Sonar scanner has started to take too much time to run analysis

  • Versions used
    SonarQube Scanner 4.0.0.1744
  • Error observed
INFO: rule: S5334, entrypoints: 405
INFO: Running symbolic analysis
INFO: rule: S5334 done
INFO: rule: S2083, entrypoints: 405
INFO: Running symbolic analysis
INFO: rule: S2083 done
INFO: rule: S5147, entrypoints: 405
INFO: Running symbolic analysis
INFO: rule: S5147 done
INFO: rule: S5131, entrypoints: 405
INFO: Running symbolic analysis
INFO: rule: S5131 done
INFO: rule: S2631, entrypoints: 405
INFO: Running symbolic analysis
INFO: rule: S2631 done
INFO: rule: S3649, entrypoints: 405
INFO: Running symbolic analysis
INFO: rule: S3649 done
INFO: rule: S6096, entrypoints: 405
INFO: Running symbolic analysis
INFO: rule: S6096 done
INFO: Sensor JsSecuritySensor [security] (done) | time=1344010ms
INFO: ------------- Run sensors on project
INFO: Sensor Zero Coverage Sensor
INFO: Sensor Zero Coverage Sensor (done) | time=8ms
INFO: CPD Executor 25 files had no CPD blocks
INFO: CPD Executor Calculating CPD for 379 files
INFO: CPD Executor CPD calculation finished (done) | time=162ms
INFO: Analysis report generated in 318ms, dir size=4 MB
INFO: Analysis report compressed in 1533ms, zip size=1 MB
INFO: Analysis report uploaded in 1383ms
INFO: ANALYSIS SUCCESSFUL, you can find the results at: https://sonarcloud.io/dashboard?id=XXXXXXX&branch=development
INFO: Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
INFO: More about the report processing at https://sonarcloud.io/api/ce/task?id=XXXXXX
INFO: Analysis total time: 23:32.269 s
  • Steps to reproduce: sonar scan

  • Potential workaround - NA

  • Scanner command used when applicable (private details masked): sonar-scanner -Dsonar.login=$SONAR_TOKEN

  • In case of SonarCloud:

    • ALM used (Bitbucket Cloud)
    • CI system used (Bitbucket Cloud)

It took 23m 40s to complete the Sonar analysis, which is too high, as earlier it was around 1 minute.
using SonarScanner | SonarQube Docs

Hi,

Is this a SonarQube or SonarCloud analysis? And if the former, what’s your version of SonarQube?

What language are we talking about? And approximately how big is your project?

Ann

This is the SonarCloud analysis, using the sonar-scanner command in the Bitbucket pipelines.

On using the sonar-scanner option, this gets printed in the console:
SonarQube Scanner 4.0.0.1744

+ sonar-scanner -Dsonar.login=$SONAR_TOKEN
[12:51:28] Starting SonarQube analysis...
[12:51:28] Checking if executable exists: /root/.sonar/native-sonar-scanner/sonar-scanner-4.0.0.1744-linux/bin/sonar-scanner
[12:51:28] Platform binaries for SonarQube scanner found. Using it.
INFO: Scanner configuration file: /root/.sonar/native-sonar-scanner/sonar-scanner-4.0.0.1744-linux/conf/sonar-scanner.properties
INFO: Project root configuration file: /opt/atlassian/pipelines/agent/build/sonar-project.properties
INFO: SonarQube Scanner 4.0.0.1744
INFO: Java 11.0.3 AdoptOpenJDK (64-bit)
INFO: Linux 5.4.92-flatcar amd64
INFO: Bitbucket Cloud Pipelines detected
INFO: User cache: /root/.sonar/cache
INFO: SonarQube server 8.8.0
INFO: Default locale: "en_US", source code encoding: "US-ASCII" (analysis is platform dependent)
INFO: Load global settings
INFO: Load global settings (done) | time=569ms
INFO: Server id: 1BD809FA-AWHW8ct9-T_TB3XqouNu
INFO: User cache: /root/.sonar/cache
INFO: Load/download plugins
INFO: Load plugins index
INFO: Load plugins index (done) | time=144ms
INFO: Load/download plugins (done) | time=3333ms
INFO: Loaded core extensions: developer-scanner
INFO: JavaScript/TypeScript frontend is enabled
INFO: Found an active CI vendor: 'Bitbucket Pipelines'

Lines of Code: 37k
language:JavaScript

Apparently it gets stuck for a while on

Running symbolic analysis

The situation has got worse: build time limit exceeded!

On further observation it is found that it is the JS security sensor which has started to take forever:

INFO: Running symbolic analysis
INFO: rule: S6096 done
INFO: Sensor JsSecuritySensor [security] (done) | time=1344010ms
INFO: ------------- Run sensors on project

We’re also affected by this. Scan now takes more than two hours (timeouts), where it only took 5-6min before.
After disabling following rules, the scan time is back to normal:

  • jssecurity:S6105
  • jssecurity:S5696
  • jssecurity:S5334
  • jssecurity:S2083
  • jssecurity:S5146
  • jssecurity:S5147
  • jssecurity:S5883
  • jssecurity:S2076
  • jssecurity:S5131
  • jssecurity:S2631
  • jssecurity:S5144
  • jssecurity:S3649
  • jssecurity:S6096

Looking at the console output, it is scanning 3006 entrypoints for each rule.

Some info about the scan, run by sonarsource/sonar-scanner-cli:latest:

    INFO: SonarScanner 4.6.1.2450
    INFO: Java 11.0.11 AdoptOpenJDK (64-bit)
    INFO: Linux 4.15.0-1044-aws amd64
    INFO: Analyzing on SonarQube server 8.8.0

Hey everyone. Thank you for sharing this problem! From the logs that have been posted where the used SonarQube version is visible, it seems like you are using SonarQube 8.8.

We released SonarQube 8.9 (LTS) yesterday. Among many other things, this version fixes some performance problems with the security analyzer in version 8.8. Could you please upgrade and let us know if this fixes your problem?


Hi @Malte, can you please guide how to upgrade this? Since we are running this on SonarCloud (SonarScanner pipe), the SonarQube version is not available to change, as far as I know. I am not aware of such an option. Please let me know if possible.

Hi @krreet , if you are running on SonarCloud, you should have been upgraded to 8.9 already. :slight_smile: Are you still experiencing the same performance problems? If so, can you please post the complete log that is output to the console when you use sonar-scanner?

Hi @Malte,
Yes, we are experiencing the same issue while using

  1. sonar-scanner CLI for SonarCloud in Bitbucket pipelines
    OR
  2. pipe: sonarsource/sonarcloud-scan:1.2.1

Here is the complete log from using the pipe sonarsource/sonarcloud-scan:1.2.1.
FYI, disabling a few rules related to the JS security sensor (which gets stuck on "Running symbolic analysis") worked, and the Sonar scan completes in 2 minutes.

+ docker container run \
   --volume=/opt/atlassian/pipelines/agent/build:/opt/atlassian/pipelines/agent/build \
   --volume=/opt/atlassian/pipelines/agent/ssh:/opt/atlassian/pipelines/agent/ssh:ro \
   --volume=/usr/local/bin/docker:/usr/local/bin/docker:ro \
   --volume=/opt/atlassian/pipelines/agent/build/.bitbucket/pipelines/generated/pipeline/pipes:/opt/atlassian/pipelines/agent/build/.bitbucket/pipelines/generated/pipeline/pipes \
   --volume=/opt/atlassian/pipelines/agent/build/.bitbucket/pipelines/generated/pipeline/pipes/sonarsource/sonarcloud-scan:/opt/atlassian/pipelines/agent/build/.bitbucket/pipelines/generated/pipeline/pipes/sonarsource/sonarcloud-scan \
   --workdir=$(pwd) \
   --label=org.bitbucket.pipelines.system=true \
   --env=BITBUCKET_STEP_TRIGGERER_UUID="$BITBUCKET_STEP_TRIGGERER_UUID" \
   --env=BITBUCKET_REPO_FULL_NAME="$BITBUCKET_REPO_FULL_NAME" \
   --env=BITBUCKET_GIT_HTTP_ORIGIN="$BITBUCKET_GIT_HTTP_ORIGIN" \
   --env=BITBUCKET_PROJECT_UUID="$BITBUCKET_PROJECT_UUID" \
   --env=BITBUCKET_REPO_IS_PRIVATE="$BITBUCKET_REPO_IS_PRIVATE" \
   --env=BITBUCKET_WORKSPACE="$BITBUCKET_WORKSPACE" \
   --env=BITBUCKET_DEPLOYMENT_ENVIRONMENT_UUID="$BITBUCKET_DEPLOYMENT_ENVIRONMENT_UUID" \
   --env=BITBUCKET_REPO_OWNER_UUID="$BITBUCKET_REPO_OWNER_UUID" \
   --env=BITBUCKET_BRANCH="$BITBUCKET_BRANCH" \
   --env=BITBUCKET_REPO_UUID="$BITBUCKET_REPO_UUID" \
   --env=BITBUCKET_PROJECT_KEY="$BITBUCKET_PROJECT_KEY" \
   --env=BITBUCKET_DEPLOYMENT_ENVIRONMENT="$BITBUCKET_DEPLOYMENT_ENVIRONMENT" \
   --env=BITBUCKET_REPO_SLUG="$BITBUCKET_REPO_SLUG" \
   --env=CI="$CI" \
   --env=BITBUCKET_REPO_OWNER="$BITBUCKET_REPO_OWNER" \
   --env=BITBUCKET_STEP_RUN_NUMBER="$BITBUCKET_STEP_RUN_NUMBER" \
   --env=BITBUCKET_BUILD_NUMBER="$BITBUCKET_BUILD_NUMBER" \
   --env=BITBUCKET_GIT_SSH_ORIGIN="$BITBUCKET_GIT_SSH_ORIGIN" \
   --env=BITBUCKET_PIPELINE_UUID="$BITBUCKET_PIPELINE_UUID" \
   --env=BITBUCKET_COMMIT="$BITBUCKET_COMMIT" \
   --env=BITBUCKET_CLONE_DIR="$BITBUCKET_CLONE_DIR" \
   --env=PIPELINES_JWT_TOKEN="$PIPELINES_JWT_TOKEN" \
   --env=BITBUCKET_STEP_UUID="$BITBUCKET_STEP_UUID" \
   --env=BITBUCKET_DOCKER_HOST_INTERNAL="$BITBUCKET_DOCKER_HOST_INTERNAL" \
   --env=DOCKER_HOST="tcp://host.docker.internal:2375" \
   --env=BITBUCKET_PIPE_SHARED_STORAGE_DIR="/opt/atlassian/pipelines/agent/build/.bitbucket/pipelines/generated/pipeline/pipes" \
   --env=BITBUCKET_PIPE_STORAGE_DIR="/opt/atlassian/pipelines/agent/build/.bitbucket/pipelines/generated/pipeline/pipes/sonarsource/sonarcloud-scan" \
   --env=EXTRA_ARGS="-Dsonar.projectKey=fp-finance-service -Dsonar.organization=ehgdev -Dsonar.host.url=https://sonarcloud.io -Dsonar.qualitygate=ehg-dev-nodejs-qg -Dsonar.sources=./src -Dsonar.tests=./src -Dsonar.organization=ehgdev -Dsonar.test.inclusions=\"**/*.test.js\" -Dsonar.exclusions=\"**/*.sql , **/test/** , **/constants/** , **/tests/** , **/__test__/**  , **/__tests__/** , **/*.constants.js, **/*.config.js\" -Dsonar.typescript.lcov.reportPaths=coverage/lcov.info" \
   --env=SONAR_TOKEN="$SONAR_TOKEN" \
   --add-host="host.docker.internal:$BITBUCKET_DOCKER_HOST_INTERNAL" \
   sonarsource/sonarcloud-scan:1.2.1
tee: /opt/atlassian/pipelines/agent/build/.bitbucket/pipelines/generated/pipeline/pipes/sonarsource/sonarcloud-scan/sonarcloud-scan.log: Permission denied
INFO: Scanner configuration file: /opt/sonar-scanner/conf/sonar-scanner.properties
INFO: Project root configuration file: /opt/atlassian/pipelines/agent/build/sonar-project.properties
INFO: SonarScanner 4.4.0.2170
INFO: Java 11.0.2 Oracle Corporation (64-bit)
INFO: Linux 5.10.25-flatcar amd64
INFO: Bitbucket Cloud Pipelines detected
INFO: User cache: /root/.sonar/cache
INFO: Scanner configuration file: /opt/sonar-scanner/conf/sonar-scanner.properties
INFO: Project root configuration file: /opt/atlassian/pipelines/agent/build/sonar-project.properties
INFO: Analyzing on SonarCloud
INFO: Default locale: "en", source code encoding: "UTF-8" (analysis is platform dependent)
INFO: Load global settings
INFO: Load global settings (done) | time=583ms
INFO: Server id: 1BD809FA-AWHW8ct9-T_TB3XqouNu
INFO: User cache: /root/.sonar/cache
INFO: Load/download plugins
INFO: Load plugins index
INFO: Load plugins index (done) | time=135ms
INFO: Load/download plugins (done) | time=29541ms
INFO: Loaded core extensions: developer-scanner
INFO: JavaScript/TypeScript frontend is enabled
INFO: Found an active CI vendor: 'Bitbucket Pipelines'
INFO: Detected project key 'ehgprojecthorizon_fp-finance-service' from 'Bitbucket Cloud Pipelines'
INFO: Detected organization key 'ehgdev' from 'Bitbucket Cloud Pipelines'
INFO: Load project settings for component key: 'ehgprojecthorizon_fp-finance-service'
INFO: Load project settings for component key: 'ehgprojecthorizon_fp-finance-service' (done) | time=114ms
INFO: Process project properties
INFO: Execute project builders
INFO: Execute project builders (done) | time=2ms
INFO: Project key: ehgprojecthorizon_fp-finance-service
INFO: Base dir: /opt/atlassian/pipelines/agent/build
INFO: Working dir: /opt/atlassian/pipelines/agent/build/.scannerwork
INFO: Load project branches
INFO: Load project branches (done) | time=117ms
INFO: Check ALM binding of project 'ehgprojecthorizon_fp-finance-service'
INFO: Detected project binding: BOUND
INFO: Check ALM binding of project 'ehgprojecthorizon_fp-finance-service' (done) | time=97ms
INFO: Load project pull requests
INFO: Load project pull requests (done) | time=157ms
INFO: Load branch configuration
INFO: Detected analysis for branch 'development'
INFO: Auto-configuring branch development
INFO: Load branch configuration (done) | time=4ms
INFO: Load quality profiles
INFO: Load quality profiles (done) | time=155ms
INFO: Load active rules
INFO: Load active rules (done) | time=3199ms
INFO: Organization key: ehgdev
INFO: Branch name: development, type: long-lived
INFO: Indexing files...
INFO: Project configuration:
INFO:   Excluded sources: **/*.sql, **/test/**, **/constants/**, **/tests/**, **/__test__/**, **/__tests__/**, **/*.constants.js, **/*.config.js, **/*.test.js
INFO:   Included tests: **/*.test.js
INFO:   Excluded sources for coverage: **/runSwaggerGenerator.js
INFO: Load project repositories
INFO: Load project repositories (done) | time=129ms
INFO: 328 files indexed
INFO: 1124 files ignored because of inclusion/exclusion patterns
INFO: 0 files ignored because of scm ignore settings
INFO: Quality profile for js: Sonar way
INFO: ------------- Run sensors on module ehgprojecthorizon_fp-finance-service
INFO: JavaScript/TypeScript frontend is enabled
INFO: Load metrics repository
INFO: Load metrics repository (done) | time=108ms
INFO: Sensor CSS Rules [cssfamily]
INFO: No CSS, PHP, HTML or VueJS files are found in the project. CSS analysis is skipped.
INFO: Sensor CSS Rules [cssfamily] (done) | time=5ms
INFO: Sensor C# Project Type Information [csharp]
INFO: Sensor C# Project Type Information [csharp] (done) | time=2ms
INFO: Sensor C# Properties [csharp]
INFO: Sensor C# Properties [csharp] (done) | time=1ms
INFO: Sensor JavaXmlSensor [java]
INFO: Sensor JavaXmlSensor [java] (done) | time=3ms
INFO: Sensor HTML [web]
INFO: Sensor HTML [web] (done) | time=7ms
INFO: Sensor VB.NET Project Type Information [vbnet]
INFO: Sensor VB.NET Project Type Information [vbnet] (done) | time=1ms
INFO: Sensor VB.NET Properties [vbnet]
INFO: Sensor VB.NET Properties [vbnet] (done) | time=2ms
INFO: Sensor JaCoCo XML Report Importer [jacoco]
INFO: 'sonar.coverage.jacoco.xmlReportPaths' is not defined. Using default locations: target/site/jacoco/jacoco.xml,target/site/jacoco-it/jacoco.xml,build/reports/jacoco/test/jacocoTestReport.xml
INFO: No report imported, no coverage information will be imported by JaCoCo XML Report Importer
INFO: Sensor JaCoCo XML Report Importer [jacoco] (done) | time=12ms
INFO: Sensor JavaScript analysis [javascript]
INFO: Deploying custom rules bundle jar:file:/root/.sonar/cache/1c0d0d6d358b2ff25a27998c60079e2e/sonar-securityjsfrontend-plugin.jar!/js-vulnerabilities-rules-1.0.0.tgz to /opt/atlassian/pipelines/agent/build/.scannerwork/.sonartmp/eslint-bridge-bundle/package/custom-rules12656975797022051287
INFO: 228 source files to be analyzed
INFO: 0/228 files analyzed, current file: src/components/debtorAccountComment/debtorAccountCommentController.js
INFO: 74/228 files analyzed, current file: src/components/generalLedgerPosting/generalLedgerPostingController.js
INFO: 140/228 files analyzed, current file: src/components/debtorAccount/debtorAccountController.js
INFO: 202/228 files analyzed, current file: src/shared/testHelper.js
INFO: 228/228 source files have been analyzed
INFO: Sensor JavaScript analysis [javascript] (done) | time=47075ms
INFO: Sensor TypeScript analysis [javascript]
INFO: Found 0 tsconfig.json file(s): []
ERROR: The 'files' list in config file 'tsconfig.json' is empty.
INFO: 0 source files to be analyzed
INFO: 0/0 source files have been analyzed
INFO: Sensor TypeScript analysis [javascript] (done) | time=544ms
INFO: Sensor JavaScript/TypeScript Coverage [javascript]
WARN: The use of sonar.typescript.lcov.reportPaths for coverage import is deprecated, use sonar.javascript.lcov.reportPaths instead.
INFO: Analysing [/opt/atlassian/pipelines/agent/build/coverage/lcov.info]
WARN: Could not resolve 5 file paths in [/opt/atlassian/pipelines/agent/build/coverage/lcov.info]
WARN: First unresolved path: /opt/atlassian/pipelines/agent/build/app.js (Run in DEBUG mode to get full list of unresolved paths)
INFO: Sensor JavaScript/TypeScript Coverage [javascript] (done) | time=89ms
INFO: Sensor ThymeLeaf template sensor [securityjavafrontend]
INFO: Sensor ThymeLeaf template sensor [securityjavafrontend] (done) | time=2ms
INFO: Sensor JavaSecuritySensor [security]
INFO: Reading type hierarchy from: /opt/atlassian/pipelines/agent/build/.scannerwork/ucfg2/java
INFO: Read 0 type definitions
INFO: Reading UCFGs from: /opt/atlassian/pipelines/agent/build/.scannerwork/ucfg2/java
INFO: No UCFGs have been included for analysis.
INFO: Sensor JavaSecuritySensor [security] (done) | time=3ms
INFO: Sensor CSharpSecuritySensor [security]
INFO: Reading type hierarchy from: /opt/atlassian/pipelines/agent/build/ucfg_cs2
INFO: Read 0 type definitions
INFO: Reading UCFGs from: /opt/atlassian/pipelines/agent/build/ucfg_cs2
INFO: No UCFGs have been included for analysis.
INFO: Sensor CSharpSecuritySensor [security] (done) | time=0ms
INFO: Sensor PhpSecuritySensor [security]
INFO: Reading type hierarchy from: /opt/atlassian/pipelines/agent/build/.scannerwork/ucfg2/php
INFO: Read 0 type definitions
INFO: Reading UCFGs from: /opt/atlassian/pipelines/agent/build/.scannerwork/ucfg2/php
INFO: No UCFGs have been included for analysis.
INFO: Sensor PhpSecuritySensor [security] (done) | time=1ms
INFO: Sensor PythonSecuritySensor [security]
INFO: Reading type hierarchy from: /opt/atlassian/pipelines/agent/build/.scannerwork/ucfg2/python
INFO: Read 0 type definitions
INFO: Reading UCFGs from: /opt/atlassian/pipelines/agent/build/.scannerwork/ucfg2/python
INFO: No UCFGs have been included for analysis.
INFO: Sensor PythonSecuritySensor [security] (done) | time=0ms
INFO: Sensor JsSecuritySensor [security]
INFO: Reading type hierarchy from: /opt/atlassian/pipelines/agent/build/.scannerwork/ucfg2/js
INFO: Read 0 type definitions
INFO: Reading UCFGs from: /opt/atlassian/pipelines/agent/build/.scannerwork/ucfg2/js
INFO: 11:48:18.884827 Building Runtime Type propagation graph
INFO: 11:48:19.048954 Running Tarjan on 18510 nodes
INFO: 11:48:19.091889 Tarjan found 18509 components
INFO: 11:48:19.156922 Variable type analysis: done
INFO: 11:48:19.159079 Building Runtime Type propagation graph
INFO: 11:48:19.337118 Running Tarjan on 18510 nodes
INFO: 11:48:19.360672 Tarjan found 18509 components
INFO: 11:48:19.406351 Variable type analysis: done
INFO: Analyzing 1490 ucfgs to detect vulnerabilities.
INFO: rule: S5883, entrypoints: 229
INFO: Running symbolic analysis
INFO: rule: S5883 done
INFO: rule: S5131, entrypoints: 229
INFO: Running symbolic analysis
INFO: rule: S5131 done
INFO: rule: S5696, entrypoints: 229
INFO: Running symbolic analysis
INFO: rule: S5696 done
INFO: rule: S5144, entrypoints: 229
INFO: Running symbolic analysis
INFO: rule: S5144 done
INFO: rule: S3649, entrypoints: 229
INFO: Running symbolic analysis
INFO: rule: S3649 done
INFO: rule: S5147, entrypoints: 229
INFO: Running symbolic analysis
INFO: rule: S5147 done
INFO: rule: S6105, entrypoints: 229
INFO: Running symbolic analysis
INFO: rule: S6105 done
INFO: rule: S6096, entrypoints: 229
INFO: Running symbolic analysis
INFO: rule: S6096 done
INFO: rule: S2631, entrypoints: 229
INFO: Running symbolic analysis
INFO: rule: S2631 done
INFO: rule: S5146, entrypoints: 229
INFO: Running symbolic analysis
INFO: rule: S5146 done
INFO: rule: S2076, entrypoints: 229
INFO: Running symbolic analysis
INFO: rule: S2076 done
INFO: rule: S5334, entrypoints: 229
INFO: Running symbolic analysis
INFO: rule: S5334 done
INFO: rule: S2083, entrypoints: 229
INFO: Running symbolic analysis
INFO: rule: S2083 done
INFO: Sensor JsSecuritySensor [security] (done) | time=1734229ms
INFO: ------------- Run sensors on project
INFO: Sensor Zero Coverage Sensor
INFO: Sensor Zero Coverage Sensor (done) | time=7ms
INFO: CPD Executor 6 files had no CPD blocks
INFO: CPD Executor Calculating CPD for 222 files
INFO: CPD Executor CPD calculation finished (done) | time=152ms
INFO: Analysis report generated in 302ms, dir size=2 MB
INFO: Analysis report compressed in 1131ms, zip size=1 MB
INFO: Analysis report uploaded in 1253ms
INFO: ANALYSIS SUCCESSFUL, you can find the results at: https://sonarcloud.io/dashboard?id=ehgprojecthorizon_fp-finance-service&branch=development
INFO: Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
INFO: More about the report processing at https://sonarcloud.io/api/ce/task?id=AXk8dfiW56Z3Il3BUevy
INFO: Analysis total time: 29:59.921 s
INFO: ------------------------------------------------------------------------
INFO: EXECUTION SUCCESS
INFO: ------------------------------------------------------------------------
INFO: Total time: 30:34.000s
INFO: Final Memory: 88M/314M
INFO: ------------------------------------------------------------------------
✔ SonarCloud analysis was successful.

running symbolic analysis is DEBUG mode

Hi @krreet, looking at the logs, I see the JsSecuritySensor took 1734 seconds for the 13 JS security-related rules (S5883, S5131, S5696, S5144, S3649, S5147, S6105, S6096, S2631, S5146, S2076, S5334, S2083). You can assume that the analysis for each of these rules takes roughly the same time, so that’s about 1734/13 = 133 seconds per rule. A good 2 minutes per rule is quite normal when you have 1500 UCFGs to analyze: Note that the analysis for these rules is a very deep and complex one, as opposed to all other (much simpler) rules, as these rules perform an interprocedural taint analysis. That is, these rules attempt to find out whether there is some point in the program where an attacker could inject input that flows through many functions in your program and eventually ends up affecting a security-sensitive function (without being appropriately sanitized), such as a database query for example.

Taint analysis in the JsSecuritySensor is a fairly new feature, so until very recently, with earlier versions of SonarQube you would not have experienced this problem simply because that analysis was not performed at all. :wink: (or only a very shallow analysis)

If this analysis time is too long for you, you may of course disable the rules: Judging from your logs, you can expect to save roughly 2 minutes per disabled rule, or about 26 minutes if you disable all 13 of them. Indeed, they may not all be interesting for you: For instance, if your application does not use LDAP at all, there is no reason to activate S2078 (LDAP Injection). Or if you do not use XPath, there is no reason to activate S2091 (XPath Injection). If you do not use SQL queries, you do not need S3649 (SQL Injection), or if you do not use NoSQL databases in your program, you do not need S5147 (NoSQL Injection). If your application is a server-side application, you do not need S5696 or S6105 (DOM XSS and DOM Redirect), and if it is a client-side one you do not need S5131 or S5146 (Reflected XSS and Open Redirect), and so on. Unfortunately, SonarQube does not know whether your program uses LDAP / XPath / SQL or NoSQL databases etc. before performing the actual analysis, but you can easily optimize the performance yourself by enabling only those taint analysis rules which may be interesting in the context of your application (if any).

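The estimate above (sensor wall time divided by the number of taint rules, then multiplied by the number of rules you would deactivate) is easy to automate against the scanner output. The following script is an added example written for this thread; it is not code from SonarSource or from any of the posters. It assumes only the `INFO:` line shapes visible in the logs above (`Analyzing N ucfgs ...`, `rule: Sxxxx, entrypoints: N`, `rule: Sxxxx done`, `Sensor JsSecuritySensor [security] (done) | time=Nms`), and it also handles the failure mode reported earlier in the thread, a CI time limit killing the scan mid-rule, by reporting which rule was in flight when the log stopped. The sample log it builds is constructed from the rule sequence and timings quoted above.

```python
"""Summarise JsSecuritySensor taint-analysis timings from SonarScanner console output."""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Line shapes taken from the scanner logs in the thread (matched with search, so the
# "INFO: " prefix and any timestamps are ignored).
SENSOR_DONE = re.compile(r"Sensor JsSecuritySensor \[security\] \(done\) \| time=(\d+)ms")
UCFG_COUNT = re.compile(r"Analyzing (\d+) ucfgs to detect vulnerabilities")
RULE_START = re.compile(r"rule: (S\d+), entrypoints: (\d+)$")
RULE_DONE = re.compile(r"rule: (S\d+) done$")


@dataclass
class SensorReport:
    ucfgs: int = 0                  # per-function graphs handed to the taint engine
    entrypoints: int = 0            # entry points explored per rule
    finished: List[str] = field(default_factory=list)    # rules that reported "done"
    unfinished: List[str] = field(default_factory=list)  # started, never reported "done"
    total_ms: Optional[int] = None  # sensor wall time; None when the log was cut off

    @property
    def seconds_per_rule(self) -> Optional[float]:
        """Average cost of one taint rule (assumes every rule costs about the same)."""
        if self.total_ms is None or not self.finished:
            return None
        return self.total_ms / 1000 / len(self.finished)

    def estimated_saving_s(self, rules_to_disable: Iterable[str]) -> float:
        """Seconds a scan would save if the given rules were deactivated in the profile."""
        per_rule = self.seconds_per_rule or 0.0
        # Only rules that actually ran in this scan can save anything.
        return per_rule * len(set(rules_to_disable) & set(self.finished))


def parse_js_security_sensor(lines: Iterable[str]) -> SensorReport:
    """Walk scanner output once and collect the JsSecuritySensor figures."""
    report = SensorReport()
    in_flight = {}  # insertion-ordered set of rules started but not yet done
    for raw in lines:
        line = raw.strip()
        if m := UCFG_COUNT.search(line):
            report.ucfgs = int(m.group(1))
        elif m := RULE_START.search(line):
            in_flight[m.group(1)] = True
            report.entrypoints = int(m.group(2))
        elif m := RULE_DONE.search(line):
            rule = m.group(1)
            if rule in in_flight:
                del in_flight[rule]
                report.finished.append(rule)
        elif m := SENSOR_DONE.search(line):
            report.total_ms = int(m.group(1))
    report.unfinished = list(in_flight)
    return report


# Constructed sample: the 13 rules, 229 entry points, 1490 UCFGs and 1734229 ms quoted above.
THREAD_RULES = ["S5883", "S5131", "S5696", "S5144", "S3649", "S5147", "S6105",
                "S6096", "S2631", "S5146", "S2076", "S5334", "S2083"]


def sample_log(rules=THREAD_RULES, entrypoints=229, total_ms=1734229, truncate_after=None):
    """Rebuild a log in the thread's shape; truncate_after simulates a CI time-limit kill."""
    lines = ["INFO: Sensor JsSecuritySensor [security]",
             "INFO: Analyzing 1490 ucfgs to detect vulnerabilities."]
    for rule in rules:
        lines += [f"INFO: rule: {rule}, entrypoints: {entrypoints}",
                  "INFO: Running symbolic analysis",
                  f"INFO: rule: {rule} done"]
    lines.append(f"INFO: Sensor JsSecuritySensor [security] (done) | time={total_ms}ms")
    return lines if truncate_after is None else lines[:truncate_after]


if __name__ == "__main__":
    report = parse_js_security_sensor(sample_log())
    print(f"{len(report.finished)} taint rules over {report.ucfgs} UCFGs / "
          f"{report.entrypoints} entry points: {report.total_ms / 1000:.0f} s total, "
          f"{report.seconds_per_rule:.0f} s per rule")
    # Hypothetical choice for a server-side app with no SQL or NoSQL: drop DOM XSS/redirect
    # rules plus the injection rules it cannot hit.
    candidates = ["S5696", "S6105", "S3649", "S5147"]
    print(f"disabling {candidates} would save about "
          f"{report.estimated_saving_s(candidates) / 60:.1f} min per scan")
    killed = parse_js_security_sensor(sample_log(truncate_after=19))
    print(f"truncated log: finished={killed.finished}, in flight={killed.unfinished}")
```

Feed it a real run with `parse_js_security_sensor(open("sonarcloud-scan.log"))`; if `total_ms` comes back `None` and `unfinished` is non-empty, the pipeline killed the scan during that rule, which is the "build time limit exceeded" case from earlier in the thread rather than a hang you need to debug.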
