Performance degradation of findbugs analysis

Hello,
Template for a good bug report:

  • versions used
    SonarQube 6.7.3
    Maven Scanner 3.4.0.905
    Plugins:
    • SonarJava 5.2.0.13398
    • Findbugs 3.7.0
  • error observed:
    — Sensor FindBugs Sensor [findbugs] (done) | time=240320ms (2 times slower than older version SQ 6.4.0, SonarJava 4.15.12310, FindBugs 3.6.0)
    We have only squid rules. Is it possible to disable the FindBugs sensor if there are no FindBugs rules in the quality profile assigned to the project?

Best Regards,
Stoyan

Hi Stoyan,

Please be aware that the FindBugs plugin is a 3rd-party contribution, so we can’t help much with it (we maintain the in-house analyzers, such as SonarJava). If need be you can get in touch with the FindBugs community here: GitHub - spotbugs/sonar-findbugs: SpotBugs plugin for SonarQube.

My experience: Newer versions of the FindBugs Sensor also analyse the binaries. We could get back to the previous runtime by having only the class files matching the (module’s) Java sources in the (module’s) binaries path(s).

Imported libraries (not analysed) can be put into the java.library.path.

Hi Nikolas,

Thanks for the prompt response! It is strange to me that this query (SonarQube v7.1, “Sonar way” QProfile) http://localhost:9000/coding_rules?languages=java&q=findsecbugs&repositories=squid returns 17 results of rules. Some of them are part of “Sonar way”.
Having a look at the FindBugs plugin: https://github.com/spotbugs/sonar-findbugs/blob/master/src/main/java/org/sonar/plugins/findbugs/FindbugsSensor.java#L109
and ‘activeRule.getRepositoryKey().contains("findsecbugs")’, it explains why a FindBugs sensor is activated.
Do you have any proposals for how it can be fixed?

-Stoyan