Since upgrading our on-prem SonarQube instance from 7.9 LTS to 8.4.2 we have encountered an issue with significantly increased build times for one of our C# .NET 4.5.2 projects.
We are using the SonarScanner for MSBuild 4.10 and the project in question is 43K LOC.
Under 7.9 the total build time for the project was < 3m, but since updating to 8.4 the build time has increased to around 20m. By adding the /p:reportanalyzer=true option we can see that the bulk of the increase in build time is down to the SonarAnalyzer.Security analyzer (over 18m - see attached log).
I have also tested the project using our test instance which is on SonarQube 8.5 and the build time remains the same.
Does this point to a genuine issue with the analyzer or is it potentially just a result of the changes from 7.9 to 8.x? Is there anything else we can do to help further diagnose the issue?
Hi @Sam_Anthonisz and thanks a lot for reporting this problem.
I see the core of the time happens in the UcfgGenerator
| Time (s) | % | Analyzer |
|---|---|---|
| 1089.486 | 70 | SonarAnalyzer.Security, Version=8.5.0.4829, Culture=neutral, PublicKeyToken=null |
| 1089.486 | 70 | SonarAnalyzer.Security.CSharp.UcfgGenerator |
The UCFG files are an abstraction of the source code (the Control Flow Graph) which we use to detect injection vulnerabilities. Normally, the generation of the UCFG files shouldn’t take that much to generate. We’ve seen it can take 10% to 30% of the total analysis time, but not 70%!
I’d be really interested to find out what’s special about your project, I will send you a private message to discuss further away from public eyes.
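The triage in the reply above (reading the /p:reportanalyzer=true summary and noticing that one analyzer takes far more than the 10% to 30% share that is normal for UCFG generation) can be turned into a small check that ranks analyzers and flags outliers. The script below is an added example, not part of this thread or of SonarSource's tooling. It assumes only the three-column layout quoted in the reply (time in seconds, percentage, analyzer name); the sample report, the 30% threshold and the `hotspots` / `parse_report` helper names are constructed for illustration, and the rule that a row containing `Version=` is an assembly total rather than an individual analyzer is an assumption based on the two rows shown.

```python
"""Rank analyzers from an MSBuild /p:reportanalyzer=true summary and flag outliers.

Added example (not from the thread or SonarSource). Assumes the three-column
layout quoted in the thread; lines that do not match that layout are skipped.
"""
import re
from typing import List, NamedTuple


class AnalyzerTiming(NamedTuple):
    seconds: float
    percent: int
    name: str


# Constructed sample modelled on the two rows quoted in the thread; the other
# rows and the total line are made up to give the ranking something to sort.
SAMPLE_REPORT = """\
Total analyzer execution time: 1556.4 seconds.
Time (s) % Analyzer
1089.486 70 SonarAnalyzer.Security, Version=8.5.0.4829, Culture=neutral, PublicKeyToken=null
1089.486 70 SonarAnalyzer.Security.CSharp.UcfgGenerator
 310.2 20 SonarAnalyzer.CSharp, Version=8.5.0.4829, Culture=neutral, PublicKeyToken=null
 155.1 10 Microsoft.CodeAnalysis.NetAnalyzers
"""

# A data row: seconds, whole-number percent, then the analyzer or assembly name.
ROW = re.compile(r"^\s*(\d+(?:\.\d+)?)\s+(\d+)\s+(\S.*?)\s*$")


def parse_report(text: str) -> List[AnalyzerTiming]:
    """Extract every timing row; header and summary lines do not match ROW."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append(AnalyzerTiming(float(m.group(1)), int(m.group(2)), m.group(3)))
    return rows


def is_assembly_row(row: AnalyzerTiming) -> bool:
    """Assumption: assembly totals carry a full assembly name ('Version=...'),
    while per-analyzer rows carry a plain type name."""
    return "Version=" in row.name


def hotspots(rows: List[AnalyzerTiming], max_share: int = 30) -> List[AnalyzerTiming]:
    """Per-analyzer rows whose share exceeds max_share percent, slowest first.

    30% is the upper end of the range the thread describes as normal for
    UCFG generation, so anything above it deserves a closer look.
    """
    return sorted(
        (r for r in rows if not is_assembly_row(r) and r.percent > max_share),
        key=lambda r: r.seconds,
        reverse=True,
    )


if __name__ == "__main__":
    for r in hotspots(parse_report(SAMPLE_REPORT)):
        print(f"{r.seconds:>10.3f}s {r.percent:>3}%  {r.name}")
```

On the sample, only `SonarAnalyzer.Security.CSharp.UcfgGenerator` is reported, which is exactly the row the reply singled out; running the same check on the reportanalyzer output of each build gives a quick before/after comparison when a scanner or SonarQube upgrade changes build times.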
Public update: we found the bug in the UCFG generation. In case of very large classes, the UCFG generation was behaving particularly badly in terms of performance. We’ve fixed that.
The fix will be deployed on :sonarcloud: this week and released with SonarQube 8.6.