Sonar Scanner - resource allocation for UCFG simulation

During scanning of a large project, I’ve found that the scanner stops attempting
to simulate due to “too high simulation costs” (see logs below). This doesn’t
prevent the scan from completing, or analysis succeeding, but it does mean that
there are findings that are missed (confirmed via manual code review).

How is “too high” determined in this case? Can this “ceiling” be lifted/removed
entirely?

Thanks in advance,

Sam

08:01:08.015 INFO  Taint analysis for php: Starting
08:01:08.033 INFO  0 / 824 UCFGs simulated, memory usage: 606 MB
08:01:08.586 INFO  Too high simulation costs for sink in ****. This sink will not be analyzed any further.
08:01:08.586 INFO  Too high simulation costs for sink in ****. This sink will not be analyzed any further.
08:01:09.439 INFO  132 / 824 UCFGs simulated, memory usage: 1148 MB
08:01:11.552 INFO  192 / 824 UCFGs simulated, memory usage: 630 MB
08:01:11.981 INFO  261 / 824 UCFGs simulated, memory usage: 944 MB
08:01:13.045 INFO  325 / 824 UCFGs simulated, memory usage: 544 MB
08:01:14.200 INFO  Too high simulation costs for sink in ****. This sink will not be analyzed any further.
08:01:14.290 INFO  361 / 824 UCFGs simulated, memory usage: 606 MB
08:01:15.056 INFO  371 / 824 UCFGs simulated, memory usage: 684 MB
08:01:16.187 INFO  406 / 824 UCFGs simulated, memory usage: 508 MB
08:01:16.737 INFO  465 / 824 UCFGs simulated, memory usage: 1240 MB
08:01:17.400 INFO  504 / 824 UCFGs simulated, memory usage: 1170 MB
08:01:19.101 INFO  662 / 824 UCFGs simulated, memory usage: 1274 MB
08:01:20.805 INFO  805 / 824 UCFGs simulated, memory usage: 674 MB
08:01:20.888 INFO  818 / 824 UCFGs simulated, memory usage: 786 MB
08:01:20.888 INFO  Taint analysis for php: Time spent was 00:00:12.871

Scanner details:

07:59:41.800 INFO  Project root configuration file: NONE
07:59:41.811 INFO  SonarScanner CLI 6.1.0.4477
07:59:41.813 INFO  Java 17.0.11 Eclipse Adoptium (64-bit)
07:59:41.813 INFO  Linux 4.18.0-553.5.1.el8_10.x86_64 amd64
07:59:41.814 INFO  SONAR_SCANNER_OPTS=-Xmx6144m
07:59:41.820 DEBUG Scanner max available memory: 6 GB
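One way to make these skipped sinks visible in CI rather than buried in the scanner log, as an added example that is not part of the original post or of SonarScanner itself: it parses the progress and "Too high simulation costs" lines in the format shown above and fails a coverage gate when any sink was skipped. The sink paths in the sample are constructed, since the post masks them as `****`.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample in the same format as the taint-analysis log lines in the post.
SAMPLE_LOG = """\
08:01:08.015 INFO  Taint analysis for php: Starting
08:01:08.033 INFO  0 / 824 UCFGs simulated, memory usage: 606 MB
08:01:08.586 INFO  Too high simulation costs for sink in app/Http/Controllers/Foo.php. This sink will not be analyzed any further.
08:01:14.200 INFO  Too high simulation costs for sink in app/Models/Bar.php. This sink will not be analyzed any further.
08:01:16.737 INFO  465 / 824 UCFGs simulated, memory usage: 1240 MB
08:01:20.888 INFO  818 / 824 UCFGs simulated, memory usage: 786 MB
08:01:20.888 INFO  Taint analysis for php: Time spent was 00:00:12.871
"""

LANG_RE = re.compile(r"Taint analysis for (\w+): Starting")
PROGRESS_RE = re.compile(r"(\d+) / (\d+) UCFGs simulated, memory usage: (\d+) MB")
SKIPPED_RE = re.compile(r"Too high simulation costs for sink in (.+?)\. This sink will not be analyzed any further")


@dataclass
class TaintRunSummary:
    language: str | None = None
    total_ucfgs: int = 0
    last_simulated: int = 0
    peak_memory_mb: int = 0
    skipped_sinks: list[str] = field(default_factory=list)


def summarize_taint_log(text: str) -> TaintRunSummary:
    """Collect progress, peak memory and every sink the simulator gave up on."""
    summary = TaintRunSummary()
    for line in text.splitlines():
        if m := LANG_RE.search(line):
            summary.language = m.group(1)
        elif m := PROGRESS_RE.search(line):
            summary.last_simulated = int(m.group(1))
            summary.total_ucfgs = int(m.group(2))
            summary.peak_memory_mb = max(summary.peak_memory_mb, int(m.group(3)))
        elif m := SKIPPED_RE.search(line):
            summary.skipped_sinks.append(m.group(1))
    return summary


def coverage_gate(summary: TaintRunSummary, max_skipped: int = 0) -> bool:
    """True when the run analysed every sink (or at most max_skipped of them)."""
    return len(summary.skipped_sinks) <= max_skipped


if __name__ == "__main__":
    s = summarize_taint_log(SAMPLE_LOG)
    print(f"{s.language}: {s.last_simulated}/{s.total_ucfgs} UCFGs, peak {s.peak_memory_mb} MB")
    for sink in s.skipped_sinks:
        print(f"  skipped sink: {sink}")
    print("coverage gate:", "PASS" if coverage_gate(s) else "FAIL")
```

The skipped-sink list tells you which files still need manual review, which is exactly the gap the post describes.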

Hey there.

It’s a bit of a leap to say that’s why certain findings may be missing. Can you provide an example?

In any case, here you can read more about what the message means, and why it’s not configurable: