SonarQube 7.7 - OnPremise - GC overhead limit exceeded on analyzing the rule S3649

Sonar Qube On-prem Version: Enterprise Edition Version 7.7 (build 23042)
Scanner used: [Link] (https://docs.sonarqube.org/latest/analysis/scan/sonarscanner-for-msbuild/)
Scanner version: 4.6.0.1930

#Problem
SonarQube scanner for MSBuild hangs on our project when analyzing the security rules

[13:20:29]	INFO: Reading type hierarchy from: C:\cache\txm\.sonarqube\out\ucfg_cs2
[13:20:31]	INFO: Read 10190 type definitions
[13:20:31]	INFO: Reading UCFGs from: C:\cache\txm\.sonarqube\out\ucfg_cs2
[13:20:42]	INFO: 17:20:42.907 Building Type propagation graph
[13:20:43]	INFO: 17:20:43.557 Running Tarjan on 206575 nodes
[13:20:43]	INFO: 17:20:43.982 Tarjan found 205836 components
[13:20:44]	INFO: 17:20:44.748 Variable type analysis: done
[13:20:45]	INFO: Analyzing 16889 ucfgs to detect vulnerabilities.
[13:21:12]	INFO: All rules entrypoints : 170 Retained UCFGs : 2157
[13:21:12]	INFO: rule: S5131, entrypoints: 83
[13:21:16]	INFO: Visited 387 ucfgs in 3118 ms, 28550 steps
[13:21:16]	INFO: rule: S5131 done
[13:21:16]	INFO: rule: S3649, entrypoints: 25
[14:48:46]	INFO: ------------------------------------------------------------------------
[14:48:46]	INFO: EXECUTION FAILURE
[14:48:46]	INFO: ------------------------------------------------------------------------
[14:48:46]	INFO: Total time: 1:30:53.981s
[14:48:47]	INFO: Final Memory: 19M/1471M
[14:48:47]	ERROR: Error during SonarQube Scanner execution
[14:48:47]	INFO: ------------------------------------------------------------------------
[14:48:47]	ERROR: GC overhead limit exceeded
[14:48:47]	ERROR: 
[14:48:47]	The SonarQube Scanner did not complete successfully
[14:48:47]	18:48:47.307  Post-processing failed. Exit code: 1
[14:48:47]	Process exited with code 1

#Workaround 1 Increase memory

SET SONAR_SCANNER_OPTS="-Xmx4000m"

Increased the memory to 4GB, this didn’t help. Same result

#Workaround 2 Disable security rules in the sonarQube UI
I disabled the rules from SonarQube UI which generated the following SonarQubeAnalysisConfig.xml

  <Property Name="sonar.issue.ignore.multicriteria.1.resourceKey">**/*</Property>
    <Property Name="sonar.issue.ignore.multicriteria.1.ruleKey">roslyn.sonaranalyzer.security.cs:S3649</Property>
    <Property Name="sonar.issue.ignore.multicriteria.2.resourceKey">**/*</Property>
    <Property Name="sonar.issue.ignore.multicriteria.2.ruleKey">roslyn.sonaranalyzer.security.cs:S2076</Property>
    <Property Name="sonar.issue.ignore.multicriteria.3.resourceKey">**/*</Property>
    <Property Name="sonar.issue.ignore.multicriteria.3.ruleKey">roslyn.sonaranalyzer.security.cs:S2078</Property>
    <Property Name="sonar.issue.ignore.multicriteria.4.resourceKey">**/*</Property>
    <Property Name="sonar.issue.ignore.multicriteria.4.ruleKey">roslyn.sonaranalyzer.security.cs:S2083</Property>
    <Property Name="sonar.issue.ignore.multicriteria.5.resourceKey">**/*</Property>
    <Property Name="sonar.issue.ignore.multicriteria.5.ruleKey">roslyn.sonaranalyzer.security.cs:S2091</Property>
    <Property Name="sonar.issue.ignore.multicriteria.6.resourceKey">**/*</Property>
    <Property Name="sonar.issue.ignore.multicriteria.6.ruleKey">roslyn.sonaranalyzer.security.cs:S2631</Property>

However that didn’t do anything. The rules are still getting analyzed and don’t have any workaround at this point to continue.

Hello and welcome to our community

I’m a little bit confused of the SonarQubeAnalysisConfig.xml snippet you are sharing… Are you using Scanner for MSBuild for .NET Framework 4.6 (SonarScanner.MSBuild.exe)?

Regarding the disablement of security rules, this is what I did to reproduce (with sonar-scanner-msbuild-4.6.2.2108-net46 and SQ 7.7 DE)

  • I created a new Quality Profile
  • I deactivated the S3649 security rule (the one that is taking a lot of memory in your case - it’s theSQL injection rule)
  • I made the new quality profile the default one
  • I ran SonarScanner.MSBuild.exe begin /k:"MyProject" /d:sonar.verbose=true - notice I enabled verbose logging

At this point, I verified .sonarqube\conf\SonarQubeRoslyn-cs.ruleset - the Action value for the S3649 security rule. Warning means they’re enabled, None means not enabled.

