Out Of Memory Errors When Running Analysis

Must-share information (formatted with Markdown):

  • SonarQube Server / Developer
  • how is SonarQube deployed: Docker in an Azure Container Instance
  • what are you trying to achieve: Analyse our .NET projects
  • what have you tried so far to achieve this: Nothing any different to previously. We are just executing the analysis

Hi, I am trying to analyse our code in SonarQube, which is triggered from a Visual Studio Pipeline.

I am getting all sorts of exceptions coming back from SonarQube.

I have attached the log file for reference, but it is essentially including lots of the following:-

##[error]at org.sonar.plugins.common.thread.ParallelizationManager$$Lambda$1811/0x000001e25b89d708.run(Unknown Source)

at org.sonar.plugins.common.thread.ParallelizationManager$$Lambda$1811/0x000001e25b89d708.run(Unknown Source)

##[error]at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)

at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)

##[error]at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)

at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)

##[error]at java.base/java.lang.Thread.run(Unknown Source)

at java.base/java.lang.Thread.run(Unknown Source)

##[error]Exception in thread "pool-3-thread-3" java.lang.OutOfMemoryError: Java heap space

Exception in thread "pool-3-thread-3" java.lang.OutOfMemoryError: Java heap space

##[error]at java.base/java.util.Arrays.copyOf(Unknown Source)

at java.base/java.util.Arrays.copyOf(Unknown Source)

##[error]at java.base/java.lang.AbstractStringBuilder.ensureCapacityInternal(Unknown Source)

at java.base/java.lang.AbstractStringBuilder.ensureCapacityInternal(Unknown Source)

##[error]at java.base/java.lang.AbstractStringBuilder.append(Unknown Source)

at java.base/java.lang.AbstractStringBuilder.append(Unknown Source)

##[error]at java.base/java.lang.StringBuilder.append(Unknown Source)

at java.base/java.lang.StringBuilder.append(Unknown Source)

##[error]at org.sonar.plugins.common.InputFileContext.buildNormalizedContentAndCalculateOffsets(Unknown Source)

at org.sonar.plugins.common.InputFileContext.buildNormalizedContentAndCalculateOffsets(Unknown Source)

##[error]at org.sonar.plugins.common.InputFileContext.<init>(Unknown Source)

at org.sonar.plugins.common.InputFileContext.<init>(Unknown Source)

##[error]at org.sonar.plugins.common.Analyzer.lambda$buildInputFileContexts$4(Unknown Source)

at org.sonar.plugins.common.Analyzer.lambda$buildInputFileContexts$4(Unknown Source)

##[error]at org.sonar.plugins.common.Analyzer$$Lambda$1810/0x000001e25b89d4e8.run(Unknown Source)

at org.sonar.plugins.common.Analyzer$$Lambda$1810/0x000001e25b89d4e8.run(Unknown Source)

##[error]at org.sonar.plugins.common.thread.ParallelizationManager.lambda$submit$0(Unknown Source)

at org.sonar.plugins.common.thread.ParallelizationManager.lambda$submit$0(Unknown Source)

##[error]at org.sonar.plugins.common.thread.ParallelizationManager$$Lambda$1811/0x000001e25b89d708.run(Unknown Source)

at org.sonar.plugins.common.thread.ParallelizationManager$$Lambda$1811/0x000001e25b89d708.run(Unknown Source)

##[error]at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)

at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)

##[error]at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)

at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)

##[error]at java.base/java.lang.Thread.run(Unknown Source)

at java.base/java.lang.Thread.run(Unknown Source)
SonarLog.txt (8.2 MB)

Hi,

Here’s the problem:

The details of fixing it will vary a bit by how you’re firing analysis, but somewhere you’ll need to apply a larger heap space value, something like -Xmx4096m.

 
HTH,
Ann

Good Morning Ann,

Thank you very much for the reply.

I have tried this, but am still getting some very strange and extremely frustrating issues.

I am going to try and outline the context here and what I have done.

Essentially, we have two projects that we are going to be analysing with SonarQube. I have been working on the bigger and more complex of the two, but to make things easier and to take out any other variables, I have switched to working on the other project, which is a much smaller ASP.NET MVC project built on .NET 8.0.

I have tried to detail the issues I have had with every step of trying to get SonarQube to work and I will also add a .zip file here with all of my logs for each iteration.

Iteration 1 - As per my original message, we get a java.lang.OutOfMemoryError: Java heap space error. Below is the Azure DevOps Pipeline YAML code that was used when this occurred:-

      # =============================================================================================
      # SONARQUBE CONFIGURATION
      # =============================================================================================

      - task: SonarQubePrepare@7
        displayName: "Prepare Analysis on SonarQube"
        condition: eq('${{ parameters.runAnalysis }}', true)
        env:
          SONAR_SCANNER_OPTS: "-Xmx2048m"
        inputs:
          SonarQube: 'SonarQube'
          scannerMode: 'dotnet'
          dotnetScannerVersion: '10.1.2.114627'
          projectKey: 'cbs-ops_DriverWebsite_815157f7-b691-4e43-8a8c-fc7edd5339b7'
          projectName: 'DriverWebsite'
          extraProperties: |
            sonar.projectVersion=$(assemblyVersionNumber)
            sonar.verbose=true
            sonar.exclusions=**/*.sql,**/bin/**/*,**/obj/**/*,**/.git/**
            sonar.branch.name=$(DriverWebsiteRepoRef)


# OTHER CODE HERE.....

      # =============================================================================================
      # APPLICATION COMPILATION
      # =============================================================================================
      # Build and publish the application using the .NET CLI
      - task: DotNetCoreCLI@2
        displayName: "Build ${{ parameters.applicationName }}"
        env:
          PostSharpLicense: $(postSharpLicenseKey)
        inputs:
          command: "publish"
          publishWebProjects: false
          projects: "$(Build.SourcesDirectory)/$(ExtractRepoNames.CleanDriverWebsiteRepoName)/${{ parameters.applicationName }}.sln"
          zipAfterPublish: false
          modifyOutputPath: false
          workingDirectory: "$(Build.SourcesDirectory)/$(ExtractRepoNames.CleanDriverWebsiteRepoName)/"
          platform: ${{ parameters.buildPlatform }}
          arguments: "--no-restore --configuration ${{ parameters.buildConfiguration }} --output $(Build.ArtifactStagingDirectory)"
          script: |
            echo "Building application..."
            echo "Application Name: ${{ parameters.applicationName }}"
            echo "Build Configuration: ${{ parameters.buildConfiguration }}"
            echo "Build Platform: ${{ parameters.buildPlatform }}"
            echo "Output Directory: $(Build.ArtifactStagingDirectory)"

      # =============================================================================================
      # CODE ANALYSIS
      # =============================================================================================
      # Run the SonarQube analysis on the built code (only on scheduled builds)
      - task: SonarQubeAnalyze@7
        displayName: "Run Code Analysis With SonarQube"
        condition: eq('${{ parameters.runAnalysis }}', true)
        inputs:
          jdkversion: 'JAVA_HOME_17_X64'

      # Publish the analysis results to SonarQube and check the quality gate (only on scheduled builds)
      - task: SonarQubePublish@7
        displayName: "Publish Quality Gate Result To SonarQube"
        condition: eq('${{ parameters.runAnalysis }}', true)
        inputs:
          pollingTimeoutSec: '300'

Next, I increased the heap space and got an error “##[error]Not inside a Git work tree: /home/vsts/work/1/s”. Below is the Azure DevOps YAML Pipeline code when this error occurred.

      # =============================================================================================
      # SONARQUBE CONFIGURATION
      # =============================================================================================

      - task: SonarQubePrepare@7
        displayName: "Prepare Analysis on SonarQube"
        condition: eq('${{ parameters.runAnalysis }}', true)
        env:
          SONAR_SCANNER_OPTS: "-Xmx4096m"
        inputs:
          SonarQube: 'SonarQube'
          scannerMode: 'dotnet'
          projectKey: 'cbs-ops_DriverWebsite_815157f7-b691-4e43-8a8c-fc7edd5339b7'
          projectName: 'DriverWebsite'
          organization: 'Car Benefit Solutions Limited'
          extraProperties: |
            sonar.projectVersion=$(assemblyVersionNumber)
            sonar.scm.provider=git
            #sonar.verbose=true
            sonar.exclusions=**/bin/**/*,**/obj/**/*
            sonar.branch.name=$(DriverWebsiteRepoRef)
            sonar.sourceEncoding=UTF-8

      # =============================================================================================
      # APPLICATION COMPILATION
      # =============================================================================================
      # Build and publish the application using the .NET CLI
      - task: DotNetCoreCLI@2
        displayName: "Build ${{ parameters.applicationName }}"
        env:
          PostSharpLicense: $(postSharpLicenseKey)
        inputs:
          command: "build"
          publishWebProjects: false
          projects: "$(Build.SourcesDirectory)/$(ExtractRepoNames.CleanDriverWebsiteRepoName)/${{ parameters.applicationName }}.sln"
          zipAfterPublish: false
          modifyOutputPath: false
          workingDirectory: "$(Build.SourcesDirectory)/$(ExtractRepoNames.CleanDriverWebsiteRepoName)/"
          platform: ${{ parameters.buildPlatform }}
          arguments: "--no-restore --configuration ${{ parameters.buildConfiguration }} --output $(Build.ArtifactStagingDirectory)"
          script: |
            echo "Building application..."
            echo "Application Name: ${{ parameters.applicationName }}"
            echo "Build Configuration: ${{ parameters.buildConfiguration }}"
            echo "Build Platform: ${{ parameters.buildPlatform }}"
            echo "Output Directory: $(Build.ArtifactStagingDirectory)"

      # =============================================================================================
      # CODE ANALYSIS
      # =============================================================================================
      # Run the SonarQube analysis on the built code (only on scheduled builds)
      - task: SonarQubeAnalyze@7
        displayName: "Run Code Analysis With SonarQube"
        condition: eq('${{ parameters.runAnalysis }}', true)
        env:
          SONAR_SCANNER_OPTS: "-Xmx4096m"
        inputs:
          jdkversion: 'JAVA_HOME_17_X64'

      # Publish the analysis results to SonarQube and check the quality gate (only on scheduled builds)
      - task: SonarQubePublish@7
        displayName: "Publish Quality Gate Result To SonarQube"
        condition: eq('${{ parameters.runAnalysis }}', true)
        inputs:
          pollingTimeoutSec: '300'

I then tried to make sure that I was really specific about the source location, adding the sonar.projectBaseDir and sonar.src parameters. After this I get the following error “File src/Cbs.Website.MVC/.vscode/launch.json can’t be indexed twice. Please check that inclusion/exclusion patterns produce disjoint sets for main and test files”. Below is the Azure DevOps YAML Pipeline code when this error occurred.


      # =============================================================================================
      # SONARQUBE CONFIGURATION
      # =============================================================================================

      - task: SonarQubePrepare@7
        displayName: "Prepare Analysis on SonarQube"
        condition: eq('${{ parameters.runAnalysis }}', true)
        env:
          SONAR_SCANNER_OPTS: "-Xmx2048m"
        inputs:
          SonarQube: 'SonarQube'
          scannerMode: 'dotnet'
          projectKey: 'cbs-ops_DriverWebsite_815157f7-b691-4e43-8a8c-fc7edd5339b7'
          projectName: 'DriverWebsite'
          organization: 'Car Benefit Solutions Limited'
          extraProperties: |            
            sonar.projectBaseDir=$(Build.SourcesDirectory)/$(ExtractRepoNames.CleanDriverWebsiteRepoName)
            sonar.sources=src
            sonar.projectVersion=$(assemblyVersionNumber)
            sonar.scm.provider=git
            #sonar.verbose=true
            sonar.exclusions=**/bin/**/*,**/obj/**/*
            sonar.branch.name=$(DriverWebsiteRepoRef)
            sonar.sourceEncoding=UTF-8

      # =============================================================================================
      # APPLICATION COMPILATION
      # =============================================================================================
      # Build and publish the application using the .NET CLI
      - task: DotNetCoreCLI@2
        displayName: "Build ${{ parameters.applicationName }}"
        env:
          PostSharpLicense: $(postSharpLicenseKey)
        inputs:
          command: "build"
          publishWebProjects: false
          projects: "$(Build.SourcesDirectory)/$(ExtractRepoNames.CleanDriverWebsiteRepoName)/${{ parameters.applicationName }}.sln"
          zipAfterPublish: false
          modifyOutputPath: false
          workingDirectory: "$(Build.SourcesDirectory)/$(ExtractRepoNames.CleanDriverWebsiteRepoName)/"
          platform: ${{ parameters.buildPlatform }}
          arguments: "--no-restore --configuration ${{ parameters.buildConfiguration }} --output $(Build.ArtifactStagingDirectory)"
          script: |
            echo "Building application..."
            echo "Application Name: ${{ parameters.applicationName }}"
            echo "Build Configuration: ${{ parameters.buildConfiguration }}"
            echo "Build Platform: ${{ parameters.buildPlatform }}"
            echo "Output Directory: $(Build.ArtifactStagingDirectory)"

      # =============================================================================================
      # CODE ANALYSIS
      # =============================================================================================
      # Run the SonarQube analysis on the built code (only on scheduled builds)
      - task: SonarQubeAnalyze@7
        displayName: "Run Code Analysis With SonarQube"
        condition: eq('${{ parameters.runAnalysis }}', true)
        env:
          SONAR_SCANNER_OPTS: "-Xmx4096m"
        inputs:
          jdkversion: 'JAVA_HOME_17_X64'

      # Publish the analysis results to SonarQube and check the quality gate (only on scheduled builds)
      - task: SonarQubePublish@7
        displayName: "Publish Quality Gate Result To SonarQube"
        condition: eq('${{ parameters.runAnalysis }}', true)
        inputs:
          pollingTimeoutSec: '300'

Now, here is the very strange thing…

Out of sheer frustration, exhaustion and banging my head on my desk multiple times, I asked GitHub Copilot if it could do it for me. Mistakenly, it used the SonarQubePrepare@5 with MSBuild as the scannerMode, and also the SonarQubeAnalyze@5 and SonarQubePublish@5 ADO extensions instead of the SonarQubexxx@7 ones.

I ran this just for the sheer hell of it, and got the obvious deprecated warnings.

However, it ran perfectly, and more interestingly in around 4 minutes instead of the huge amount of time it had been taking previously. Below is the Azure DevOps YAML Pipeline code for this successful run.

      # =============================================================================================
      # SONARQUBE ANALYSIS (PREPARE)
      # =============================================================================================
      - task: SonarQubePrepare@5
        displayName: 'Prepare SonarQube Analysis'
        condition: and(succeeded(), eq('${{ parameters.runAnalysis }}', true))
        inputs:
          SonarQube: 'SonarQube'
          scannerMode: 'MSBuild'
          projectKey: 'cbs-ops_DriverWebsite_815157f7-b691-4e43-8a8c-fc7edd5339b7'
          organization: 'Car Benefit Solutions Limited'
          extraProperties: |
            sonar.verbose=true
            sonar.projectVersion=$(assemblyVersionNumber)
            sonar.scm.provider=git
            sonar.exclusions=**/bin/**/*,**/obj/**/*
            sonar.branch.name=$(DriverWebsiteBranchName)
            sonar.sourceEncoding=UTF-8

      # =============================================================================================
      # APPLICATION COMPILATION (WITH SONARQUBE ANALYSIS)
      # =============================================================================================
      # Build and publish the application using the .NET CLI
      - task: DotNetCoreCLI@2
        displayName: "Build ${{ parameters.applicationName }}"
        env:
          PostSharpLicense: $(postSharpLicenseKey)
        inputs:
          command: "build"
          publishWebProjects: false
          projects: "$(Build.SourcesDirectory)/$(ExtractRepoNames.CleanDriverWebsiteRepoName)/${{ parameters.applicationName }}.sln"
          zipAfterPublish: false
          modifyOutputPath: false
          workingDirectory: "$(Build.SourcesDirectory)/$(ExtractRepoNames.CleanDriverWebsiteRepoName)/"
          platform: ${{ parameters.buildPlatform }}
          arguments: "--no-restore --configuration ${{ parameters.buildConfiguration }} --output $(Build.ArtifactStagingDirectory)"
          script: |
            echo "Building application..."
            echo "Application Name: ${{ parameters.applicationName }}"
            echo "Build Configuration: ${{ parameters.buildConfiguration }}"
            echo "Build Platform: ${{ parameters.buildPlatform }}"
            echo "Output Directory: $(Build.ArtifactStagingDirectory)"

      # =============================================================================================
      # SONARQUBE ANALYSIS (RUN)
      # =============================================================================================
      - task: SonarQubeAnalyze@5
        displayName: 'Run SonarQube Analysis'
        condition: and(succeeded(), eq('${{ parameters.runAnalysis }}', true))

      # =============================================================================================
      # SONARQUBE ANALYSIS (PUBLISH)
      # =============================================================================================
      - task: SonarQubePublish@5
        displayName: 'Publish SonarQube Quality Gate Result'
        condition: and(always(), eq('${{ parameters.runAnalysis }}', true))
        inputs:
          pollingTimeoutSec: '300'

Anyway, I obviously cannot continue down this route, but I just thought it was really interesting and might help highlight the issues I am having.

I just want to get this working now after many weeks trying to get things up and running, as it is extremely frustrating having spent thousands of pounds on a tool that we are unable to use.

Any guidance to save my sanity and sore head would be greatly appreciated.

I 100% get it is something I will be doing wrong, but I am giving up for now until I can get the necessary help as it just feels that anything else I do will be a waste of my very precious time.

Many thanks in advance
Logs-20250603.zip (1.6 MB)

Hi,

I’m sorry you’re having such a hard time.

When I look at your logs…

In the one named ‘…OutOfMemory.txt’, I don’t see the error. The log ends abruptly at line 85,435. I suppose it got truncated somewhere.

Moving on to ##[error]Not inside a Git work tree… your updated pipeline didn’t just increase the scanner memory, it also added this:

Now, I’m not sure why that would cause this problem, but .NET analysis has its own quirks, and I can only guess that the presence of that parameter caused a premature check for the Git metadata(?). Because both the OOM log and this one show the same project base directory.

Which brings us to this:

Yeah… Don’t do that. One of the quirks of .NET analysis is that you don’t get to specify where analysis looks. That’s entirely auto-configured, based off piggy-backing / participating in your build. So when you added a second sonar.sources designation, that triggered this double-index problem.

Please try with this (and post the log if it doesn’t succeed):

        env:
          SONAR_SCANNER_OPTS: "-Xmx4096m"
        inputs:
          SonarQube: 'SonarQube'
          scannerMode: 'dotnet'
          projectKey: 'cbs-ops_DriverWebsite_815157f7-b691-4e43-8a8c-fc7edd5339b7'
          projectName: 'DriverWebsite'
          organization: 'Car Benefit Solutions Limited'
          extraProperties: |
            sonar.projectVersion=$(assemblyVersionNumber)
            sonar.verbose=true
            sonar.exclusions=**/bin/**/*,**/obj/**/*
            sonar.branch.name=$(DriverWebsiteRepoRef)

Note that branch and PR info should normally be picked up automatically from the environment, without you needing to explicitly specify sonar.branch.name but I’ve left that in there in the name of minimizing changes until we get your analysis running.

 
HTH,
Ann

Hi Ann,

Thanks for the speedy response on this.

I have updated the task as per your instructions, and shown below but am now back to the Out Of Memory Exception again. :cry:
ADOSonarLog4-OutOfMemory.zip (1.6 MB)

I have attached the logs, which this time do not seem to have been truncated by Azure DevOps.

      # =============================================================================================
      # SONARQUBE ANALYSIS (PREPARE)
      # =============================================================================================
      - task: SonarQubePrepare@7
        displayName: 'Prepare SonarQube Analysis'
        condition: and(succeeded(), eq('${{ parameters.runAnalysis }}', true))
        env:
          SONAR_SCANNER_OPTS: "-Xmx4096m"
        inputs:
          SonarQube: 'SonarQube'
          scannerMode: 'dotnet'
          projectKey: 'cbs-ops_DriverWebsite_70eebacf-094b-4193-8cb9-4faa8dc61fc0'
          projectName: 'DriverWebsite'
          organization: 'Car Benefit Solutions Limited'
          extraProperties: |
            sonar.projectVersion=$(assemblyVersionNumber)
            sonar.verbose=true
            sonar.exclusions=**/bin/**/*,**/obj/**/*
            sonar.branch.name=$(DriverWebsiteRepoRef)

Hi,

Thanks for the new log. It’s odd to me that this appears to be happening during the Git blame data collection at the end.

Tell me about your checkout?

And in the meantime, can you add sonar.scm.disabled=true to your extraProperties? I normally yell at people for using this parameter (omitting SCM data collection breaks some important functionalities) but for debugging, it’s worth knowing whether Git is really the problem.

 
Thx,
Ann

Thanks Ann,

I am just adding that now and running.

Whilst I am doing that, is there any way I can send you the full yaml template file for this part of the stage please? I suspect this may help more than me trying to explain it.

Many thanks

Simon

Hi Simon,

Feel free to redact as necessary.

 
Ann

Hi Ann,

Please find attached logged files and relevant YAML files.

I have removed any potential sensitive information, but would appreciate it if you are able to remove the attachment from this post after you have downloaded it.

Many thanks

Simon

Hi Simon,

I’ve removed the file from your post. The problem is that if I have to pass this on to someone else, they’ll likely need the same data (which is why I always insist on a public log).

At any rate…

It looks like you’re doing multiple checkouts? And then running analysis from which checked-out repo?

And this certainly isn’t helping (altho it shouldn’t cause this error):

fetchDepth: 1 # Shallow clone for faster checkout

fetchDepth should always be 0 so analysis has access to all the data.

I see this in your log:

2025-06-03T16:04:45.4405922Z sonar.scm.disabled=true

So I really don’t understand why we’re still getting the same failure, apparently in Git.

And at this point, I’m not sure it will help, but can you set fetchDepth to 0 and try again. (I’m i-dotting at this point.)

 
Ann

Thanks Ann, I will give that a try. That checkout template is used for multiple repos, and some require access to both. It will only check out the relevant ones though based on need. I will check that though and make sure we are only checking out what is appropriate.

However, one important thing I did note, is that I had to specify the branch ref in the Prepare Sonar task, as it looks like it assumes whichever branch initiated the build is the one to use.

So, this is a problem because our Azure DevOps pipeline scripts are in a different repo to the source code for our applications. Our Azure DevOps pipeline scripts only really use one branch called “main”, whereas the applications’ source code uses master, release, develop etc. The reason I noticed this is that on one of the scans that did succeed, it set “main” as the branch name in the SonarQube portal, and the only place it could have derived that from is our Azure DevOps pipeline repo.

I hope that makes sense :slight_smile:

I will let you know how things go after changing the fetch depth

Many thanks

Simon

Hi,

I looked at this again, and started a little further up from the error this time. The problem is with this:

2025-06-03T16:13:03.7285953Z 16:13:03.727 INFO: Sensor DeveloperTextAndSecretsSensor [textdeveloper]
2025-06-03T16:13:03.7286313Z 16:13:03.727 DEBUG: Sensor DeveloperTextAndSecretsSensor is allowed to analyze hidden files
2025-06-03T16:13:03.7532383Z 16:13:03.752 INFO: Available processors: 2
2025-06-03T16:13:03.7542166Z 16:13:03.753 INFO: Using 2 threads for analysis.

The Text/Secrets sensor uses Git (altho I don’t remember why at the moment).

The reason this worked when you reverted to a (much) earlier version of the action is that the scanner embedded in it didn’t analyze ‘all’ files, only .NET ones. With the newer action, you’re getting the benefit of analyzing a broader array of files, and the Text sensor is kicking in on them.

Try adding sonar.text.inclusions.activate=false.

That should get us past this error.
When (if) it does, then I’d like to back out the sonar.scm.disabled=true parameter.

 
Ann

P.S. Please share your SonarQube version. You can find it in the page footer if you’re not sure.
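The triage described in the post above (reading upward from the OutOfMemoryError to the sensor that was running when it was thrown), as an added example that is not part of the original thread or of SonarQube. The function name `triage_oom` is hypothetical; the sample log is constructed from lines quoted on this page, plus two constructed `Sensor C# [csharp]` lines that assume the scanner's usual `(done)` suffix on sensor completion.

```python
import re

# Azure DevOps prefixes: an optional ISO timestamp, then an optional "##[error]" marker.
_ADO_PREFIX = re.compile(r"^(?:\d{4}-\d{2}-\d{2}T[\d:.]+Z\s+)?(?:##\[error\])?\s*")
# Scanner sensor start/end lines, e.g. "INFO: Sensor Name [plugin]" and "... (done) | time=..".
_SENSOR = re.compile(r"INFO: Sensor (?P<name>.+?) \[(?P<plugin>[^\]]+)\](?P<done> \(done\))?")
_OOM = re.compile(r"java\.lang\.OutOfMemoryError: (?P<kind>.+)$")
_FRAME = re.compile(r"^at (?P<frame>[^\s(]+)\(")
_JDK = ("java.", "javax.", "jdk.", "sun.")


def triage_oom(lines):
    """Return one finding per OutOfMemoryError: the sensor that was active,
    the error kind, and the first stack frame outside the JDK."""
    active = None      # (name, plugin) of the sensor currently running
    current = None     # finding whose stack trace is being read
    previous = None    # last non-empty normalised line, for de-duplication
    findings = []
    for raw in lines:
        line = _ADO_PREFIX.sub("", raw.strip(), count=1)
        if not line:
            continue
        # The pipeline log echoes each stderr line twice ("##[error]X" then "X").
        # Dropping exact repeats also drops genuinely repeated frames, which
        # does not matter for this triage.
        if line == previous:
            continue
        previous = line

        sensor = _SENSOR.search(line)
        if sensor:
            if sensor.group("done"):
                if active and active[0] == sensor.group("name"):
                    active = None
            else:
                active = (sensor.group("name"), sensor.group("plugin"))
            continue

        oom = _OOM.search(line)
        if oom:
            current = {
                "sensor": active[0] if active else None,
                "plugin": active[1] if active else None,
                "kind": oom.group("kind"),
                "frame": None,
            }
            findings.append(current)
            continue

        frame = _FRAME.match(line)
        if frame and current is not None and current["frame"] is None:
            name = frame.group("frame")
            # "java.base/java.util.Arrays.copyOf" -> drop the module prefix.
            unqualified = name.split("/", 1)[-1]
            if not unqualified.startswith(_JDK):
                current["frame"] = name
    return findings


# Constructed sample: lines quoted on this page plus two constructed C# sensor lines.
SAMPLE_LOG = [
    "2025-06-03T16:12:40.0000000Z 16:12:40.000 INFO: Sensor C# [csharp]",
    "2025-06-03T16:12:41.0000000Z 16:12:41.000 INFO: Sensor C# [csharp] (done) | time=1000ms",
    "2025-06-03T16:13:03.7285953Z 16:13:03.727 INFO: Sensor DeveloperTextAndSecretsSensor [textdeveloper]",
    "2025-06-03T16:13:03.7286313Z 16:13:03.727 DEBUG: Sensor DeveloperTextAndSecretsSensor is allowed to analyze hidden files",
    "2025-06-03T16:13:03.7532383Z 16:13:03.752 INFO: Available processors: 2",
    "2025-06-03T16:13:03.7542166Z 16:13:03.753 INFO: Using 2 threads for analysis.",
    '##[error]Exception in thread "pool-3-thread-3" java.lang.OutOfMemoryError: Java heap space',
    "",
    'Exception in thread "pool-3-thread-3" java.lang.OutOfMemoryError: Java heap space',
    "##[error]at java.base/java.util.Arrays.copyOf(Unknown Source)",
    "at java.base/java.util.Arrays.copyOf(Unknown Source)",
    "##[error]at java.base/java.lang.StringBuilder.append(Unknown Source)",
    "at java.base/java.lang.StringBuilder.append(Unknown Source)",
    "##[error]at org.sonar.plugins.common.InputFileContext.buildNormalizedContentAndCalculateOffsets(Unknown Source)",
    "at org.sonar.plugins.common.InputFileContext.buildNormalizedContentAndCalculateOffsets(Unknown Source)",
    "##[error]at org.sonar.plugins.common.InputFileContext.<init>(Unknown Source)",
    "at org.sonar.plugins.common.InputFileContext.<init>(Unknown Source)",
]

if __name__ == "__main__":
    for finding in triage_oom(SAMPLE_LOG):
        print(finding)
```
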

Hi Ann,

I am so sorry to be the bearer of bad news again, and also apologies for the delay in replying.

I have done as suggested (below) but still got exactly the same issue around out of memory.

      # =============================================================================================
      # SONARQUBE ANALYSIS (PREPARE)
      # =============================================================================================
      - task: SonarQubePrepare@7
        displayName: 'Prepare SonarQube Analysis'
        condition: and(succeeded(), eq('${{ parameters.runAnalysis }}', true))
        env:
          SONAR_SCANNER_OPTS: "-Xmx4096m"
        inputs:
          SonarQube: 'SonarQube'
          scannerMode: 'dotnet'
          projectKey: 'cbs-ops_DriverWebsite_70eebacf-094b-4193-8cb9-4faa8dc61fc0'
          projectName: 'DriverWebsite'
          organization: 'Car Benefit Solutions Limited'
          extraProperties: |
            sonar.projectVersion=$(assemblyVersionNumber)
            sonar.verbose=true
            sonar.exclusions=**/bin/**/*,**/obj/**/*
            sonar.branch.name=$(DriverWebsiteRepoRef)
            sonar.scm.disabled=true
            sonar.text.inclusions.activate=false

I have attached the logs from the entire pipeline run so that you have visibility of everything that is happening during these runs.

I have also attached the SonarQube System Information download file.

We are running SonarQube Developer Edition v2025.3 (108892).

Many thanks

Simon

logs_274362.zip (3.6 MB)

Hi,

Thanks for the new log.

I’m going to flag this for the language experts. And in the meantime, try replacing sonar.text.inclusions with sonar.scanner.scanAll=false. That will turn off the ‘all file’ scanning and get you back to the v5 behavior where you didn’t see this problem. (And then remove sonar.scm.disabled=true. :sweat_smile: )

 
Ann

Hi @smlemmoncbs

Sorry to hear that you’re running into this problem!
With the latest release of SonarQube Server we’re analyzing more files in the secrets analysis that were previously not analyzed.
It seems in your .NET context we’re running into a memory problem by analyzing more files.

Can you try to set sonar.scanner.excludeHiddenFiles=true in your properties? This should disable the additional files and hopefully resolve your issues.

In the meantime we’re already working on optimizing the memory management of the Secrets analysis on bigger projects.

Best


Hi Jonas and Ann,

Apologies for the late response on this, but it has been a very busy day or two.

Anyway, I tried both suggestions.

I tried the suggestion from Jonas, where my config looked as follows and correlates to the attached log files in the zip file “logs_274763.zip”:-

      # =============================================================================================
      # SONARQUBE ANALYSIS (PREPARE)
      # =============================================================================================
      - task: SonarQubePrepare@7
        displayName: 'Prepare SonarQube Analysis'
        condition: and(succeeded(), eq('${{ parameters.runAnalysis }}', true))
        env:
          SONAR_SCANNER_OPTS: "-Xmx4096m"
        inputs:
          SonarQube: 'SonarQube'
          scannerMode: 'dotnet'
          projectKey: 'cbs-ops_DriverWebsite_70eebacf-094b-4193-8cb9-4faa8dc61fc0'
          projectName: 'DriverWebsite'
          organization: 'Car Benefit Solutions Limited'
          extraProperties: |
            sonar.projectVersion=$(assemblyVersionNumber)
            sonar.verbose=true
            sonar.exclusions=**/bin/**/*,**/obj/**/*
            sonar.branch.name=$(DriverWebsiteRepoRef)
            #sonar.scm.disabled=true
            sonar.text.inclusions.activate=false
            sonar.scanner.excludeHiddenFiles=true 

I then tried Ann’s suggestion, where my config looked as follows and correlates to the attached log files in the zip file “logs_274764.zip”:-

      # =============================================================================================
      # SONARQUBE ANALYSIS (PREPARE)
      # =============================================================================================
      - task: SonarQubePrepare@7
        displayName: 'Prepare SonarQube Analysis'
        condition: and(succeeded(), eq('${{ parameters.runAnalysis }}', true))
        env:
          SONAR_SCANNER_OPTS: "-Xmx4096m"
        inputs:
          SonarQube: 'SonarQube'
          scannerMode: 'dotnet'
          projectKey: 'cbs-ops_DriverWebsite_70eebacf-094b-4193-8cb9-4faa8dc61fc0'
          projectName: 'DriverWebsite'
          organization: 'Car Benefit Solutions Limited'
          extraProperties: |
            sonar.projectVersion=$(assemblyVersionNumber)
            sonar.verbose=true
            sonar.exclusions=**/bin/**/*,**/obj/**/*
            sonar.branch.name=$(DriverWebsiteRepoRef)
            #sonar.scm.disabled=true
            #sonar.text.inclusions.activate=false
            sonar.scanner.scanAll=false
            sonar.scanner.excludeHiddenFiles=true 

Unfortunately, the results were the same whereby I got an out of memory error.

So sorry to keep bringing bad news.

Simon

logs_274764.zip (1.7 MB)
logs_274763.zip (3.6 MB)

Hi,

Thanks for the new logs.

Let’s back up a minute.

Instead of setting

Can you actually set

SONAR_SCANNER_JAVA_OPTS: "-Xmx4096m"

 
:woman_facepalming:
Ann

Good Morning Ann and Jonas,

I have changed the SONAR_SCANNER_OPTS: “-Xmx4096m” to SONAR_SCANNER_JAVA_OPTS: “-Xmx4096m” but unfortunately, that hasn’t made any difference from what I can see. I am still getting the same issue.

I have also spent some time going back and stripping things back, only including your last suggestion, Ann, and Jonas’s suggestion, as well as simplifying the YAML script, particularly around checkout, and including that element directly in this specific YAML file.

Below is the current version of the YAML that I am running, and I have also attached the latest full logs from Azure DevOps.

Just one other weird thing - and I don’t want to confuse things, but it may help. We have two projects that we are analysing, but I have just been focusing on one of those in this thread to keep things simple. I have been applying the same changes to the other YAML pipeline, which is a pure .NET 8 solution with no web elements in it. This one now gets through the Code Analysis task, but then falls over on the Publish to SonarQube task with the same out of memory issue. I don’t want to muddy the waters and start bringing in this other project, but I didn’t know if that nugget of info might help.

Many thanks

Simon

# ===================================================================================================
# CODE ANALYSIS WEB APPLICATION BUILD JOB TEMPLATE
# ===================================================================================================
# This pipeline template defines the build process for Web applications with static code analysis.
# It covers the complete workflow from source code checkout to artifact publication, including
# SonarQube analysis for code quality and security.
#
# The build process consists of several key phases:
# 1. Source Code Acquisition      - Check out code from the repository
# 2. Version Management           - Generate version numbers for the build
# 3. Build Environment Setup      - Configure .NET SDK, Node.js, and restore dependencies
# 4. SonarQube Analysis           - Prepare, run, and publish SonarQube analysis
# 5. Front-end Asset Processing   - Compile CSS, JavaScript, and other web assets
# 6. Application Compilation      - Build and publish the .NET application
# 7. Artifact Creation            - Package build outputs and scripts for deployment
# ===================================================================================================

# ===================================================================================================
# TEMPLATE PARAMETERS
# ===================================================================================================
# These parameters are passed from the parent template and define all aspects of the build process.
parameters:
  # The name of the application being built (typically matches the solution name)
  - name: applicationName
    type: string
    displayName: 'Application Name'

  # The source folder name within the src directory where the application code is located
  - name: applicationSourceFolderName
    type: string
    displayName: 'Application Source Folder Name'

  # The build configuration to use (Debug, Release, etc.)
  - name: buildConfiguration
    type: string
    displayName: 'Build Configuration'

  # The platform target for the build (x86, x64, AnyCPU)
  - name: buildPlatform
    type: string
    displayName: 'Build Platform'

# ===================================================================================================
# JOB DEFINITION
# ===================================================================================================
jobs:
  # Main build job that compiles the application, runs code analysis, and creates artifacts for deployment
  - job: Build
    displayName: "Build ${{ parameters.applicationName }}"
    timeoutInMinutes: 120    # Maximum time allowed for build before automatic cancellation
    cancelTimeoutInMinutes: 1  # How long to wait for cancellation tasks to complete

    # -----------------------------------------------------------------------------------------------
    # Agent Pool and Workspace
    # -----------------------------------------------------------------------------------------------
    pool:
      name: Azure Pipelines
      vmImage: "ubuntu-latest"

    workspace:
      clean: outputs | resources | all

    # -----------------------------------------------------------------------------------------------
    # Variables
    # -----------------------------------------------------------------------------------------------
    variables:
      # Import global build variables
      - template: ../../Variables/Global-Build-Variables.yml
      # Import secret variables group
      - group: secret-variables
      # Repository references for use in steps
      - name: DriverWebsiteRepoRef
        value: $[ resources.repositories.DriverWebsite.ref ]
      - name: DriverWebsiteRepoName
        value: $[ resources.repositories.DriverWebsite.name ]

    steps:

      # =============================================================================================
      # SOURCE CODE ACQUISITION
      # =============================================================================================
      
      # Check out the ADO Pipelines repository
      - checkout: self
        clean: true  # Clean the workspace before checkout to ensure a fresh build
        fetchDepth: 0  # Full history (0 disables shallow fetch)
        fetchTags: true  # Only fetch tags if needed for versioning
        displayName: "Checkout Pipeline"
        persistCredentials: true

      # Check out the DriverWebsite repository
      - checkout: DriverWebsite
        clean: true
        fetchDepth: 0
        fetchTags: true
        displayName: "Checkout Driver Website Repository"
        workspaceRepo: true
        persistCredentials: true

      # ===================================================================================================
      # VARIABLE EXTRACTION PHASE
      # ===================================================================================================
      # Extract repository names without GitHub organization prefixes
      - task: PowerShell@2
        name: ExtractRepoNames
        displayName: "Extract Clean Repository Name"
        inputs:
          targetType: 'inline'
          pwsh: true
          script: |
            Write-Host "Original Driver Website Repository Name: $(DriverWebsiteRepoName)"
            $cleanDriverWebsiteRepo = "$(DriverWebsiteRepoName)"
            if ("$(DriverWebsiteRepoName)" -match '/') {
              $cleanDriverWebsiteRepo = "$(DriverWebsiteRepoName)".Split('/')[-1]
              Write-Host "Clean Driver Website Repository Name: $cleanDriverWebsiteRepo"
            }
            else {
              Write-Host "Driver Website repository name does not have an organization prefix"
            }
            Write-Host "##vso[task.setvariable variable=CleanDriverWebsiteRepoName;isOutput=true]$cleanDriverWebsiteRepo"
            Write-Host "Original Build Repository Name: $(Build.Repository.Name)"
            $cleanBuildRepo = "$(Build.Repository.Name)"
            if ("$(Build.Repository.Name)" -match '/') {
              $cleanBuildRepo = "$(Build.Repository.Name)".Split('/')[-1]
              Write-Host "Clean Build Repository Name: $cleanBuildRepo"
            }
            Write-Host "##vso[task.setvariable variable=CleanPipelineRepoName;isOutput=true]$cleanBuildRepo"
            Write-Host "==================================================="
            Write-Host "EXTRACTED REPOSITORY NAMES"
            Write-Host "==================================================="
            Write-Host "Build Repo Name (cleaned): $cleanBuildRepo"
            Write-Host "Driver Website Repo Name (cleaned): $cleanDriverWebsiteRepo"
            Write-Host "==================================================="

      # =============================================================================================
      # VERSION MANAGEMENT
      # =============================================================================================
      # Generate a version number for the build using a PowerShell script
      - task: PowerShell@2
        displayName: "Execute 'Create Version Number' PowerShell Script"
        inputs:
          targetType: "filePath"
          filePath: "$(Build.SourcesDirectory)/$(ExtractRepoNames.CleanPipelineRepoName)/Shared/Scripts-Build/Create-VersionNumber-Web.ps1"
          pwsh: true
          arguments: "-AssemblyProductVersion ${{ variables.assemblyProductVersion }} -SrcPath '$(Build.SourcesDirectory)/$(ExtractRepoNames.CleanDriverWebsiteRepoName)/'"

      # =============================================================================================
      # BUILD ENVIRONMENT SETUP
      # =============================================================================================
      # Install the required .NET Core SDK version for the build
      - task: UseDotNet@2
        displayName: "Use .NET Core SDK $(dotNetVersionForBuild)"
        inputs:
          packageType: "sdk"
          version: $(dotNetVersionForBuild)
          performMultiLevelLookup: true
          script: |
            echo "Using .NET Core SDK version $(dotNetVersionForBuild)..."

      # =============================================================================================
      # SONARQUBE ANALYSIS (PREPARE)
      # ============================================================================================
      # Prepare SonarQube analysis (sets up the scanner and configures analysis properties)
      - task: SonarQubePrepare@7
        displayName: 'Prepare SonarQube Analysis'
        env:
          SONAR_SCANNER_JAVA_OPTS: "-Xmx4096m"
          #SONAR_SCANNER_OPTS: "-Xmx4096m"
        inputs:
          SonarQube: 'SonarQube'
          scannerMode: 'dotnet'
          projectKey: 'cbs-ops_DriverWebsite_70eebacf-094b-4193-8cb9-4faa8dc61fc0'
          projectName: 'DriverWebsite'
          organization: 'Car Benefit Solutions Limited'
          extraProperties: |
            sonar.projectVersion=$(assemblyVersionNumber)
            #sonar.verbose=true
            sonar.branch.name=$(DriverWebsiteRepoRef)
            sonar.typescript.tsconfigPat= $(Build.SourcesDirectory)/$(ExtractRepoNames.CleanDriverWebsiteRepoName)/src/${{ parameters.applicationSourceFolderName }}/tsconfig.json
            #sonar.scanner.scanAll=false
            sonar.scanner.excludeHiddenFiles=true 
            #sonar.text.inclusions.activate=false
            #sonar.scm.disabled=true

      # =============================================================================================
      # FRONT-END BUILD
      # =============================================================================================
      # Install Node.js for front-end asset compilation
      - task: NodeTool@0
        displayName: 'Use Node 10.x'
        inputs:
          versionSpec: 10.x

      # Output directory structure for debugging purposes
      - script: |
          echo "Directory structure:"
          ls -la $(Build.SourcesDirectory)/$(ExtractRepoNames.CleanDriverWebsiteRepoName)/src/
        displayName: "Debug Directory Structure"

      # Cache node_modules for faster subsequent builds
      - task: Cache@2
        displayName: 'Cache node_modules'
        inputs:
          key: 'npm | "$(Agent.OS)" | $(Build.SourcesDirectory)/$(ExtractRepoNames.CleanDriverWebsiteRepoName)/src/${{ parameters.applicationSourceFolderName }}/package-lock.json'
          restoreKeys: |
            npm | "$(Agent.OS)"
          path: $(Build.SourcesDirectory)/$(ExtractRepoNames.CleanDriverWebsiteRepoName)/src/${{ parameters.applicationSourceFolderName }}/node_modules

      # Use npm ci for deterministic and faster installs
      - task: Npm@1
        displayName: 'npm ci (faster install)'
        inputs:
          command: 'ci'
          workingDir: $(Build.SourcesDirectory)/$(ExtractRepoNames.CleanDriverWebsiteRepoName)/src/${{ parameters.applicationSourceFolderName }}
          verbose: false

      # Clean the wwwroot folder to ensure a fresh state for compiled assets
      - task: gulp@0
        displayName: 'gulp CleanWebRootFolder'
        inputs:
          gulpFile: $(Build.SourcesDirectory)/$(ExtractRepoNames.CleanDriverWebsiteRepoName)/src/${{ parameters.applicationSourceFolderName }}/gulpfile.js
          targets: CleanWebRootFolder

      # Rebuild node-sass to fix platform compatibility issues (only if not cached)
      - task: Npm@1
        displayName: 'rebuild node-sass'
        condition: ne(variables['CacheRestored'], 'true')
        inputs:
          command: 'custom'
          customCommand: 'rebuild node-sass'
          workingDir: $(Build.SourcesDirectory)/$(ExtractRepoNames.CleanDriverWebsiteRepoName)/src/${{ parameters.applicationSourceFolderName }}

      # Run the complete front-end build process with optimizations
      - task: gulp@0
        displayName: 'gulp __Build-All__ (optimized)'
        inputs:
          gulpFile: $(Build.SourcesDirectory)/$(ExtractRepoNames.CleanDriverWebsiteRepoName)/src/${{ parameters.applicationSourceFolderName }}/gulpfile.js
          targets: '__Build-All__'
          arguments: '--parallel --incremental'
        env:
          NODE_OPTIONS: '--max-old-space-size=4096'

      # =============================================================================================
      # NUGET PACKAGE RESTORE
      # =============================================================================================
      # Restore NuGet packages before building the .NET solution
      - task: PowerShell@2
        displayName: 'Restore NuGet Packages'
        inputs:
          targetType: 'inline'
          script: |
            $env:CBS_TELERIK_NUGET_KEY = "****************"
            $env:CBS_NUGET_KEY = "****************"
            dotnet restore $(Build.SourcesDirectory)/$(ExtractRepoNames.CleanDriverWebsiteRepoName)/${{ parameters.applicationName }}.sln --configfile $(Build.SourcesDirectory)/$(ExtractRepoNames.CleanDriverWebsiteRepoName)/.nuget/NuGet.DevOps.config

      # =============================================================================================
      # APPLICATION COMPILATION (WITH SONARQUBE ANALYSIS)
      # =============================================================================================
      # Build and publish the application using the .NET CLI
      - task: DotNetCoreCLI@2
        displayName: "Build ${{ parameters.applicationName }}"
        env:
          PostSharpLicense: $(postSharpLicenseKey)
        inputs:
          command: "build"
          publishWebProjects: false
          projects: "$(Build.SourcesDirectory)/$(ExtractRepoNames.CleanDriverWebsiteRepoName)/${{ parameters.applicationName }}.sln"
          zipAfterPublish: false
          modifyOutputPath: false
          workingDirectory: "$(Build.SourcesDirectory)/$(ExtractRepoNames.CleanDriverWebsiteRepoName)/"
          platform: ${{ parameters.buildPlatform }}
          arguments: "--no-restore --configuration ${{ parameters.buildConfiguration }}"
          script: |
            echo "Building application..."
            echo "Application Name: ${{ parameters.applicationName }}"
            echo "Build Configuration: ${{ parameters.buildConfiguration }}"
            echo "Build Platform: ${{ parameters.buildPlatform }}"
            echo "Output Directory: $(Build.ArtifactStagingDirectory)"

      # =============================================================================================
      # SONARQUBE ANALYSIS (RUN)
      # =============================================================================================
      # Run SonarQube analysis on the built code
      - task: SonarQubeAnalyze@7
        displayName: 'Run SonarQube Analysis'
        inputs:
          jdkversion: 'JAVA_HOME_17_X64'

      # =============================================================================================
      # SONARQUBE ANALYSIS (PUBLISH)
      # =============================================================================================
      # Publish the SonarQube quality gate result and fail the build if the gate is not passed
      - task: SonarQubePublish@7
        displayName: 'Publish SonarQube Quality Gate Result'
        inputs:
          pollingTimeoutSec: '300'


logs_274982.zip (434.2 KB)

Hi Simon,

Please create a new thread for the other project since it’s now a different error.

For this project, it’s time to go nuclear: sonar.text.activate=false. This will entirely disable the sensor that’s giving you trouble. Sorry I didn’t give you this earlier, but I couldn’t find it. (Adding it to the public docs is now on the list.)

 
Ann

7 posts were split to a new topic: License error submitting analysis