.NET build with GitHub Actions very slow - CA2100 check seems to be slow

Laszlo · November 10, 2023, 1:26pm

Hi!
Since September 8th our SonarCloud GitHub Action slowed down remarkably. Before it was ~10 mins, since then it’s 30-40 mins. In early September we did not change any rules.

We made a few runs with detailed logs using these commands:

          dotnet sonarscanner begin /k:"***" /o:"***" /d:sonar.login="${{ secrets.SONAR_TOKEN }}" /d:sonar.host.url="https://sonarcloud.io"
          dotnet build -p:reportanalyzer=true -v:diag
          dotnet sonarscanner end /d:sonar.login="${{ secrets.SONAR_TOKEN }}"

Here is a snippet from the logs:

2023-11-07T16:31:57.7451313Z                      Microsoft (R) Visual C# Compiler version 4.7.0-3.23465.3 (b5c9211b) (TaskId:1975)
2023-11-07T16:31:57.7496766Z                      Copyright (C) Microsoft Corporation. All rights reserved. (TaskId:1975)
2023-11-07T16:31:57.8220439Z 16:31:57.683  5:17>CSC : warning S3904: Provide an 'AssemblyVersion' attribute for assembly 'ABC.Data'. (https://rules.sonarsource.com/csharp/RSPEC-3904) [/home/runner/work/ABC/ABC/ABC.Data/ABC.Data.csproj]
2023-11-07T16:31:57.8252727Z                      NOTE: Elapsed time may be less than analyzer execution time because analyzers can run concurrently. (TaskId:1975)
2023-11-07T16:31:57.8769800Z                      Total analyzer execution time: 1020.954 seconds. (TaskId:1975)
2023-11-07T16:31:57.8782175Z                      Time (s)    %   Analyzer (TaskId:1975)
2023-11-07T16:31:57.8796587Z                      995.222   97   Microsoft.CodeAnalysis.NetAnalyzers, Version=7.0.8.35404, Culture=neutral, PublicKeyToken=31bf3856ad364e35 (TaskId:1975)
2023-11-07T16:31:57.8825829Z                      978.075   95      Microsoft.NetCore.Analyzers.Data.ReviewSqlQueriesForSecurityVulnerabilities (CA2100) (TaskId:1975)
2023-11-07T16:31:57.8843632Z                      8.829   <1      Microsoft.NetCore.Analyzers.Runtime.DisposeObjectsBeforeLosingScope (CA2000) (TaskId:1975)
2023-11-07T16:31:57.8855764Z                      2.024   <1      Microsoft.CodeQuality.Analyzers.QualityGuidelines.ValidateArgumentsOfPublicMethods (CA1062) (TaskId:1975)
2023-11-07T16:31:57.8864549Z                      0.788   <1      Microsoft.NetCore.Analyzers.Security.DoNotCallDangerousMethodsInDeserialization (CA5360) (TaskId:1975)
2023-11-07T16:31:57.8879008Z                      0.632   <1      Microsoft.NetCore.Analyzers.Runtime.UseAsyncMethodInAsyncContext (CA1849) (TaskId:1975)
/* there are a lot more lines here, but every Analyzer needs less than 1 sec to run */

This project only uses C#, we are currently on .NET 6.
Unfortunately, we didn’t have detailed logs before we started to experience this issue.

The interesting this is that I could not find any information about Microsoft.CodeAnalysis.NetAnalyzers 7.0.8.35404, we could only find the 7.0.4, even though we also checked the prerelease variants.
We are always using the newest dotnet-sonarscanner.

Colin · November 13, 2023, 7:34pm

Hey there.

CA2100 is written by Microsoft – and shouldn’t be enabled by Sonar (unless I really misunderstand our implemtnation). Is this a rule that might be enabled via a .ruleset file you have for your project?

Laszlo · November 14, 2023, 1:54pm

Hi,
I’m not aware that we have a ruleset file, just to be sure I attach out Github action fully:

name: Sonarcloud
on:
  pull_request:   
    paths-ignore:
      - 'ABC/Database/**'
jobs:
  build:
    name: Sonarcloud
    runs-on: ubuntu-latest
    steps:
      - name: Set up JDK 17
        uses: actions/setup-java@v3
        with:
          distribution: 'zulu'
          java-version: '17'
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
      - name: Cache SonarCloud packages
        uses: actions/cache@v3
        with:
          path: ~/.sonar/cache
          key: ${{ runner.os }}-sonar
          restore-keys: ${{ runner.os }}-sonar
      - name: Install SonarCloud scanner
        run: |
          dotnet tool install --global dotnet-sonarscanner
      - name: Build and analyze
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        run: |
          dotnet sonarscanner begin /k:"***" /o:"***" /d:sonar.login="${{ secrets.SONAR_TOKEN }}" /d:sonar.host.url="https://sonarcloud.io"
          dotnet build
          dotnet sonarscanner end /d:sonar.login="${{ secrets.SONAR_TOKEN }}"

What we do have is a .editorconfig file, but I suspect it has nothing to do with SonarCloud.
Also, we have a custom profile for C#, can this cause the long build time?

Colin · November 22, 2023, 3:04pm

Once again, I really think the issue boils down to this Microsoft analyzer which is not being used by SonarCloud (it just so happens that SonarCloud wraps the build step).

It looks like a new version of Microsoft.CodeAnalysis.NetAnalyzers has been released (v8.0.0). Is this being used now? Do you still face the performance issue?
Does the longer build time go away if you remove the SonarCloud steps (dotnet sonarscanner begin and dotnet sonarscanner end)?

Laszlo · November 23, 2023, 8:45am

We have a separate GitHub Action which builds the solution and then runs the tests. The build there takes ~4mins.

In the meanwhile, we changed to a bigger GitHub Runner (the “Standard” previous one was 2 cores, 7GB RAM, Ubuntu 22 LTS, the new is 4 cores, 16GB RAM and Ubuntu 22 LTS.) Now the action takes ~10 minutes.

Karim_El_Ouerghemmi · December 1, 2023, 2:53pm

Hello @Laszlo,

I confirm that CA2100 is not related to the sonar analysis. Maybe it is activated through some setting in the build step: Code analysis in .NET | Microsoft Learn

Laszlo · December 5, 2023, 10:52am

Thank you for your answer, we will try to disable all analytics for the .net build.