Sonar task hangs at rule S3649

scanner
sonarsecurity

(David Kossatz) #1

Hello,

We are running SonarQube 7.4 Developer Edition with the Sonar for Bamboo plugin (v2.1.2), and the Sonar Maven 3 task is hanging up our build on Bamboo. Excerpt from the log:

build	04-Jan-2019 18:40:39	[INFO] Sensor JavaSecuritySensor [security]
build	04-Jan-2019 18:40:39	[INFO] Reading UCFGs from: /webcontent/bamboo/xml-data/build-dir/AF-AFF5-JOB1/target/sonar/ucfg2/java
build	04-Jan-2019 18:43:23	[INFO] UCFGs: 175888, excluded: 172868, source entrypoints: 3020
build	04-Jan-2019 18:43:23	[INFO] Analyzing 175756 ucfgs to detect vulnerabilities.
build	04-Jan-2019 18:43:29	[INFO] rule: S3649, entrypoints: 10
build	04-Jan-2019 18:47:55	[WARNING] [JOURNAL_FLUSHER] WARNING Journal flush operation took 3,507ms last 8 cycles average is 438ms
build	04-Jan-2019 18:50:04	[WARNING] [JOURNAL_FLUSHER] WARNING Journal flush operation took 3,630ms last 8 cycles average is 453ms
....
build   04-Jan-2019 18:51:50    [ERROR] GC overhead limit exceeded -> [Help 1]

I’ve tried increasing the memory argument (via SONAR_SCANNER_OPTS="-Xmx4G") but that only added more JOURNAL_FLUSHER log entries. I had to stop the build after an hour or two of it running.

I saw the post "Suddenly analysis takes a long time to finish", which is very similar, but it ended up looking like a SonarCloud fix?

I disabled rules S3649, S2076, S2091, S2078 and S2631, which avoids the problem:

build	08-Jan-2019 11:40:02	[INFO] Sensor JavaSecuritySensor [security]
build	08-Jan-2019 11:40:02	[INFO] Reading UCFGs from: /bamboo/xml-data/build-dir/AA-AAA5-JOB1/target/sonar/ucfg2/java
build	08-Jan-2019 11:42:29	[INFO] UCFGs: 175888, excluded: 172868, source entrypoints: 3020
build	08-Jan-2019 11:42:29	[INFO] Analyzing 175756 ucfgs to detect vulnerabilities.
build	08-Jan-2019 11:42:34	[INFO] rule: S2083, entrypoints: 17
build	08-Jan-2019 11:42:45	[INFO] rule: S2083 done
build	08-Jan-2019 11:42:45	[INFO] Sensor JavaSecuritySensor [security] (done) | time=162874ms

It would be preferable to enable this rule to allow checking of SQL injection. The project is private so I’m not able to share the ucfg2/java contents.

Any ideas on why it’s hanging up?
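As an added example (not code from the original post or from SonarSource), the script below reads a scanner log like the excerpts above, pairs each `rule: Sxxxx, entrypoints: N` line with its `rule: Sxxxx done` line, and reports rules that started but never finished. The sample log strings are constructed from the trimmed excerpts in the post.

```python
import re
from datetime import datetime

# Constructed samples: trimmed copies of the two JavaSecuritySensor excerpts in the post.
HANGING_LOG = """\
build\t04-Jan-2019 18:40:39\t[INFO] Sensor JavaSecuritySensor [security]
build\t04-Jan-2019 18:43:23\t[INFO] Analyzing 175756 ucfgs to detect vulnerabilities.
build\t04-Jan-2019 18:43:29\t[INFO] rule: S3649, entrypoints: 10
build\t04-Jan-2019 18:47:55\t[WARNING] [JOURNAL_FLUSHER] WARNING Journal flush operation took 3,507ms
build\t04-Jan-2019 18:51:50\t[ERROR] GC overhead limit exceeded -> [Help 1]
"""
HEALTHY_LOG = """\
build\t08-Jan-2019 11:40:02\t[INFO] Sensor JavaSecuritySensor [security]
build\t08-Jan-2019 11:42:34\t[INFO] rule: S2083, entrypoints: 17
build\t08-Jan-2019 11:42:45\t[INFO] rule: S2083 done
build\t08-Jan-2019 11:42:45\t[INFO] Sensor JavaSecuritySensor [security] (done) | time=162874ms
"""

# Bamboo prefix, timestamp, log level, message.
LINE_RE = re.compile(r"^\S+\s+(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\s+\[(\w+)\] (.*)$")
START_RE = re.compile(r"rule: (S\d+), entrypoints: (\d+)")
DONE_RE = re.compile(r"rule: (S\d+) done")

def rule_timeline(log):
    """Return ({rule: {start, entrypoints, done, seconds}}, last timestamp seen).
    A rule whose 'done' stays None started but never finished."""
    rules, last_ts = {}, None
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S")
        last_ts, msg = ts, m.group(3)
        if s := START_RE.search(msg):
            rules[s.group(1)] = {"start": ts, "entrypoints": int(s.group(2)),
                                 "done": None, "seconds": None}
        elif d := DONE_RE.search(msg):
            if r := rules.get(d.group(1)):
                r["done"] = ts
                r["seconds"] = (ts - r["start"]).total_seconds()
    return rules, last_ts

def stuck_rules(log):
    """Rules with no 'done' line, mapped to seconds elapsed until the last log line."""
    rules, last_ts = rule_timeline(log)
    return {k: (last_ts - v["start"]).total_seconds()
            for k, v in rules.items() if v["done"] is None}

if __name__ == "__main__":
    print(stuck_rules(HANGING_LOG))   # S3649 never finished
    print(stuck_rules(HEALTHY_LOG))   # nothing stuck
```

Running it over a full build log points at the rule to deactivate or to report, without having to read through the JOURNAL_FLUSHER noise by hand.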


(Nicolas Peru) #2

Your analysis gets stuck on a sonarsecurity rule which is doing a taint analysis.

This kind of analysis explores a large domain and can consume a lot of memory. Given the number of UCFGs and entrypoints we can spot in the log, it is not totally surprising that the analysis chokes on your project.

You figured out the two possible workarounds (increasing memory and deactivating the rules).
We did a lot of improvements on memory and CPU consumption in the upcoming 7.6 version of sonarsecurity, which should be released by the end of the month.
So while waiting for an upgrade, the best course of action is to leave the rule deactivated.

We would be really interested in the UCFGs in order to investigate performance. Note that the ucfg2/java files do not contain much more than method calls.