We have a Kotlin codebase that is having trouble with our scans. The "UCFGs simulated" step appears to hang. This used to take around 3 minutes but now our CI jobs time out after an hour. I did run the scan locally on my Mac and it took 29 minutes for the Kotlin taint analysis to finish. I've tried running with mvn -X and other log settings but there is nothing obvious in the output.
System Information
Sonarqube Server - v2026.1
Sonarqube Maven Plugin - 5.0.0.4389
Kotlin
Portion of output before the problem.
[INFO] Retained UCFGs : 5689
[DEBUG] Slice call graph: Time spent was 00:00:00.046
[DEBUG] Live variable analysis: Starting
[DEBUG] Live variable analysis: Time spent was 00:00:00.065
[DEBUG] Taint analysis for kotlin: Starting
[INFO] 0 / 5689 UCFGs simulated, memory usage: 1810 MB
Scanner hangs here.
The issue Donald Renner is describing is a known performance bottleneck in the SonarQube Taint Analysis engine when processing large Kotlin projects. The “Simulating UCFGs” (Universal Control Flow Graphs) step is the most computationally expensive part of a security scan because it maps every possible data path to find vulnerabilities like SQL injection.
As @ganncamp already said, we will need the UCFGs to be able to investigate the issue unless this is a public project. They can be found in <projectDir>/build/sonar/ucfg2. Feel free to share them here, or privately with me. If you want to share privately, let me know and I will open a private thread.
This used to take around 3 minutes but now our CI jobs timeout after an hour.
Thanks for sharing the information about your current system in advance. Can you also remember and tell us which version you were using before the analysis time increase?