Sonarcloud maven scan consumes all memory and dies after reaching rule S3649

Can’t finish code analysis of maven java project with SonarCloud running in bitbucket pipelines. Sonar comes to rule S3649, consumes all available memory (already running 2x with 6GB maven xmx), then dies.

Below are relevant configs and logs.

Please help.

image: maven:3.5.4-jdk-8

    - step:
        size: 2x
          - sl-maven-repo-cache
          - m2-cache
          - sonarcloud
        script: # Modify the commands below to build your repository.         
          - mvn -e -B -f "${workspaceDir}/webapp_core/pom.xml" -Dmaven_repo_base="$workspaceDir" verify -DskipTests -Pmaster
          - pushd "${workspaceDir}/webapp_core"
          - export MAVEN_OPTS="-Xmx6080m"
          - mvn sonar:sonar -Dsonar.projectKey=<removed> -Dsonar.organization=<removed> -Dsonar.login=$SONAR_TOKEN
          - popd

    sl-maven-repo-cache: maven_repo
    m2-cache: ~/.m2/repository
    sonarcloud: ~/.sonar/cache
      image: maven:3.5.4
      memory: 7128
Pipeline console
[INFO] 23/23 source files have been analyzed
[INFO] Sensor PL/SQL Sensor [plsql] (done) | time=1104ms
[INFO] Sensor SurefireSensor [java]
[INFO] parsing [/opt/atlassian/pipelines/agent/build/webapp_core/target/surefire-reports]
[INFO] Sensor SurefireSensor [java] (done) | time=3ms
[INFO] Sensor JaCoCoSensor [java]
[WARNING] Property 'sonar.jacoco.reportPath' is deprecated. Please use 'sonar.jacoco.reportPaths' instead.
[INFO] JaCoCo UT report not found: '/opt/atlassian/pipelines/agent/build/webapp_core/target/jacoco-ut.exec'
[WARNING] Property 'sonar.jacoco.itReportPath' is deprecated. Please use 'sonar.jacoco.reportPaths' instead.
[INFO] JaCoCo IT report not found: '/opt/atlassian/pipelines/agent/build/webapp_core/target/jacoco-it.exec'
[INFO] Sensor JaCoCoSensor [java] (done) | time=6ms
[INFO] Sensor SonarJavaXmlFileSensor [java]
[INFO] 8 source files to be analyzed
[INFO] 8/8 source files have been analyzed
[INFO] Sensor SonarJavaXmlFileSensor [java] (done) | time=222ms
[INFO] Sensor HTML [web]
[INFO] Sensor HTML [web] (done) | time=21ms
[INFO] Sensor XML Sensor [xml]
[WARNING] Metric 'comment_lines_data' is deprecated. Provided value is ignored.
[INFO] Sensor XML Sensor [xml] (done) | time=370ms
[INFO] Sensor JaCoCo XML Report Importer [jacoco]
[INFO] Sensor JaCoCo XML Report Importer [jacoco] (done) | time=10ms
[INFO] Sensor Zero Coverage Sensor
[INFO] Sensor Zero Coverage Sensor (done) | time=736ms
[INFO] Sensor JavaSecuritySensor [security]
[INFO] Reading UCFGs from: /opt/atlassian/pipelines/agent/build/webapp_core/target/sonar/ucfg2/java
[INFO] UCFGs: 26324, excluded: 25859, source entrypoints: 465
[INFO] Analyzing 26324 ucfgs to detect vulnerabilities.
[INFO] rule: S3649, entrypoints: 275
[WARNING] [JOURNAL_FLUSHER] WARNING Journal flush operation took 15,436ms last 8 cycles average is 1,929ms
[WARNING] [JOURNAL_FLUSHER] WARNING Journal flush operation took 40,258ms last 8 cycles average is 5,032ms
Exception in thread "LOG_FLUSHER" java.lang.OutOfMemoryError: Java heap space
	at java.util.ArrayList.iterator(
	at java.util.Collections$SynchronizedCollection.iterator(
	at com.persistit.Persistit.pollAlertMonitors(
	at com.persistit.Persistit$
Exception in thread "CLEANUP_MANAGER" java.lang.OutOfMemoryError: Java heap space
	at java.util.HashMap$Values.iterator(
	at com.persistit.JournalManager.pruneObsoleteTransactions(
	at com.persistit.JournalManager.pruneObsoleteTransactions(
	at com.persistit.CleanupManager.poll(
	at com.persistit.CleanupManager.runTask(
[INFO] ------------------------------------------------------------------------
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 01:02 h
[INFO] Finished at: 2018-11-14T10:45:24Z
[INFO] ------------------------------------------------------------------------
[ERROR] Java heap space: failed reallocation of scalar replaced objects -> [Help 1]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1]

Hi yan,

Did you get any solution for this issue. I having same issue as well.


Hello @prasad-gowda / @ylyachman,

Would you be able to share your projects so we can investigate / debug them and understand what’s wrong?
Without that, it’s just impossible to progress. If your projects are private ones, let’s discuss by email to find a solution.


It seems from the log that you are hitting a performance issue on the security taint analyser. This is something we are already actively working on for the release of SonarQube 7.6 (to come soon).
In order to investigate and reproduce the issue what we would be mostly interested in is the binary files located in target/sonar/ucfg2/java

If you can ideally zip this and make it available (privately) to us that would be the best way for us to try to tackle the issue.
As a workaround this problem you can always deactivate the culprit rule.