-11-07T16:31:57.8864549Z                      0.788   <1      Microsoft.NetCore.Analyzers.Security.DoNotCallDangerousMethodsInDeserialization (CA5360) (TaskId:1975)
    2023-11-07T16:31:57.8879008Z                      0.632   <1      Microsoft.NetCore.Analyzers.Runtime.UseAsyncMethodInAsyncContext (CA1849) (TaskId:1975)
    /* there are a lot more lines here, but every Analyzer needs less than 1 sec to run */

This project only uses C#, we are currently on .NET 6.
Unfortunately, we didn’t have detailed logs before we started to experience this issue.

The interesting thing is that I could not find any information about Microsoft.CodeAnalysis.NetAnalyzers, we could only find the 7.0.4, even though we also checked the prerelease variants.
We are always using the newest dotnet-sonarscanner.
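
The per-rule timings in a `-p:reportanalyzer=true -v:diag` log like the one above can be ranked mechanically, so a slowdown is reported as a rule ID rather than as a longer build. This is an added example, not code from the original posts: the function names and the 25% threshold are assumptions, and the sample lines are copied from the log above.

```python
import re

# Sample input: timing lines copied from the analyzer report quoted in the post.
SAMPLE_LOG = """\
2023-11-07T16:31:57.8769800Z                      Total analyzer execution time: 1020.954 seconds. (TaskId:1975)
2023-11-07T16:31:57.8782175Z                      Time (s)    %   Analyzer (TaskId:1975)
2023-11-07T16:31:57.8796587Z                      995.222   97   Microsoft.CodeAnalysis.NetAnalyzers, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35 (TaskId:1975)
2023-11-07T16:31:57.8825829Z                      978.075   95      Microsoft.NetCore.Analyzers.Data.ReviewSqlQueriesForSecurityVulnerabilities (CA2100) (TaskId:1975)
2023-11-07T16:31:57.8843632Z                      8.829   <1      Microsoft.NetCore.Analyzers.Runtime.DisposeObjectsBeforeLosingScope (CA2000) (TaskId:1975)
2023-11-07T16:31:57.8855764Z                      2.024   <1      Microsoft.CodeQuality.Analyzers.QualityGuidelines.ValidateArgumentsOfPublicMethods (CA1062) (TaskId:1975)
"""

# Rule rows look like "<seconds> <percent> <analyzer type> (<rule id>)".
# Assembly rows ("..., Version=, Culture=...") carry no rule id and are skipped,
# so a rule's time is not counted twice.
RULE_LINE = re.compile(
    r"\s(?P<secs>\d+(?:\.\d+)?)\s+<?\d+\s+(?P<name>[\w.]+)\s+\((?P<rule>[A-Z]+\d+)\)"
)
TOTAL_LINE = re.compile(r"Total analyzer execution time: (?P<secs>[\d.]+) seconds")


def rule_times(log_text):
    """Sum per-rule seconds and reported totals across every compile task in the log."""
    per_rule, total = {}, 0.0
    for line in log_text.splitlines():
        m = TOTAL_LINE.search(line)
        if m:
            total += float(m["secs"])
            continue
        m = RULE_LINE.search(line)
        if m:
            per_rule[m["rule"]] = per_rule.get(m["rule"], 0.0) + float(m["secs"])
    return per_rule, total


def dominant_rules(log_text, share=0.25):
    """Rules using more than `share` of total analyzer time, slowest first."""
    per_rule, total = rule_times(log_text)
    if total == 0:
        return []  # no analyzer report in this log (reportanalyzer not enabled)
    hits = [(r, s, s / total) for r, s in per_rule.items() if s / total > share]
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    for rule, secs, frac in dominant_rules(SAMPLE_LOG):
        print(f"{rule}: {secs:.1f}s ({frac:.0%} of analyzer time)")
```

Analyzer times are summed CPU time and, as the log itself notes, can exceed wall-clock time because analyzers run concurrently; the ranking is what matters, not the absolute figure.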

Hey there.

CA2100 is written by Microsoft – and shouldn’t be enabled by Sonar (unless I really misunderstand our implementation). Is this a rule that might be enabled via a .ruleset file you have for your project?

I’m not aware that we have a ruleset file; just to be sure, I attach our GitHub action in full:

    name: Sonarcloud
    on:
      # ... (event and filter keys are missing from the post; only this path entry survives)
          - 'ABC/Database/**'
    jobs:
      # ... (job id is missing from the post)
        name: Sonarcloud
        runs-on: ubuntu-latest
        steps:
          - name: Set up JDK 17
            uses: actions/setup-java@v3
            with:
              distribution: 'zulu'
              java-version: '17'
          - uses: actions/checkout@v4
            with:
              fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
          - name: Cache SonarCloud packages
            uses: actions/cache@v3
            with:
              path: ~/.sonar/cache
              key: ${{ runner.os }}-sonar
              restore-keys: ${{ runner.os }}-sonar
          - name: Install SonarCloud scanner
            run: |
              dotnet tool install --global dotnet-sonarscanner
          - name: Build and analyze
            env:
              GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
              SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
            run: |
              dotnet sonarscanner begin /k:"***" /o:"***" /d:sonar.login="${{ secrets.SONAR_TOKEN }}" /d:sonar.host.url="https://sonarcloud.io"
              dotnet build
              dotnet sonarscanner end /d:sonar.login="${{ secrets.SONAR_TOKEN }}"

What we do have is a .editorconfig file, but I suspect it has nothing to do with SonarCloud.
Also, we have a custom profile for C#, can this cause the long build time?

Once again, I really think the issue boils down to this Microsoft analyzer which is not being used by SonarCloud (it just so happens that SonarCloud wraps the build step).

  • It looks like a new version of Microsoft.CodeAnalysis.NetAnalyzers has been released (v8.0.0). Is this being used now? Do you still face the performance issue?
  • Does the longer build time go away if you remove the SonarCloud steps (dotnet sonarscanner begin and dotnet sonarscanner end)?

We have a separate GitHub Action which builds the solution and then runs the tests. The build there takes ~4mins.

In the meantime, we changed to a bigger GitHub runner (the previous “Standard” one was 2 cores, 7GB RAM, Ubuntu 22 LTS; the new one is 4 cores, 16GB RAM and Ubuntu 22 LTS). Now the action takes ~10 minutes.

Hello @Laszlo,

I confirm that CA2100 is not related to the sonar analysis. Maybe it is activated through some setting in the build step: Code analysis in .NET | Microsoft Learn