PR issue - This analysis will make your organization ‘xxx’ to reach the maximum allowed lines limit

Hello,

We are using the GitHub Actions CI/CD pipelines to analyse our code. We have only two branches for which we’ve enabled GitHub Actions to run, master and development (clone of the master branch), so that means the code analysis is done only for these two branches.

On the root project we have a sonar-project.properties file where we specify that we want to analyze only two subpaths:

sonar.sources = application/
sonar.inclusions = application/models/**/*, application/controllers/**/*

The workflow file for sonar cloud analysis is configured to run using this configuration:

jobs:
  sonarcloud:
    name: SonarCloud
    runs-on: ubuntu-latest
    environment: ${{ github.ref_name }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
      - name: SonarCloud Scan
        uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

On GitHub, a branch protection rule is enabled for the master branch that requires a successful sonar code analysis before the PR can be merged, so that means that the development branch needs to have a successful sonar code analysis result in order to be able to merge it with the master branch.

After successfully merging the pull request (from development to master), a code analysis is run for the merged pull request commit and this analysis has a “Failed” status on the SonarQube cloud website when accessing the project Administration → Background Tasks section. On the failed task, when I press the “Show Error Details”, it says “This analysis will make your organization 'xxx' to reach the maximum allowed lines limit (having 201022 lines). Please contact the administrator of the organization to resolve this issue.”. Checking the id of the failed analysis, AZOH_uaa3v9VhC9ZGkX1, I can see the same error.

Our current plan has 200k private lines of code, and in the “Billing & Upgrade” section it shows that our projects have in total 198,311 lines of code analyzed, so we still have 1689 LOC until we reach the limit.

So I don’t understand why the development branch passed the sonar cloud code analysis (task id AZOL6BIZ3v9VhC9ZG7WT), but the code analysis done on the master branch is failing (task id AZOH_uaa3v9VhC9ZGkX1)? I’ve checked the commits from the development branch that are pushed on the master branch and the lines added in the scanned folders, application/models and application/controllers, are under 100 LOC, so not even near the 1689 LOC that we still have until we reach the limit. So it’s not clear why this issue happens, how can I debug it? Is it possible that, when SonarCloud makes the LOC limit checks, it considers all the LOC from the “application” folder (mentioned in the sonar.sources property) instead of counting only the lines from “application/models” and “application/controllers” mentioned in the sonar.inclusions property?

Hi,

Welcome to the community!

I suspect something has gone sideways with your sources and inclusions configurations.

As a side note, sonar.sources accepts a comma-delimited list, so this would be a (marginally) better configuration:

sonar.sources application/models,application/controllers

Can you share your analysis log?

The analysis / scanner log is what’s output from the analysis command. Hopefully, the log you provide - redacted as necessary - will include that command as well.

This guide will help you find them.

 
Ann

Hello Ann,

Like I’ve mentioned above, we are using GitHub Actions CI integration for analyzing the source code as mentioned in this documentation. I’ve also done some tests by using the SonarScanner CLI mentioned here and the results are the same.

Below is the output from the code analysis done with GitHub Actions:

/usr/bin/docker run --name ae28556f34fc587c490894691036d5b6cd8c_bd7050 --label 18ae28 --workdir /github/workspace --rm -e "GITHUB_TOKEN" -e "SONAR_TOKEN" -e "INPUT_ARGS" -e "INPUT_PROJECTBASEDIR" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_ENVIRONMENT" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e "ACTIONS_RESULTS_URL" -e GITHUB_ACTIONS=true -e CI=true --entrypoint "/entrypoint.sh" -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/project_name/project_name":"/github/workspace" 18ae28:556f34fc587c490894691036d5b6cd8c
09:58:07.800 INFO  Scanner configuration file: /opt/sonar-scanner/conf/sonar-scanner.properties
09:58:07.803 INFO  Project root configuration file: /github/workspace/sonar-project.properties
09:58:07.820 INFO  SonarScanner CLI 6.2.1.4610
09:58:07.822 INFO  Java 17.0.12 Amazon.com Inc. (64-bit)
09:58:07.823 INFO  Linux 6.5.0-1025-azure amd64
09:58:07.851 INFO  User cache: /opt/sonar-scanner/.sonar/cache
09:58:08.764 INFO  JRE provisioning: os[linux], arch[x86_64]
09:58:12.885 INFO  Communicating with SonarCloud
09:58:13.224 INFO  Starting SonarScanner Engine...
09:58:13.229 INFO  Java 17.0.11 Eclipse Adoptium (64-bit)
09:58:14.378 INFO  Load global settings
09:58:14.894 INFO  Load global settings (done) | time=516ms
09:58:14.899 INFO  Server id: 1BD809FA-AWHW8ct9-T_TB3XqouNu
09:58:15.208 INFO  Loading required plugins
09:58:15.210 INFO  Load plugins index
09:58:15.344 INFO  Load plugins index (done) | time=134ms
09:58:15.346 INFO  Load/download plugins
09:58:16.555 INFO  Load/download plugins (done) | time=1210ms
09:58:17.008 INFO  Found an active CI vendor: 'Github Actions'
09:58:17.024 INFO  Load project settings for component key: 'projectKey'
09:58:17.149 INFO  Load project settings for component key: 'projectKey' (done) | time=124ms
09:58:17.155 INFO  Process project properties
09:58:17.162 INFO  Project key: projectKey
09:58:17.164 INFO  Base dir: /github/workspace
09:58:17.166 INFO  Working dir: /github/workspace/.scannerwork
09:58:17.167 INFO  Load project branches
09:58:17.389 INFO  Load project branches (done) | time=222ms
09:58:17.391 INFO  Check ALM binding of project 'projectKey'
09:58:17.496 INFO  Detected project binding: BOUND
09:58:17.496 INFO  Check ALM binding of project 'projectKey' (done) | time=104ms
09:58:17.499 INFO  Load project pull requests
09:58:17.613 INFO  Load project pull requests (done) | time=114ms
09:58:17.617 INFO  Load branch configuration
09:58:17.618 INFO  Github event: push
09:58:17.622 INFO  Auto-configuring branch master
09:58:17.626 INFO  Load branch configuration (done) | time=7ms
09:58:17.636 INFO  Load quality profiles
09:58:17.945 INFO  Load quality profiles (done) | time=308ms
09:58:17.953 INFO  Load active rules
09:58:25.346 INFO  Load active rules (done) | time=7393ms
09:58:25.508 INFO  Organization key: organization_key
09:58:25.513 INFO  Branch name: master, type: long-lived
09:58:25.528 INFO  Preprocessing files...
09:58:27.031 INFO  1 language detected in 2113 preprocessed files
09:58:27.033 INFO  1018 files ignored because of inclusion/exclusion patterns
09:58:27.035 INFO  0 files ignored because of scm ignore settings
09:58:27.066 INFO  Loading plugins for detected languages
09:58:27.067 INFO  Load/download plugins
09:58:27.493 INFO  Load/download plugins (done) | time=426ms
09:58:27.580 INFO  Load project repositories
09:58:28.414 INFO  Load project repositories (done) | time=834ms
09:58:28.417 INFO  Indexing files...
09:58:28.422 INFO  Project configuration:
09:58:28.423 INFO    Included sources: application/models/**/*, application/controllers/**/*
09:58:28.426 INFO    Excluded sources: **/build-wrapper-dump.json
09:58:29.462 INFO  2113 files indexed
09:58:29.471 INFO  Quality profile for php: Rules_disabled
09:58:29.473 INFO  ------------- Run sensors on module projectKey
09:58:29.520 INFO  Load metrics repository
09:58:29.634 INFO  Load metrics repository (done) | time=115ms
09:58:29.641 INFO  Sensor cache enabled
09:58:29.907 INFO  Load sensor cache
09:58:32.159 INFO  Load sensor cache (5 MB) | time=2252ms
09:58:32.964 INFO  Sensor HTML [web]
09:58:33.677 INFO  Sensor HTML [web] (done) | time=713ms
09:58:33.679 INFO  Sensor JaCoCo XML Report Importer [jacoco]
09:58:33.682 INFO  'sonar.coverage.jacoco.xmlReportPaths' is not defined. Using default locations: target/site/jacoco/jacoco.xml,target/site/jacoco-it/jacoco.xml,build/reports/jacoco/test/jacocoTestReport.xml
09:58:33.683 INFO  No report imported, no coverage information will be imported by JaCoCo XML Report Importer
09:58:33.684 INFO  Sensor JaCoCo XML Report Importer [jacoco] (done) | time=4ms
09:58:33.686 INFO  Sensor PHP sensor [php]
09:58:33.748 INFO  Starting PHP symbol indexer
09:58:33.761 INFO  2113 source files to be analyzed
09:58:43.769 INFO  1672/2113 files analyzed, current file: application/controllers/subpath/file_name.php
09:58:45.880 INFO  2113/2113 source files have been analyzed
09:58:45.882 INFO  Cached information of global symbols will be used for 0 out of 2113 files. Global symbols were recomputed for the remaining files.
09:58:45.924 INFO  Starting PHP rules
09:58:45.927 INFO  2113 source files to be analyzed
09:58:55.927 INFO  376/2113 files analyzed, current file: application/models/subpath/file_name.php
09:59:05.927 INFO  798/2113 files analyzed, current file: application/controllers/subpath/file_name.php
09:59:15.928 INFO  1284/2113 files analyzed, current file: application/controllers/subpath/file_name.php
09:59:29.997 WARN  Failed to resolve 3898 include/require statements like 'application/controllers/subpath/file_name.php' from 'br', 'application/helpers/file_name.php' from 'folder_name'
09:59:30.008 INFO  2113/2113 source files have been analyzed
09:59:30.009 INFO  The PHP analyzer was able to leverage cached data from previous analyses for 0 out of 2113 files. These files were not parsed.
09:59:30.010 INFO  Sensor PHP sensor [php] (done) | time=56323ms
09:59:30.011 INFO  Sensor Analyzer for "php.ini" files [php]
09:59:30.017 INFO  Sensor Analyzer for "php.ini" files [php] (done) | time=8ms
09:59:30.018 INFO  Sensor PHPUnit report sensor [php]
09:59:30.019 INFO  No PHPUnit tests reports provided (see 'sonar.php.tests.reportPath' property)
09:59:30.020 INFO  No PHPUnit coverage reports provided (see 'sonar.php.coverage.reportPaths' property)
09:59:30.068 INFO  Sensor PHPUnit report sensor [php] (done) | time=51ms
09:59:30.070 INFO  Sensor Java Config Sensor [iac]
09:59:30.101 INFO  0 source files to be analyzed
09:59:30.101 INFO  0/0 source files have been analyzed
09:59:30.102 INFO  Sensor Java Config Sensor [iac] (done) | time=33ms
09:59:30.102 INFO  Sensor IaC Docker Sensor [iac]
09:59:30.211 INFO  0 source files to be analyzed
09:59:30.212 INFO  0/0 source files have been analyzed
09:59:30.214 INFO  Sensor IaC Docker Sensor [iac] (done) | time=112ms
09:59:30.217 INFO  Sensor Serverless configuration file sensor [security]
09:59:30.220 INFO  0 Serverless function entries were found in the project
09:59:30.223 INFO  0 Serverless function handlers were kept as entrypoints
09:59:30.223 INFO  Sensor Serverless configuration file sensor [security] (done) | time=6ms
09:59:30.225 INFO  Sensor AWS SAM template file sensor [security]
09:59:30.227 INFO  Sensor AWS SAM template file sensor [security] (done) | time=2ms
09:59:30.228 INFO  Sensor AWS SAM Inline template file sensor [security]
09:59:30.229 INFO  Sensor AWS SAM Inline template file sensor [security] (done) | time=1ms
09:59:30.230 INFO  Sensor EnterpriseTextAndSecretsSensor [textenterprise]
09:59:30.231 INFO  Available processors: 2
09:59:30.232 INFO  Using 2 threads for analysis.
09:59:30.803 INFO  The property "sonar.tests" is not set. To improve the analysis accuracy, we categorize a file as a test file if any of the following is true:
  * The filename starts with "test"
  * The filename contains "test." or "tests."
  * Any directory in the file path is named: "doc", "docs", "test" or "tests"
  * Any directory in the file path has a name ending in "test" or "tests"

09:59:30.848 INFO  Using git CLI to retrieve untracked files
09:59:30.860 WARN  Analyzing only language associated files, make sure to run the analysis inside a git repository to make use of inclusions specified via "sonar.text.inclusions"
09:59:31.066 INFO  2113 source files to be analyzed
09:59:41.066 INFO  2063/2113 files analyzed, current files: application/models/subpath/file_name.php, application/models/subpath/file_name.php
09:59:41.144 INFO  2113/2113 source files have been analyzed
09:59:41.148 INFO  Sensor EnterpriseTextAndSecretsSensor [textenterprise] (done) | time=10917ms
09:59:41.149 INFO  Sensor JavaSecuritySensor [security]
09:59:41.151 INFO  Enabled taint analysis rules: S2076, S2078, S2083, S2091, S2631, S3649, S5131, S5135, S5144, S5145, S5146, S5147, S5334, S5496, S5883, S6096, S6173, S6287, S6350, S6384, S6390, S6398, S6399, S6547, S6549, S7044
09:59:41.152 INFO  Load type hierarchy and UCFGs: Starting
09:59:41.153 INFO  Load type hierarchy: Starting
09:59:41.154 INFO  Reading type hierarchy from: /github/workspace/.scannerwork/ucfg2/java
09:59:41.155 INFO  Read 0 type definitions
09:59:41.156 INFO  Load type hierarchy: Time spent was 00:00:00.001
09:59:41.157 INFO  Load UCFGs: Starting
09:59:41.157 INFO  Load UCFGs: Time spent was 00:00:00.000
09:59:41.158 INFO  Load type hierarchy and UCFGs: Time spent was 00:00:00.002
09:59:41.159 INFO  No UCFGs have been included for analysis.
09:59:41.166 INFO  java security sensor: Time spent was 00:00:00.015
09:59:41.167 INFO  java security sensor: Begin: 2024-12-03T09:59:41.150748317Z, End: 2024-12-03T09:59:41.165932616Z, Duration: 00:00:00.015
  Load type hierarchy and UCFGs: Begin: 2024-12-03T09:59:41.152748365Z, End: 2024-12-03T09:59:41.154983092Z, Duration: 00:00:00.002
    Load type hierarchy: Begin: 2024-12-03T09:59:41.152822794Z, End: 2024-12-03T09:59:41.154204686Z, Duration: 00:00:00.001
    Load UCFGs: Begin: 2024-12-03T09:59:41.154756368Z, End: 2024-12-03T09:59:41.154907590Z, Duration: 00:00:00.000
09:59:41.168 INFO  java security sensor peak memory: 283 MB
09:59:41.169 INFO  Sensor JavaSecuritySensor [security] (done) | time=21ms
09:59:41.171 INFO  Sensor CSharpSecuritySensor [security]
09:59:41.174 INFO  Enabled taint analysis rules: S2076, S2078, S2083, S2091, S2631, S3649, S5131, S5135, S5144, S5145, S5146, S5147, S5334, S5883, S6096, S6173, S6287, S6350, S6399, S6547, S6549, S6639, S6641, S6680, S6776, S7044
09:59:41.177 INFO  Load type hierarchy and UCFGs: Starting
09:59:41.179 INFO  Load type hierarchy: Starting
09:59:41.180 INFO  Reading type hierarchy from: /github/workspace/ucfg2/cs
09:59:41.181 INFO  Read 0 type definitions
09:59:41.181 INFO  Load type hierarchy: Time spent was 00:00:00.003
09:59:41.181 INFO  Load UCFGs: Starting
09:59:41.182 INFO  Load UCFGs: Time spent was 00:00:00.000
09:59:41.183 INFO  Load type hierarchy and UCFGs: Time spent was 00:00:00.006
09:59:41.183 INFO  No UCFGs have been included for analysis.
09:59:41.184 INFO  csharp security sensor: Time spent was 00:00:00.010
09:59:41.185 INFO  csharp security sensor: Begin: 2024-12-03T09:59:41.173725641Z, End: 2024-12-03T09:59:41.184511870Z, Duration: 00:00:00.010
  Load type hierarchy and UCFGs: Begin: 2024-12-03T09:59:41.176932454Z, End: 2024-12-03T09:59:41.183029990Z, Duration: 00:00:00.006
    Load type hierarchy: Begin: 2024-12-03T09:59:41.177284933Z, End: 2024-12-03T09:59:41.181256576Z, Duration: 00:00:00.003
    Load UCFGs: Begin: 2024-12-03T09:59:41.181824537Z, End: 2024-12-03T09:59:41.182093299Z, Duration: 00:00:00.000
09:59:41.187 INFO  csharp security sensor peak memory: 283 MB
09:59:41.187 INFO  Sensor CSharpSecuritySensor [security] (done) | time=16ms
09:59:41.189 INFO  Sensor PhpSecuritySensor [security]
09:59:41.189 INFO  Enabled taint analysis rules: S2076, S2078, S2083, S2091, S2631, S3649, S5131, S5135, S5144, S5145, S5146, S5334, S5335, S5883, S6173, S6287, S6350, S7044
09:59:41.190 INFO  Load type hierarchy and UCFGs: Starting
09:59:41.190 INFO  Load type hierarchy: Starting
09:59:41.191 INFO  Reading type hierarchy from: /github/workspace/.scannerwork/ucfg2/php
09:59:41.450 INFO  Read 2336 type definitions
09:59:41.469 INFO  Load type hierarchy: Time spent was 00:00:00.278
09:59:41.470 INFO  Load UCFGs: Starting
09:59:41.470 INFO  Reading UCFGs from: /github/workspace/.scannerwork/ucfg2/php
09:59:43.791 INFO  Load UCFGs: Time spent was 00:00:02.321
09:59:43.792 INFO  Load type hierarchy and UCFGs: Time spent was 00:00:02.601
09:59:43.794 INFO  Analyzing 10100 UCFGs to detect vulnerabilities.
09:59:43.795 INFO  Check cache: Starting
09:59:43.795 INFO  Load cache: Starting
09:59:43.796 INFO  Load cache: Time spent was 00:00:00.000
09:59:43.796 INFO  Check cache: Time spent was 00:00:00.000
09:59:43.797 INFO  Create runtime call graph: Starting
09:59:43.798 INFO  Create declared type propagation graph: Starting
09:59:44.371 INFO  Create declared type propagation graph: Time spent was 00:00:00.570
09:59:44.373 INFO  Run SCC (Tarjan) on 53243 nodes: Starting
09:59:44.441 INFO  Run SCC (Tarjan) on 53243 nodes: Time spent was 00:00:00.067
09:59:44.442 INFO  Tarjan found 52552 strongly connected components
09:59:44.442 INFO  Propagate runtime types to strongly connected components: Starting
09:59:44.588 INFO  Propagate runtime types to strongly connected components: Time spent was 00:00:00.146
09:59:44.600 INFO  Variable Type Analysis #1: Starting
09:59:44.601 INFO  Create runtime type propagation graph: Starting
09:59:45.325 INFO  Create runtime type propagation graph: Time spent was 00:00:00.721
09:59:45.326 INFO  Run SCC (Tarjan) on 64230 nodes: Starting
09:59:45.383 INFO  Run SCC (Tarjan) on 64230 nodes: Time spent was 00:00:00.056
09:59:45.385 INFO  Tarjan found 62923 strongly connected components
09:59:45.386 INFO  Propagate runtime types to strongly connected components: Starting
09:59:45.695 INFO  Propagate runtime types to strongly connected components: Time spent was 00:00:00.308
09:59:45.697 INFO  Variable Type Analysis #1: Time spent was 00:00:01.095
09:59:45.697 INFO  Variable Type Analysis #2: Starting
09:59:45.697 INFO  Create runtime type propagation graph: Starting
09:59:46.246 INFO  Create runtime type propagation graph: Time spent was 00:00:00.549
09:59:46.247 INFO  Run SCC (Tarjan) on 60207 nodes: Starting
09:59:46.299 INFO  Run SCC (Tarjan) on 60207 nodes: Time spent was 00:00:00.052
09:59:46.300 INFO  Tarjan found 59555 strongly connected components
09:59:46.300 INFO  Propagate runtime types to strongly connected components: Starting
09:59:46.461 INFO  Propagate runtime types to strongly connected components: Time spent was 00:00:00.161
09:59:46.462 INFO  Variable Type Analysis #2: Time spent was 00:00:00.765
09:59:46.469 INFO  Create runtime call graph: Time spent was 00:00:02.677
09:59:46.470 INFO  Load config: Starting
09:59:46.731 INFO  Load config: Time spent was 00:00:00.261
09:59:46.735 INFO  Compute entry points: Starting
09:59:49.155 INFO  Compute entry points: Time spent was 00:00:02.420
09:59:49.156 INFO  All rules entry points : 32
09:59:49.157 INFO  Slice call graph: Starting
09:59:49.158 INFO  Retained UCFGs : 294
09:59:49.168 INFO  Slice call graph: Time spent was 00:00:00.009
09:59:49.169 INFO  Live variable analysis: Starting
09:59:49.224 INFO  Live variable analysis: Time spent was 00:00:00.058
09:59:49.225 INFO  Taint analysis for php: Starting
09:59:49.235 INFO  0 / 294 UCFGs simulated, memory usage: 417 MB
09:59:49.666 INFO  292 / 294 UCFGs simulated, memory usage: 450 MB
09:59:49.667 INFO  Taint analysis for php: Time spent was 00:00:00.440
09:59:49.668 INFO  Report issues: Starting
09:59:49.669 INFO  Report issues: Time spent was 00:00:00.002
09:59:49.673 INFO  Store cache: Starting
09:59:49.686 INFO  Store cache: Time spent was 00:00:00.013
09:59:49.687 INFO  php security sensor: Time spent was 00:00:08.498
09:59:49.689 INFO  php security sensor: Begin: 2024-12-03T09:59:41.189356764Z, End: 2024-12-03T09:59:49.687492562Z, Duration: 00:00:08.498
  Load type hierarchy and UCFGs: Begin: 2024-12-03T09:59:41.189895612Z, End: 2024-12-03T09:59:43.791510665Z, Duration: 00:00:02.601
    Load type hierarchy: Begin: 2024-12-03T09:59:41.190459766Z, End: 2024-12-03T09:59:41.468844389Z, Duration: 00:00:00.278
    Load UCFGs: Begin: 2024-12-03T09:59:41.470076812Z, End: 2024-12-03T09:59:43.791337412Z, Duration: 00:00:02.321
  Check cache: Begin: 2024-12-03T09:59:43.791609791Z, End: 2024-12-03T09:59:43.791978049Z, Duration: 00:00:00.000
    Load cache: Begin: 2024-12-03T09:59:43.791635318Z, End: 2024-12-03T09:59:43.791673750Z, Duration: 00:00:00.000
  Create runtime call graph: Begin: 2024-12-03T09:59:43.792055624Z, End: 2024-12-03T09:59:46.469540714Z, Duration: 00:00:02.677
    Create declared type propagation graph: Begin: 2024-12-03T09:59:43.798665488Z, End: 2024-12-03T09:59:44.369004772Z, Duration: 00:00:00.570
    Run SCC (Tarjan) on 53243 nodes: Begin: 2024-12-03T09:59:44.373584902Z, End: 2024-12-03T09:59:44.441114706Z, Duration: 00:00:00.067
    Propagate runtime types to strongly connected components: Begin: 2024-12-03T09:59:44.441397334Z, End: 2024-12-03T09:59:44.588155898Z, Duration: 00:00:00.146
    Variable Type Analysis #1: Begin: 2024-12-03T09:59:44.600070276Z, End: 2024-12-03T09:59:45.695657730Z, Duration: 00:00:01.095
      Create runtime type propagation graph: Begin: 2024-12-03T09:59:44.600794550Z, End: 2024-12-03T09:59:45.322459099Z, Duration: 00:00:00.721
      Run SCC (Tarjan) on 64230 nodes: Begin: 2024-12-03T09:59:45.326237130Z, End: 2024-12-03T09:59:45.382725205Z, Duration: 00:00:00.056
      Propagate runtime types to strongly connected components: Begin: 2024-12-03T09:59:45.386615335Z, End: 2024-12-03T09:59:45.695423201Z, Duration: 00:00:00.308
    Variable Type Analysis #2: Begin: 2024-12-03T09:59:45.696154879Z, End: 2024-12-03T09:59:46.461424164Z, Duration: 00:00:00.765
      Create runtime type propagation graph: Begin: 2024-12-03T09:59:45.696224048Z, End: 2024-12-03T09:59:46.245908672Z, Duration: 00:00:00.549
      Run SCC (Tarjan) on 60207 nodes: Begin: 2024-12-03T09:59:46.246117923Z, End: 2024-12-03T09:59:46.299113170Z, Duration: 00:00:00.052
      Propagate runtime types to strongly connected components: Begin: 2024-12-03T09:59:46.299340675Z, End: 2024-12-03T09:59:46.461228849Z, Duration: 00:00:00.161
  Load config: Begin: 2024-12-03T09:59:46.469644337Z, End: 2024-12-03T09:59:46.731217176Z, Duration: 00:00:00.261
  Compute entry points: Begin: 2024-12-03T09:59:46.735008602Z, End: 2024-12-03T09:59:49.155288948Z, Duration: 00:00:02.420
  Slice call graph: Begin: 2024-12-03T09:59:49.155495885Z, End: 2024-12-03T09:59:49.164948822Z, Duration: 00:00:00.009
  Live variable analysis: Begin: 2024-12-03T09:59:49.165071171Z, End: 2024-12-03T09:59:49.223878041Z, Duration: 00:00:00.058
  Taint analysis for php: Begin: 2024-12-03T09:59:49.225334894Z, End: 2024-12-03T09:59:49.666090713Z, Duration: 00:00:00.440
  Report issues: Begin: 2024-12-03T09:59:49.666240333Z, End: 2024-12-03T09:59:49.669172292Z, Duration: 00:00:00.002
  Store cache: Begin: 2024-12-03T09:59:49.673225969Z, End: 2024-12-03T09:59:49.686658894Z, Duration: 00:00:00.013
09:59:49.699 INFO  php security sensor peak memory: 565 MB
09:59:49.700 INFO  Sensor PhpSecuritySensor [security] (done) | time=8500ms
09:59:49.701 INFO  Sensor PythonSecuritySensor [security]
09:59:49.702 INFO  Enabled taint analysis rules: S2076, S2078, S2083, S2091, S2631, S3649, S5131, S5135, S5144, S5145, S5146, S5147, S5334, S5496, S6287, S6350, S6639, S6680, S6776, S6839, S7044
09:59:49.703 INFO  Load type hierarchy and UCFGs: Starting
09:59:49.704 INFO  Load type hierarchy: Starting
09:59:49.704 INFO  Reading type hierarchy from: /github/workspace/.scannerwork/ucfg2/python
09:59:49.705 INFO  Read 0 type definitions
09:59:49.706 INFO  Load type hierarchy: Time spent was 00:00:00.000
09:59:49.706 INFO  Load UCFGs: Starting
09:59:49.707 INFO  Load UCFGs: Time spent was 00:00:00.000
09:59:49.708 INFO  Load type hierarchy and UCFGs: Time spent was 00:00:00.000
09:59:49.709 INFO  No UCFGs have been included for analysis.
09:59:49.709 INFO  python security sensor: Time spent was 00:00:00.000
09:59:49.710 INFO  python security sensor: Begin: 2024-12-03T09:59:49.689601503Z, End: 2024-12-03T09:59:49.690543744Z, Duration: 00:00:00.000
  Load type hierarchy and UCFGs: Begin: 2024-12-03T09:59:49.689980211Z, End: 2024-12-03T09:59:49.690308665Z, Duration: 00:00:00.000
    Load type hierarchy: Begin: 2024-12-03T09:59:49.690012943Z, End: 2024-12-03T09:59:49.690155870Z, Duration: 00:00:00.000
    Load UCFGs: Begin: 2024-12-03T09:59:49.690212145Z, End: 2024-12-03T09:59:49.690263331Z, Duration: 00:00:00.000
09:59:49.712 INFO  python security sensor peak memory: 565 MB
09:59:49.712 INFO  Sensor PythonSecuritySensor [security] (done) | time=2ms
09:59:49.713 INFO  Sensor JsSecuritySensor [security]
09:59:49.714 INFO  Enabled taint analysis rules: S2076, S5146, S6096, S5131, S2631, S6350, S5696, S6287, S5147, S5144, S2083, S3649, S5334, S5883, S6105
09:59:49.714 INFO  Load type hierarchy and UCFGs: Starting
09:59:49.715 INFO  Load type hierarchy: Starting
09:59:49.715 INFO  Reading type hierarchy from: /github/workspace/.scannerwork/ucfg2/js
09:59:49.715 INFO  Read 0 type definitions
09:59:49.715 INFO  Load type hierarchy: Time spent was 00:00:00.000
09:59:49.715 INFO  Load UCFGs: Starting
09:59:49.716 INFO  Load UCFGs: Time spent was 00:00:00.000
09:59:49.716 INFO  Load type hierarchy and UCFGs: Time spent was 00:00:00.000
09:59:49.724 INFO  No UCFGs have been included for analysis.
09:59:49.724 INFO  js security sensor: Time spent was 00:00:00.000
09:59:49.725 INFO  js security sensor: Begin: 2024-12-03T09:59:49.692119520Z, End: 2024-12-03T09:59:49.692873579Z, Duration: 00:00:00.000
  Load type hierarchy and UCFGs: Begin: 2024-12-03T09:59:49.692415683Z, End: 2024-12-03T09:59:49.692660320Z, Duration: 00:00:00.000
    Load type hierarchy: Begin: 2024-12-03T09:59:49.692440389Z, End: 2024-12-03T09:59:49.692547850Z, Duration: 00:00:00.000
    Load UCFGs: Begin: 2024-12-03T09:59:49.692597794Z, End: 2024-12-03T09:59:49.692622299Z, Duration: 00:00:00.000
09:59:49.727 INFO  js security sensor peak memory: 565 MB
09:59:49.727 INFO  Sensor JsSecuritySensor [security] (done) | time=4ms
09:59:49.728 INFO  ------------- Run sensors on project
09:59:49.831 INFO  Sensor Zero Coverage Sensor
09:59:50.079 INFO  Sensor Zero Coverage Sensor (done) | time=248ms
09:59:50.206 INFO  SCM Publisher SCM provider for this project is: git
09:59:50.207 INFO  SCM Publisher 116 source files to be analyzed
09:59:55.958 INFO  SCM Publisher 116/116 source files have been analyzed (done) | time=5752ms
09:59:56.083 INFO  CPD Executor 290 files had no CPD blocks
09:59:56.084 INFO  CPD Executor Calculating CPD for 1823 files
09:59:56.394 INFO  CPD Executor CPD calculation finished (done) | time=311ms
09:59:57.230 INFO  Analysis report generated in 542ms, dir size=7 MB
10:00:02.259 INFO  Analysis report compressed in 5029ms, zip size=5 MB
10:00:03.226 INFO  Analysis report uploaded in 967ms
10:00:03.229 INFO  ANALYSIS SUCCESSFUL, you can find the results at: https://sonarcloud.io/dashboard?id=projectKey&branch=master
10:00:03.230 INFO  Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
10:00:03.231 INFO  More about the report processing at https://sonarcloud.io/api/ce/task?id=AZOL9mzrVpzu8ZlzAwIk
10:00:05.786 INFO  Sensor cache published successfully
10:00:06.369 INFO  Analysis total time: 1:49.633 s
10:00:06.370 INFO  SonarScanner Engine completed successfully
10:00:06.706 INFO  EXECUTION SUCCESS
10:00:06.708 INFO  Total time: 1:58.911s

And as a side note, the sonarqube-scan-action is mentioned as deprecated and the sonarqube-scan-action is recommended to be used. But on your official documentation the examples still use the sonarqube-scan-action. You should update the documentation.

Hi,

Does this number seem about right to you?

Versus 116 files with SCM metadata?

Is it possible that files are being generated into these directories?

 
Ann

Hi Ann,

Yes, I’ve installed in PhpStorm a plugin called Statistic and these are the numbers of files from the two directories, models and controllers.

I don’t know what SCM metadata is and what that number of 116 files represents. Can you give me more details about this?

When the build is run, no data is generated inside these two directories.

When using the SonarScanner CLI, I’ve also used the debug parameter in the command line and it generated a debug with over 8k lines. Will this help if I send it privately to you?

Hi,

SCM (source control management) metadata is created when you check files in/out of source control, Git / GitHub in your case. So it’s strange that in a project with 2113 files, only 116 were checked out of GitHub. Nearly 2k files… “appeared” in the project between checkout and analysis. Where did they come from if they weren’t generated?

Going back to your initial post,

How big was this PR?

 
Ann

Hi,

Like I’ve said above, I’ve installed a plugin that counts files inside the application/controllers and application/models. The count is done on the project cloned on my PC, so this is the real number of files that we have in these two folders. No other files are generated at any time in these folders.
Below you have the proof with the files counted by the Statistic plugin for the application/controllers and application/models folder.


And like I’ve also mentioned above, the same output is given if I run the analysis from the command line using the SonarScanner CLI command: sonar-scanner -Dsonar.organization=organization_name -Dsonar.projectKey=project_key -Dsonar.token=scan_token

And from what I read here and here, the SCM metadata is used for various features. The actual checkout of the files is made by the checkout@v4 action as I wrote in the first post:

jobs:
  sonarcloud:
    name: SonarCloud
    runs-on: ubuntu-latest
    environment: ${{ github.ref_name }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis

Hi,

I’m just trying to figure out where the extra lines came from. You say you’re at 198,311 lines of code, and after merge the branch is coming in at 201,022. On the one hand, that’s only 2,711 lines of code. You were already bumping up to almost the limit of your license. On the other hand, a 2.7k LOC PR seems like a lot.

Without access to your systems, and an otherwise-normal-looking analysis log… there’s not much else I can do here.

The inclusions seem to be working as designed:

So I guess you’re going to have to take a closer look at that PR.

 
HTH,
Ann

Hi Ann,

I’ve used the git log command and took a look at all of our projects that we have on SonarCloud and found out that during the period when the first code analysis failed, a lot of code was added on multiple projects, which seems to be the reason why the LOC limit has been reached.

git log --since="2024-11-21" --until="2024-11-29" --pretty=tformat: --numstat application/models application/controllers | awk '{added += $1; deleted += $2} END {print "Added lines: " added "\nDeleted lines: " deleted "\nTotal added lines: " added - deleted}'

Thank you for your support!

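An added example, not part of the original thread: the `git log --numstat` tally from the last post, extended to break the churn down per included directory and to skip binary files, whose numstat counts are `-`. The function names `numstat_totals`, `loc_delta` and `sample_numstat` and the sample file names are made up for illustration; the figures are git line churn, not SonarCloud's own LOC count.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): per-directory line churn from git numstat.

# numstat_totals PREFIX...
# Reads numstat lines ("added<TAB>deleted<TAB>path") on stdin and prints
# "prefix added=N deleted=N net=N" for each prefix, followed by a TOTAL line.
# Assumption: prefixes contain no whitespace and end with "/" so that
# "application/models/" does not also match "application/models_old/".
numstat_totals() {
    awk -F'\t' -v prefixes="$*" '
        BEGIN { n = split(prefixes, want, " ") }
        NF < 3 { next }                            # blank separators between commits
        $1 == "-" || $2 == "-" { binary++; next }  # binary files carry no line counts
        {
            for (i = 1; i <= n; i++) {
                if (index($3, want[i]) == 1) {     # path starts with this prefix
                    added[want[i]] += $1
                    deleted[want[i]] += $2
                    break
                }
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                p = want[i]
                printf "%s added=%d deleted=%d net=%d\n", p, added[p], deleted[p], added[p] - deleted[p]
                ta += added[p]; td += deleted[p]
            }
            printf "TOTAL added=%d deleted=%d net=%d binary_skipped=%d\n", ta, td, ta - td, binary
        }'
}

# loc_delta FROM TO PREFIX...
# Runs the tally against the repository in the current directory.
# --no-renames keeps renamed files as plain add/delete pairs with ordinary paths.
loc_delta() {
    from=$1; to=$2; shift 2
    git log --since="$from" --until="$to" --no-renames \
        --pretty=tformat: --numstat -- "$@" | numstat_totals "$@"
}

# Constructed sample input standing in for real `git log --numstat` output.
sample_numstat() {
    printf '12\t3\tapplication/models/User.php\n'
    printf '\n'
    printf '40\t0\tapplication/controllers/Login.php\n'
    printf -- '-\t-\tapplication/models/logo.png\n'
    printf '5\t9\tapplication/models/Order.php\n'
    printf '100\t0\tapplication/views/home.php\n'
}

sample_numstat | numstat_totals application/models/ application/controllers/
```

In a real checkout, `loc_delta 2024-11-21 2024-11-29 application/models/ application/controllers/` would be run once per project bound to the organization, since the limit in the error message is organization-wide.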