Sonar-scanner CLI takes huge time to import SARIF reports

Importing external issues from sarif reports via sonar-scanner cli is taking close to 4 hours and doesn’t seem reasonable. Below are the details and logs. Could somebody throw light on this?

  • SONAR SCANNER CLI VERSION: 4.8.0.2856
  • how is SonarQube deployed: zip
  • Trying to import SARIF reports with sonar-scanner
  • Configured sonar.sarifReportPaths = [list of comma separated sarif reports already prepared]

Note: All the logs below with the name report_sonar.sarif are from different folders; the folder names have been removed to shorten the log text.
Logs:

INFO: Sensor Import external issues report from SARIF file.
report_sonar.sarif: successfully imported 745 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 142 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 1784 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 783 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 989 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 10684 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 87 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 902 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 555 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 255 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 90 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 46 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 65 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 4967 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 4226 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 966 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 2875 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 646 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 73 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 695 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 542 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 3645 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 161 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 661 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 14 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 722 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 2171 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 4182 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 192 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 1815 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 403 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 14896 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 935 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 62 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 1796 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 71 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 28 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 11 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 83 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 134 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 4286 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 603 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 1022 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 80 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 17789 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 658 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 3150 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 269 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 170 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 1183 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 128 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 117 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 512 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 3141 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 2728 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 1180 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 1572 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 1486 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 210 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 384 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 2251 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 7155 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 46589 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 2518 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 720 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 414 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 70 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 161 vulnerabilities spread in 1 runs. 0 failed run(s).
INFO: Sensor Import external issues report from SARIF file. (done) | time=14408132ms

Hi,

By my math, importing the SARIF reports took four hours. Yes, that’s a long time. But also by my math, in that period analysis processed 68 reports with a total of 164,645 issues.

And in that context, 4h doesn’t seem long at all.

Would you mind sharing your use case for this massive, massive import?

Thx,
Ann
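
To check Ann's arithmetic and to see where the import time actually goes, here is a small log parser added to this thread (it is not part of the original posts and not SonarSource code). It reads sensor lines in the shape quoted above, sums the per-report counts, reads the `time=...ms` from the `(done)` line and lists the reports that contribute most. The three log lines embedded below are constructed from the thread as a sample; run over all 68 quoted lines the same functions give 68 reports, 164,645 issues and 14,408,132 ms, i.e. Ann's four hours and roughly 11 issues imported per second.

```python
import re

# Constructed sample: three of the sensor lines quoted in the thread plus the (done) line.
SAMPLE_LOG = """\
INFO: Sensor Import external issues report from SARIF file.
report_sonar.sarif: successfully imported 745 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 10684 vulnerabilities spread in 1 runs. 0 failed run(s).
report_sonar.sarif: successfully imported 46589 vulnerabilities spread in 1 runs. 0 failed run(s).
INFO: Sensor Import external issues report from SARIF file. (done) | time=14408132ms
"""

# One per-report line; the name is non-greedy so paths containing spaces still match.
REPORT_RE = re.compile(
    r"^(?P<name>.+?): successfully imported (?P<issues>\d+) vulnerabilities "
    r"spread in (?P<runs>\d+) runs\. (?P<failed>\d+) failed run\(s\)\.$"
)
# The sensor's closing line carries the total wall-clock time in milliseconds.
DONE_RE = re.compile(r"\(done\) \| time=(?P<ms>\d+)ms$")


def parse_sensor_log(text):
    """Return (list of per-report dicts, elapsed_ms or None) for one sensor block."""
    reports = []
    elapsed_ms = None
    for index, line in enumerate(text.splitlines()):
        m = REPORT_RE.match(line.strip())
        if m:
            reports.append({
                "index": index,
                "name": m["name"],
                "issues": int(m["issues"]),
                "runs": int(m["runs"]),
                "failed": int(m["failed"]),
            })
            continue
        m = DONE_RE.search(line)
        if m:
            elapsed_ms = int(m["ms"])
    return reports, elapsed_ms


def summarize(reports, elapsed_ms, top=3):
    """Aggregate counts, throughput and the `top` largest reports with their share of the total."""
    total = sum(r["issues"] for r in reports)
    largest = sorted(reports, key=lambda r: r["issues"], reverse=True)[:top]
    seconds = elapsed_ms / 1000 if elapsed_ms else None
    return {
        "report_count": len(reports),
        "total_issues": total,
        "failed_runs": sum(r["failed"] for r in reports),
        "elapsed_hours": round(seconds / 3600, 2) if seconds else None,
        "issues_per_second": round(total / seconds, 1) if seconds else None,
        # (line index, name, issue count, percent of all imported issues)
        "largest": [(r["index"], r["name"], r["issues"], round(100 * r["issues"] / total, 1))
                    for r in largest] if total else [],
    }


if __name__ == "__main__":
    reports, ms = parse_sensor_log(SAMPLE_LOG)
    print(summarize(reports, ms))
```

Paste the real scanner output into `SAMPLE_LOG` (or read it from a file) to get the same breakdown for your own run; the `largest` list is the useful part, because a single report of 46,589 issues is a different problem from 68 reports of a few hundred each.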

Yes, the use case here is that I want to import the SARIF reports that were analyzed and prepared by an external tool. Also, what analysis is being run on the SARIF? Isn’t it supposed to just import these as they come from the external tool?

Hi,

No analysis is being run on the SARIF reports. They’re simply being imported. And analysis duration is always dependent on the size and complexity of your project.

Would you mind sharing the size of your project in terms of files or lines of code? Also, why are there so many different reports for a single project?

Ann

It’s a monorepo consisting of multiple interdependent projects clubbed into one. Each project in the monorepo has its own SARIF report.

Approx LOC of monorepo is 382k

Hi,

Thanks for sharing your project size.

Best practice would have you analyze each project in the monorepo independently, and thus import those SARIF reports one (or a few) at a time.

Ann
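
One way to act on that advice is to inventory each report before handing it to the scanner and group reports into per-analysis batches. The script below is an added example, not code from this thread or from SonarSource. It assumes only the SARIF 2.1.0 layout (`runs[]`, each with a `results[]` list), treats a run without a `results` list as unreadable (an assumption about what the sensor's "failed run(s)" counter means; the thread does not define it), and uses a hypothetical issue budget of 12,000 per analysis. The four sample reports and their counts are constructed to mirror numbers from the log above.

```python
import json


def make_sarif(tool_name, *run_result_counts):
    """Build a minimal SARIF 2.1.0 document; a count of None yields a run with no results list."""
    runs = []
    for n in run_result_counts:
        run = {"tool": {"driver": {"name": tool_name}}}
        if n is not None:
            run["results"] = [
                {"ruleId": f"rule-{i}", "level": "warning", "message": {"text": "constructed finding"}}
                for i in range(n)
            ]
        runs.append(run)
    return {"version": "2.1.0", "runs": runs}


# Constructed sample: four per-project reports as JSON text, as they would be read from disk.
SAMPLE_FILES = {
    "svc-a/report_sonar.sarif": json.dumps(make_sarif("toolX", 745)),
    "svc-b/report_sonar.sarif": json.dumps(make_sarif("toolX", 10684)),
    "svc-c/report_sonar.sarif": json.dumps(make_sarif("toolX", 46589, None)),  # second run unreadable
    "svc-d/report_sonar.sarif": json.dumps(make_sarif("toolX", 87)),
}


def inventory(sarif_text):
    """Count runs, unreadable runs and results in one report, the way the sensor's log line summarises them."""
    doc = json.loads(sarif_text)
    ok = failed = issues = 0
    for run in doc.get("runs", []):
        results = run.get("results")
        if isinstance(results, list):
            ok += 1
            issues += len(results)
        else:
            failed += 1  # assumption: this is what the sensor reports as a failed run
    return {"runs": ok, "failed": failed, "issues": issues}


def plan_batches(issue_counts, budget):
    """First-fit-decreasing grouping of reports into analyses of at most `budget` issues.

    A report larger than the budget gets an analysis of its own; it is the one to split
    upstream (per project, as recommended) rather than to import alongside others."""
    batches = []  # each entry: [remaining capacity, [report paths]]
    for path, n in sorted(issue_counts.items(), key=lambda kv: kv[1], reverse=True):
        for batch in batches:
            if batch[0] >= n:
                batch[0] -= n
                batch[1].append(path)
                break
        else:
            batches.append([budget - n, [path]])
    return [paths for _, paths in batches]


def sarif_report_paths(batch):
    """Value for sonar.sarifReportPaths: the reports of one batch, comma separated."""
    return ",".join(batch)


if __name__ == "__main__":
    inv = {path: inventory(text) for path, text in SAMPLE_FILES.items()}
    for path, counts in inv.items():
        print(f"{path}: {counts}")
    for i, batch in enumerate(plan_batches({p: c["issues"] for p, c in inv.items()}, budget=12000), 1):
        print(f"analysis {i}: sonar.sarifReportPaths={sarif_report_paths(batch)}")
```

Each batch then becomes one scanner invocation with its own `sonar.sarifReportPaths` value, which is what Ann's "one (or a few) at a time" amounts to in practice; the budget is a knob to tune against your own import times, not a SonarQube setting.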