SonarCloud JsSecuritySensor is very slow since 18 July 2023

  • ALM used: Azure DevOps
  • CI system used: Azure DevOps
  • Languages of the repository: TypeScript

Hello,
The execution time of SonarCloud analysis increased from around 4-5 minutes to around 23-24 minutes for my project.
It was working ok on 17 July, we started getting these slow runs from 18 July.

The main problem is that it takes almost 20 minutes for JsSecuritySensor to do the scan. Before it was about 15-20 seconds to finish.
What is interesting is that the number of elements on which the analysis is performed seems to have doubled between those two runs, although there were almost no changes to our codebase on that day.

Here’s the log for the run from 17 July:

2023-07-17T09:43:30.9897329Z INFO: 11:43:30.987107089 Building Runtime Type propagation graph
2023-07-17T09:43:32.0740209Z INFO: 11:43:32.072092494 Running Tarjan on 69967 nodes
2023-07-17T09:43:32.2577388Z INFO: 11:43:32.256604708 Tarjan found 69949 components
2023-07-17T09:43:32.6474250Z INFO: 11:43:32.645865303 Variable type analysis: done
2023-07-17T09:43:32.6511699Z INFO: 11:43:32.650591542 Building Runtime Type propagation graph
2023-07-17T09:43:33.8979256Z INFO: 11:43:33.896959271 Running Tarjan on 69967 nodes
2023-07-17T09:43:33.9761808Z INFO: 11:43:33.975081912 Tarjan found 69949 components
2023-07-17T09:43:34.2071080Z INFO: 11:43:34.206188109 Variable type analysis: done
2023-07-17T09:43:34.2176067Z INFO: Analyzing 8852 ucfgs to detect vulnerabilities.
2023-07-17T09:43:40.5641067Z INFO: Taint analysis starting. Entrypoints: 1651

And from 18 July:

2023-07-18T11:35:31.1903694Z INFO: 13:35:31.188292576 Building Runtime Type propagation graph
2023-07-18T11:35:34.2476289Z INFO: 13:35:34.245361725 Running Tarjan on 152280 nodes
2023-07-18T11:35:34.5879947Z INFO: 13:35:34.586999605 Tarjan found 152262 components
2023-07-18T11:35:35.3503676Z INFO: 13:35:35.349561216 Variable type analysis: done
2023-07-18T11:35:35.3532967Z INFO: 13:35:35.352662865 Building Runtime Type propagation graph
2023-07-18T11:35:36.7502486Z INFO: 13:35:36.749438164 Running Tarjan on 152280 nodes
2023-07-18T11:35:36.8682743Z INFO: 13:35:36.867443923 Tarjan found 152262 components
2023-07-18T11:35:37.3859547Z INFO: 13:35:37.385221878 Variable type analysis: done
2023-07-18T11:35:38.1273466Z INFO: Analyzing 8870 ucfgs to detect vulnerabilities.
2023-07-18T11:35:52.2078957Z INFO: Taint analysis starting. Entrypoints: 1668

There’s also an increase in the JavaScript/TypeScript Sensor runtime. On 17 July it was taking around 180-190 seconds, and on 18 July it started taking around 240-250 seconds. So the problem is not as serious as for JsSecuritySensor, which takes almost 20 minutes now. But still, when you compare 180s to 240s, it’s a 33% increase in the JavaScript/TypeScript Sensor execution time, which is quite a lot.

Did anything change on SonarCloud side on that day?

Best regards,
Rafal Borek
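The post compares two scanner logs by eye. The following script, an added example that is not part of the thread or of Sonar's own tooling, parses the `INFO:` lines in the format shown above (Tarjan node and component counts, ucfg count, taint entrypoints, and the wall-clock span between the first and last line) and flags any metric that grew by more than a chosen ratio between a baseline run and the current run. The sample input is the 17 and 18 July lines taken from the post; the `compare_runs` threshold of 1.5 and the `span_seconds` metric are assumptions, and the script works on any Azure DevOps-timestamped scanner log that contains these messages.

```python
import re
from datetime import datetime

# Sample input: lines taken from the two logs quoted in the post above.
LOG_17 = """2023-07-17T09:43:30.9897329Z INFO: 11:43:30.987107089 Building Runtime Type propagation graph
2023-07-17T09:43:32.0740209Z INFO: 11:43:32.072092494 Running Tarjan on 69967 nodes
2023-07-17T09:43:32.2577388Z INFO: 11:43:32.256604708 Tarjan found 69949 components
2023-07-17T09:43:34.2176067Z INFO: Analyzing 8852 ucfgs to detect vulnerabilities.
2023-07-17T09:43:40.5641067Z INFO: Taint analysis starting. Entrypoints: 1651"""

LOG_18 = """2023-07-18T11:35:31.1903694Z INFO: 13:35:31.188292576 Building Runtime Type propagation graph
2023-07-18T11:35:34.2476289Z INFO: 13:35:34.245361725 Running Tarjan on 152280 nodes
2023-07-18T11:35:34.5879947Z INFO: 13:35:34.586999605 Tarjan found 152262 components
2023-07-18T11:35:38.1273466Z INFO: Analyzing 8870 ucfgs to detect vulnerabilities.
2023-07-18T11:35:52.2078957Z INFO: Taint analysis starting. Entrypoints: 1668"""

# Messages emitted by the JsSecuritySensor phase, as seen in the logs above.
PATTERNS = {
    "tarjan_nodes": re.compile(r"Running Tarjan on (\d+) nodes"),
    "tarjan_components": re.compile(r"Tarjan found (\d+) components"),
    "ucfgs": re.compile(r"Analyzing (\d+) ucfgs"),
    "entrypoints": re.compile(r"Entrypoints: (\d+)"),
}

# Azure DevOps prefixes every line with an ISO timestamp carrying 7 fractional digits.
TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+)Z ")


def parse_run(text):
    """Extract the sensor metrics and the elapsed span of one scanner log."""
    metrics = {}
    first = last = None
    for line in text.splitlines():
        m = TS.match(line)
        if m:
            # datetime.fromisoformat accepts at most 6 fractional digits, so trim to 26 chars.
            ts = datetime.fromisoformat(m.group(1)[:26])
            if first is None:
                first = ts
            last = ts
        for key, pat in PATTERNS.items():
            hit = pat.search(line)
            if hit:
                # The graph is built twice per run; keep the last value seen.
                metrics[key] = int(hit.group(1))
    # Assumed metric: wall-clock seconds between first and last parsed line.
    metrics["span_seconds"] = (last - first).total_seconds() if first and last else 0.0
    return metrics


def compare_runs(baseline, current, threshold=1.5):
    """Return (metric, baseline_value, current_value, ratio) for metrics that grew past threshold."""
    flagged = []
    for key in sorted(set(baseline) & set(current)):
        old, new = baseline[key], current[key]
        if old == 0:
            continue
        ratio = new / old
        if ratio > threshold:
            flagged.append((key, old, new, round(ratio, 3)))
    return flagged


if __name__ == "__main__":
    base, cur = parse_run(LOG_17), parse_run(LOG_18)
    for key, old, new, ratio in compare_runs(base, cur):
        print(f"{key}: {old} -> {new} (x{ratio})")
```

Run against the two logs, the script flags the Tarjan node and component counts and the elapsed span (all roughly 2.2x), while the ucfg and entrypoint counts stay within 1%, which matches the observation in the post that the graph size doubled without a matching change in the analyzed code.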

Hello, and thank you for reporting this in a dedicated thread.

I created an internal ticket to investigate this similar issue.

Is the project you are analyzing open source? So that we can reproduce the issue on our side directly from the source code.
If not, would you be willing to share the content of the ucfg2/js folder with us privately? That would also help us by allowing us to reproduce the security analysis part on our end.

In the meantime, if the speed of analysis is critical for your pipeline, you can deactivate injection rules (I would recommend still executing a complete analysis regularly to keep high security). Hotspots and other vulnerability rules can be kept as they don’t rely on the JsSecuritySensor. You can find all the vulnerability injection rules for JavaScript (and TypeScript) here: JavaScript static code analysis | injection.

Best,
Nicolas

Hi,
It’s not an open source project. I was just struggling to get the ucfg2/js files, because I don’t have access to the machine with this folder. In the meantime JsSecuritySensor started working fine, the performance is more or less the same as before 18 July. There was no change on our side, so maybe you fixed the problem already. Now it’s working fine for us.

Best regards,
Rafal Borek


Hi, I’m really happy to read that. We indeed implemented some improvements recently, it’s really nice to see it solved your issue.
Thanks for your messages!

Best,
Nicolas