Performance issue with SonarCloud Java Scanner

We have been facing severe performance issues with the SonarCloud Java scanner while scanning our code base on SVN. It is a private project. When we started using SonarCloud last year, runtime was around 40 minutes for the entire pipeline to complete. We use an agent hosted on a private cloud setup and can handle only one pipeline job at a time.

Based on online suggestions, we deactivated certain security-related rules from the SonarCloud Java quality profile. Though it worked for a few days, we started having the same performance issues again. We are not using the default Sonar Way quality profile and have a separate copy of the default quality profile.

We increased the timeout from the default 0 to 180 minutes in all the tasks. However, the pipeline (DevOps) runs for 3 hours and then times out, resulting in incomplete scans.

The pipeline itself looks good. It has:

  1. Link to SVN Azure link
  2. Task to prepare analysis for SonarCloud
  3. Ant Build.xml
  4. Run Code Analysis
  5. Publish Quality Gate Result.

The failure due to slow performance and timeout is in stage 4: Run Code Analysis.

Welcome to the community!

Do you have some stats about analysis time? That is, the duration of the Run Code Analysis step, over time?

Note that there are several factors that may affect the duration of the analysis:

  • The number of lines of code analyzed
  • The complexity of the code analyzed, the size of files analyzed
  • The included rules
  • The languages analyzed
  • The runtime environment, CPU, memory

According to our internal stats, the performance of the Java analyzer hasn’t changed recently. However, the JavaScript analyzer has been improved to detect more security issues, and this has resulted in some slowness. Is your code exclusively Java?

I have some ideas to understand and possibly to remediate:

  • review the output of the scanner to identify the slowest steps
  • has your code base changed significantly over time?
    • has the number of lines increased significantly?
    • are there new very large files or very complex code?
    • are there new languages that were not analyzed before?
      (more lines to analyze, more complex code, extremely large files)
  • does the scanner have enough memory to do its job? See if increasing the maximum heap helps.

I hope this helps!
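A small parser for the first suggestion above (reviewing the Run Code Analysis output to find the slowest steps and to see which languages were analysed). This is an added example, not code from the thread or from SonarSource; it assumes the `Sensor <name> (done) | time=<N>ms` line shape of sonar-scanner logs and runs over constructed sample lines.

```python
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed sample of "Run Code Analysis" (sonar-scanner) output; not from the
# original post. The "Sensor <name> (done) | time=<N>ms" line shape is assumed.
SAMPLE_LOG = """\
INFO: Sensor JavaSensor [java]
INFO: Sensor JavaSensor [java] (done) | time=5400123ms
INFO: Sensor JavaScript analysis [javascript]
INFO: Sensor JavaScript analysis [javascript] (done) | time=2310456ms
INFO: Sensor XML Sensor [xml] (done) | time=1204ms
INFO: Sensor Zero Coverage Sensor (done) | time=89ms
INFO: Sensor Java CPD Block Indexer (done) | time=150ms
"""

# One completed sensor step: its name (with optional [plugin] tag) and duration.
DONE_LINE = re.compile(r"Sensor (?P<name>.+?) \(done\) \| time=(?P<ms>\d+)ms")
PLUGIN_TAG = re.compile(r"\[(?P<plugin>[a-z0-9]+)\]$")


def sensor_times(log_text: str) -> Dict[str, int]:
    """Map each completed sensor to its duration in milliseconds."""
    times: Counter = Counter()
    for match in DONE_LINE.finditer(log_text):
        times[match.group("name")] += int(match.group("ms"))
    return dict(times)


def slowest(log_text: str, top: int = 3) -> List[Tuple[str, int]]:
    """The `top` sensors by duration, longest first."""
    return sorted(sensor_times(log_text).items(), key=lambda kv: kv[1], reverse=True)[:top]


def time_share(log_text: str) -> Dict[str, float]:
    """Percentage of total sensor time spent in each sensor."""
    times = sensor_times(log_text)
    total = sum(times.values()) or 1
    return {name: 100.0 * ms / total for name, ms in times.items()}


def languages_seen(log_text: str) -> Set[str]:
    """Plugin/language tags that ran, to spot languages not analysed before."""
    return {m.group("plugin") for name in sensor_times(log_text)
            if (m := PLUGIN_TAG.search(name))}


if __name__ == "__main__":
    for name, ms in slowest(SAMPLE_LOG):
        print(f"{ms / 60000:7.1f} min  {time_share(SAMPLE_LOG)[name]:5.1f}%  {name}")
    print("languages analysed:", sorted(languages_seen(SAMPLE_LOG)))
```

Feed it the saved console output of the Run Code Analysis task from a slow and a fast run and compare which sensor grew.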