Slow scan due to security rules check

Hi,
We have a really slow scan due to the security rules check (“Reading UCFGs” takes ten minutes) with SonarScanner run from PowerShell:

dotnet ########################\SonarScanner.MSBuild.dll end /d:sonar.login="$token"
... blablabla ....
21:10:08   INFO: Sensor CSharpSecuritySensor [security]
21:10:08   INFO: Enabled taint analysis rules: S2076, S2078, S2083, S2091, S2631, S3649, S5131, S5135, S5144, S5145, S5146, S5334, S5883, S6096, S6173, S6287, S6350, S6399, S6639, S6641
21:10:08   INFO: Load type hierarchy and UCFGs: Starting
21:10:08   INFO: Load type hierarchy: Starting
21:10:08   INFO: Reading type hierarchy from: ########################\.sonarqube\out\ucfg2\cs
21:10:36   INFO: Read 7470 type definitions
21:10:36   INFO: Load type hierarchy: Time spent was 00:00:28.632
21:10:36   INFO: Load UCFGs: Starting
21:10:36   INFO: Reading UCFGs from: ########################\.sonarqube\out\ucfg2\cs
21:16:39   INFO: Load UCFGs: Time spent was 00:06:02.808
21:16:39   INFO: Load type hierarchy and UCFGs: Time spent was 00:06:31.441
21:16:39   INFO: Analyzing 23833 UCFGs to detect vulnerabilities.
... blablabla ....

Configuration:
sonar-scanner-5.0.1.3006
SonarScanner for MSBuild 6.2
Using the .NET Core version of the Scanner for MSBuild
Windows Server 2022 10.0 amd64

It seems a lot of people have had this issue at some point (e.g. https://community.sonarsource.com/t/very-slow-performance-analyzing-c-builds-how-can-i-diagnose-it/43271/7).

Would you mind telling us if there is something to be done about it?
Do we have some kind of “off” switch in the SonarScanner plugin to stop this analysis? (And do it manually.)

Thanks for your help.

Hey there.

What version of SonarQube are you using? This info should be found in the footer of your SonarQube instance.

Hi,
We use:

  • Developer Edition
  • Version 10.4.1 (build 88267)

Hello,

Many thanks for your message.

IO timings

Indeed, those reading times look quite bad given today's disk performance.
Do you have an antivirus scan activated, maybe? Those can slow down IO a lot when dealing with such file amounts.
If yes, could you try to exclude the .sonarqube\out folder from live file scan analysis?
If not, maybe it could be worth ensuring the files are stored on an SSD drive.

Off switch

If you really want to skip the security scan, you can create a profile with the “taint rules” disabled.
The rule keys are in this log line:

Enabled taint analysis rules: S2076, S2078, S2083, S2091, S2631, S3649, S5131, S5135, S5144, S5145, S5146, S5334, S5883, S6096, S6173, S6287, S6350, S6399, S6639, S6641

You can then choose to switch the project profile back when running a manual analysis.

I hope this will help.

Please let us know if you manage to improve your build times.

Thanks,

Renaud
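A way to check the antivirus hypothesis from the reply above before changing anything, as an added example that is not part of the thread and not SonarSource tooling. It assumes Microsoft Defender (other products have their own admin cmdlets), an elevated PowerShell session for `Add-MpPreference`, and that the scanner's work folder is `.sonarqube\out` under the current directory; it times a raw read of that folder so the result can be compared before and after the exclusion.

```powershell
# Added example (not from the thread): measure how long a plain read of the
# .sonarqube\out folder takes, check whether Defender real-time scanning is on,
# and optionally add a narrow path exclusion for that folder only.
param(
    [string]$OutDir = (Join-Path (Get-Location) '.sonarqube\out'),  # assumption
    [switch]$Apply                                                  # dry run by default
)

if (-not (Test-Path $OutDir)) {
    throw "Scanner output folder not found: $OutDir (run the scanner 'begin'/build first)"
}

# Baseline: read every file once, the same IO pattern as 'Reading UCFGs'.
$files = Get-ChildItem -Path $OutDir -Recurse -File
$elapsed = Measure-Command {
    foreach ($f in $files) { [void][System.IO.File]::ReadAllBytes($f.FullName) }
}
Write-Host ("Read {0} files ({1:N1} MB) in {2:N1} s" -f $files.Count,
    (($files | Measure-Object Length -Sum).Sum / 1MB), $elapsed.TotalSeconds)

# Is real-time protection even active? If not, antivirus is not the cause.
$status = Get-MpComputerStatus
if (-not $status.RealTimeProtectionEnabled) {
    Write-Host 'Defender real-time protection is disabled; look at disk type (SSD?) instead.'
    return
}

# Already excluded? Defender stores exclusions as literal path strings.
$excluded = (Get-MpPreference).ExclusionPath
if ($excluded -contains $OutDir) {
    Write-Host "$OutDir is already excluded from real-time scanning."
    return
}

if ($Apply) {
    # Exclude only the scanner's temporary folder, never the whole repository
    # or build tree, so the rest of the build output stays covered.
    Add-MpPreference -ExclusionPath $OutDir
    Write-Host "Excluded $OutDir from real-time scanning; re-run this script to compare timings."
} else {
    Write-Host "Real-time protection is on and $OutDir is not excluded. Re-run with -Apply to exclude it."
}
```

Run it once for a baseline, once more with `-Apply`, and a third time to see whether the read time drops; if it does not, the antivirus is not the bottleneck and the SSD advice from the reply is the next thing to check.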