Hi Renaud,
We have tried running from 2g to 8g; it only succeeded at 8g.
I am attaching the logs for the following.
WebCTRL_SR24_Integration_38.log (16.1 KB)
Regards,
Altaf
Hi Altaf,
thanks for the logs.
From what I see, there is no bug in the sonar-security analyser:
- Your project seems to be quite big (more than 100k lines of code?)
- Taint analysis itself is done in 5min with a peak memory usage of approx 8g.
- Putting more memory will not help much here, you may want to try using 12g, but I guess you will not gain much time.
One of the “slow” timings is the one used to “load ucfgs files”; more than 10 minutes are spent on this task, and the usual timings for such a task, even for large projects, are counted in seconds.
My guess is that you have an anti-virus program with on-access analysis enabled, or maybe a slow I/O disk.
I can recommend to:
- if relevant, add an exclusion on the on-scan analysis for the ./sonar folder
- ensure that your working folder is on an SSD-like disk, to speed up small file access.
Regarding the rules, you can enable “S2076, S2078, S2091, S3649, S5135, S5145, S5334, S6096” back. It should have a low impact on performance and provide better security feedback.
On the other hand, if the situation is critical and you choose to disable all taint rules, you also need to disable “S2083, S2631, S5131, S5144, S5146, S5167” to have an impact and skip the java code taint analysis, but I recommend investigating the I/O issue first.
Regards,
Renaud