SonarCloud scan started failing with no code changes or rules set changes made for Angular project

Arni · February 21, 2023, 4:19pm

Template for a good new topic, formatted with Markdown:

ALM used Azure DevOps
CI system used Azure DevOps
Scanner command used when applicable (private details masked)
Languages of the repository Typescript/Html
Steps to reproduce
Run main branch or PR build. This issue also affects older code base builds which passed have pasted just two weeks ago.
Potential workaround None as of yet

Removed the inline logs due to character limit and upload text files containing both run logs.

*few edits to clean up post

Malte · March 15, 2023, 10:31am

Thank you for your report. We deployed a new version of the analyzer that is failing for you (according to your logs) on SonarCloud at the end of February. This new version specifically addresses some performance and memory issues that we observed in the context of JS/TS. Can you confirm that you are still seeing the same problem as of today?

Arni · March 16, 2023, 10:33am

Hey @Malte!
Thanks for your reply. Yes I can confirm we are still seeing this same problem as of today.

Malte · March 17, 2023, 11:26am

Thank you for confirming, @Arni !

First thing I would like to explore whether there is an infinite recursion somewhere or just a deep one that is exceeding the standard stack size.

To test this, could you try to run the analysis with a huge stack size? For this you would need to set the environment variable SONAR_SCANNER_OPTS="-Xss10m" when running the scanner command.

Arni · March 21, 2023, 12:00pm

I have attemted both with SONAR_SCANNER_OPTS=“-Xss10m” and SONAR_SCANNER_OPTS=“-Xmx2048m”. Confirmed by logs these variables were set correctly.

The pipelines ran for ~ minutes before being automatically cancelled by Azure due to hitting the upper time limit of a pipeline.

Both options logs ended with:

INFO: Reading UCFGs from: /home/vsts/work/1/s/.scannerwork/ucfg2/js
INFO: 10:56:11.596314 Building Runtime Type propagation graph
INFO: 10:56:11.648208 Running Tarjan on 6593 nodes
INFO: 10:56:11.662695 Tarjan found 6593 components
INFO: 10:56:11.684438 Variable type analysis: done
INFO: 10:56:11.687874 Building Runtime Type propagation graph
INFO: 10:56:11.769924 Running Tarjan on 6593 nodes
INFO: 10:56:11.782668 Tarjan found 6593 components
INFO: 10:56:11.795936 Variable type analysis: done
INFO: Analyzing 1198 ucfgs to detect vulnerabilities.
INFO: Taint analysis starting. Entrypoints: 127
INFO: Running symbolic analysis for ‘JS’
##[error]The operation was canceled.

Quentin · March 21, 2023, 1:05pm

Hello @Arni,

Thanks for coming back to us with more details.

Now that we confirmed that something is not behaving as expected, it would be super useful if you could provide the content of the /home/vsts/work/1/s/.scannerwork/ucfg2/js folder. It will enable us to understand exactly what is happening and be sure we find an appropriate solution.

Please do not post them here, I will reach out to you privately.

Omp · July 11, 2023, 3:52pm

Hi Quentin, it seems that Arno has sent you the requested JavaScript folder contents via email. Have you had the opportunity to review and analyze them?

Quentin · July 17, 2023, 8:49am

Hello @Omp

We had the opportunity to review them, and we managed to reproduce the error.
We had a look from different points of view, unfortunately, it was not enough to understand exactly what is happening.

We still keep this task in our backlog, we will keep you posted as soon as we have a better understanding of what is happening.

Best,
Quentin