Sonar scanner has started to take too much time to run analysis

Hi @krreet, looking at the logs, I see the JsSecuritySensor took 1734 seconds for the 13 JS security-related rules (S5883, S5131, S5696, S5144, S3649, S5147, S6105, S6096, S2631, S5146, S2076, S5334, S2083). You can assume that the analysis for each of these rules takes roughly the same time, so that’s about 1734/13 = 133 seconds per rule. A good 2 minutes per rule is quite normal when you have 1500 UCFGs to analyze. Note that the analysis for these rules is a very deep and complex one, as opposed to all other (much simpler) rules, because these rules perform an interprocedural taint analysis. That is, these rules attempt to find out whether there is some point in the program where an attacker could inject input that flows through many functions in your program and eventually ends up affecting a security-sensitive function (without being appropriately sanitized), such as a database query.

Taint analysis in the JsSecuritySensor is a fairly new feature, so until very recently, with earlier versions of SonarQube you would not have experienced this problem simply because that analysis was not performed at all. :wink: (or only a very shallow analysis)

If this analysis time is too long for you, you may of course disable the rules. Judging from your logs, you can expect to save roughly 2 minutes per disabled rule, or about 26 minutes if you disable all 13 of them. Indeed, they may not all be interesting for you. For instance, if your application does not use LDAP at all, there is no reason to activate S2078 (LDAP Injection). Or if you do not use XPath, there is no reason to activate S2091 (XPath Injection). If you do not use SQL queries, you do not need S3649 (SQL Injection), and if you do not use NoSQL databases in your program, you do not need S5147 (NoSQL Injection). If your application is a server-side application, you do not need S5696 or S6105 (DOM XSS and DOM Redirect), and if it is a client-side one you do not need S5131 or S5146 (Reflected XSS and Open Redirect), and so on. Unfortunately, SonarQube does not know whether your program uses LDAP / XPath / SQL or NoSQL databases etc. before performing the actual analysis, but you can easily optimize the performance yourself by enabling only those taint analysis rules which may be interesting in the context of your application (if any).

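To make the source-to-sink reasoning described in the reply above concrete, here is a toy interprocedural taint analysis written as an added example for this page. It is not SonarQube's engine, not its UCFG format, and not code from the reply's author: the instruction set, the `analyzeProgram` function, the `SAMPLE_PROGRAM` and the mapping of sinks to rule keys (S3649 for a database query, S5696 for an `innerHTML` write) are all constructed here purely to illustrate how taint propagates across function calls, why a sanitizer on the path silences a finding, and how the set of enabled rules decides which sinks are even reported.

```javascript
// Toy interprocedural taint analysis (added illustration, not SonarQube's engine).
// A program is a map: function name -> list of instructions. Every variable is
// assigned once (SSA-style), which keeps the per-function state a simple Set.
//   { op: "param",    dst, index }         dst <- index-th parameter
//   { op: "source",   dst }                dst <- attacker-controlled input
//   { op: "concat",   dst, args }          dst <- string built from args
//   { op: "sanitize", dst, src }           dst <- escaped/validated copy of src
//   { op: "call",     dst, callee, args }  dst <- callee(...args)
//   { op: "sink",     arg, rule }          security-sensitive use, tagged with a rule key
//   { op: "return",   src }

// Constructed sample program: two server-side request handlers that share the
// same query-building helpers, plus one client-side handler writing to the DOM.
const SAMPLE_PROGRAM = {
  handler: [                                              // vulnerable: no sanitizer on the path
    { op: "source", dst: "id" },                          // e.g. req.query.id
    { op: "call", dst: "q", callee: "buildQuery", args: ["id"] },
    { op: "call", dst: "r", callee: "runQuery", args: ["q"] },
  ],
  safeHandler: [                                          // same helpers, input validated first
    { op: "source", dst: "id" },
    { op: "sanitize", dst: "clean", src: "id" },          // e.g. Number.parseInt or a bound parameter
    { op: "call", dst: "q", callee: "buildQuery", args: ["clean"] },
    { op: "call", dst: "r", callee: "runQuery", args: ["q"] },
  ],
  buildQuery: [
    { op: "param", dst: "v", index: 0 },
    { op: "concat", dst: "sql", args: ["v"] },            // "SELECT ... WHERE id = '" + v + "'"
    { op: "return", src: "sql" },
  ],
  runQuery: [
    { op: "param", dst: "sql", index: 0 },
    { op: "sink", arg: "sql", rule: "S3649" },            // db.query(sql): SQL injection sink
  ],
  uiHandler: [                                            // client-side code path
    { op: "source", dst: "hash" },                        // e.g. location.hash
    { op: "call", dst: "msg", callee: "format", args: ["hash"] },
    { op: "sink", arg: "msg", rule: "S5696" },            // element.innerHTML = msg: DOM XSS sink
  ],
  format: [
    { op: "param", dst: "s", index: 0 },
    { op: "concat", dst: "html", args: ["s"] },
    { op: "return", src: "html" },
  ],
};

// Analyze each entry point and return findings for sinks of enabled rules that
// a tainted value reaches. Callees are analyzed per (callee, taint-of-arguments)
// combination and memoized, so shared helpers are revisited only when called
// with a different taint pattern. A recursive call that is still in progress
// sees an untainted return value (an optimistic simplification of this toy).
function analyzeProgram(program, entryPoints, enabledRules) {
  const findings = [];
  const cache = new Map(); // "fn|argTaintMask" -> does the return value carry taint?

  function analyzeFunction(fnName, argTaint, callStack) {
    const key = fnName + "|" + argTaint.map((t) => (t ? "1" : "0")).join("");
    if (cache.has(key)) return cache.get(key);
    cache.set(key, false);                                // provisional value for recursion
    const tainted = new Set();
    const setTaint = (v, isTainted) => (isTainted ? tainted.add(v) : tainted.delete(v));
    const stack = [...callStack, fnName];
    let returnTainted = false;

    for (const ins of program[fnName]) {
      switch (ins.op) {
        case "param":    setTaint(ins.dst, Boolean(argTaint[ins.index])); break;
        case "source":   setTaint(ins.dst, true); break;
        case "concat":   setTaint(ins.dst, ins.args.some((a) => tainted.has(a))); break;
        case "sanitize": setTaint(ins.dst, false); break; // sanitizer breaks the flow
        case "call": {
          const calleeTaint = ins.args.map((a) => tainted.has(a));
          setTaint(ins.dst, analyzeFunction(ins.callee, calleeTaint, stack));
          break;
        }
        case "sink":
          // A sink whose rule is disabled is simply not a sink for this run.
          if (enabledRules.has(ins.rule) && tainted.has(ins.arg)) {
            findings.push({ rule: ins.rule, path: stack.join(" > ") });
          }
          break;
        case "return":   returnTainted = returnTainted || tainted.has(ins.src); break;
        default: throw new Error("unknown instruction " + ins.op);
      }
    }
    cache.set(key, returnTainted);
    return returnTainted;
  }

  for (const entry of entryPoints) analyzeFunction(entry, [], []);
  return findings;
}

const ENTRY_POINTS = ["handler", "safeHandler", "uiHandler"];
console.log(analyzeProgram(SAMPLE_PROGRAM, ENTRY_POINTS, new Set(["S3649", "S5696"])));
// -> S3649 reached via handler > runQuery, S5696 reached via uiHandler; safeHandler is clean.
console.log(analyzeProgram(SAMPLE_PROGRAM, ENTRY_POINTS, new Set(["S3649"])));
// -> only the SQL injection finding: a server-side project would disable S5696, as the reply suggests.
```

Two points from the reply show up directly in the code: `safeHandler` calls exactly the same `buildQuery`/`runQuery` helpers as `handler`, and the only thing that separates a finding from no finding is the `sanitize` step, which is why the engine has to follow the value through every call rather than pattern-match the sink line. And because the analysis only has something to report when a tainted value reaches a sink of an enabled rule, dropping rules whose sinks your application never contains (here, S5696 for a server-side project) removes work without removing any finding you would have cared about.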