Simulating UCFGs for Kotlin takes an extremely long time

We have a Kotlin codebase that is having trouble with our scans. The UCFGs simulated step appears to hang. This used to take around 3 minutes but now our CI jobs time out after an hour. I did run the scan locally on my Mac and it took 29 minutes for the Kotlin taint analysis to finish. I’ve tried running with mvn -X and other log settings but there is nothing obvious in the output.

System Information

  • SonarQube Server - v2026.1
  • SonarQube Maven Plugin - 5.0.0.4389
  • Kotlin

Portion of output before the problem.

[INFO] Retained UCFGs : 5689
[DEBUG] Slice call graph: Time spent was 00:00:00.046
[DEBUG] Live variable analysis: Starting
[DEBUG] Live variable analysis: Time spent was 00:00:00.065
[DEBUG] Taint analysis for kotlin: Starting
[INFO] 0 / 5689 UCFGs simulated, memory usage: 1810 MB
Scanner Hangs here

Hi,

Could we have this log, redacted as necessary?

 
Thx,
Ann

Hi @ganncamp,

Here is the log, let me know if you need anything else!

debug.log (12.4 MB)

Hi,

Thanks for the log! I’ve flagged this for the experts. They’re likely to ask you for the UCFGs.

 
Ann

Hey @Donald_Renner,

thanks for reporting this :folded_hands:.

As @ganncamp already said, we will need the UCFGs to be able to investigate the issue unless this is a public project. They can be found in <projectDir>/build/sonar/ucfg2. Feel free to share them here, or privately with me. If you want to share privately, let me know and I will open a private thread.

> This used to take around 3 minutes but now our CI jobs time out after an hour.

Thanks for sharing the information about your current system in advance. Can you also remember and tell us which version you were using before the analysis time increase?

Looking forward to more information! :slightly_smiling_face:

Cheers
Felix

Hi @felix.pauck,

I have them ready to go!

ucfg2.zip (5.8 MB)

Hey @Donald_Renner,

thanks for sharing the UCFGs! :+1:

This morning, I attempted to reproduce the issue and reproduction was successful :white_check_mark:, i.e., I could observe the same seemingly “hanging” analysis. I will look deeper into it and keep you updated.

Regarding the

[DEBUG] Found 2 PASSTHROUGH specifications for method ‘java.util.HashMap#values()Ljava/util/Collection;’ while expecting a single one.

messages in the log, I already created a ticket to fix this.

Cheers
Felix

Hey @Donald_Renner,

we found what is causing the issue and created a ticket to fix it.
Thanks again for reporting the issue! :slightly_smiling_face:

The analysis is indeed “hanging” as it takes the majority of time to analyze one statement. Until the fix is implemented and available, the only workaround I can offer is to exclude StartApplyFlowOperations from the analysis (e.g., by setting sonar.exclusions=**/StartApplyFlowOperations.*).

Cheers
Felix

Thanks @felix.pauck! That worked, please let me know when you have a fix.

Hey @Donald_Renner,

the fix has been implemented and will be made available with the next release. :blush:

Cheers
Felix