As you see below, the S3649 has action None, therefore is disabled.

  <Rules AnalyzerId="SonarAnalyzer.Security" RuleNamespace="SonarAnalyzer.Security">
    <Rule Id="S2078" Action="Warning" />
    <Rule Id="S2091" Action="Warning" />
    <Rule Id="S2631" Action="Warning" />
    <Rule Id="S5146" Action="Warning" />
    <Rule Id="S5145" Action="Warning" />
    <Rule Id="S5167" Action="Warning" />
    <Rule Id="S2076" Action="Warning" />
    <Rule Id="S5131" Action="Warning" />
    <Rule Id="S5144" Action="Warning" />
    <Rule Id="S2083" Action="Warning" />
    <Rule Id="S3649" Action="None" />
  </Rules>

Then:

  • I ran MSBuild.exe .\MyProject.sln /t:Rebuild
  • I ran SonarScanner.MSBuild.exe end
  • I verified the logs, and indeed rule S3649 didn’t get applied anymore

To better understand your problem:

  • what version of Scanner for MSBuild are you using - the .NET framework or the .NET Core one?
  • what does the .sonarqube\conf\SonarQubeRoslyn-cs.ruleset file contain for the security rules?
  • inside .sonarqube\conf\SonarQubeAnalysisConfig.xml, do you have the following details?
  <AnalyzersSettings>
    <AnalyzerSettings>
      <Language>cs</Language>
      <RuleSetFilePath>path-to-project\.sonarqube\conf\SonarQubeRoslyn-cs.ruleset</RuleSetFilePath>
      <TestProjectRuleSetFilePath>path-to-project\.sonarqube\conf\SonarQubeRoslyn-cs-test.ruleset</TestProjectRuleSetFilePath>
      <AdditionalFilePaths>
        <Path>path-to-project\.sonarqube\conf\cs\SonarLint.xml</Path>
      </AdditionalFilePaths>
    </AnalyzerSettings>
1 Like

Thanks for your reply.

  1. MSBuild Scanner version 4.6.0.1930 for .Net framework
  2. The ruleset does still include the security rules
    <Rule Id="S2631" Action="Warning" />
    <Rule Id="S5146" Action="Warning" />
    <Rule Id="S5145" Action="Warning" />
    <Rule Id="S5167" Action="Warning" />
    <Rule Id="S2076" Action="Warning" />
    <Rule Id="S5131" Action="Warning" />
    <Rule Id="S5144" Action="Warning" />
    <Rule Id="S2083" Action="Warning" />
    <Rule Id="S3649" Action="Warning" />
    <Rule Id="S2091" Action="Warning" />
    <Rule Id="S2078" Action="Warning" />
  </Rules>

This probably explains why rules are still getting analyzed. Now I have disabled the rule by going to the project --> Administration --> Analysis Scope
and defined the following key/values for sonar.issue.ignore.multicriteria

Rule key pattern : roslyn.sonaranalyzer.security.cs:S3649
File Path pattern: **/*

We didn’t disable the rule from the Quality profile because it is used by all the projects, so I thought we could override in analysis scope and get the desired results for this project. This doesn’t bring the desired result. Why? If that is not what is intended for, do we have to create a separate quality profile for this project and disable the rule?

Now the next step is to understand why that rule causes issue. I did enable verbosity on a project and have the following log while analyzing S3649

[14:12:41] :	 [Step 7/7] 18:12:41.097 DEBUG: Failed to read resource file: roslyn.sonaranalyzer.security.cs/sanitizers/S3649.json
[14:12:41] :	 [Step 7/7] 18:12:41.097 DEBUG: loaded 24 sanitizers for rule S3649
[14:12:41] :	 [Step 7/7] 18:12:41.097 DEBUG: Failed to read resource file: roslyn.sonaranalyzer.security.cs/passthroughs/S3649.json
[14:12:41] :	 [Step 7/7] 18:12:41.097 DEBUG: loaded 50 spec-type for rule S3649
[14:12:41] :	 [Step 7/7] 18:12:41.097 DEBUG: Running rule roslyn.sonaranalyzer.security.cs:S3649
...
[16:19:57] :	 [Step 7/7] 20:19:57.718 DEBUG: Invoking method with ucfg : <REDACTED>
[16:20:35] :	 [Step 7/7] 20:20:35.621 DEBUG: Matching passthrough : __concat
[16:20:35] :	 [Step 7/7] 20:20:35.621 DEBUG: Matching passthrough : System.Collections.Generic.List<T>.Count.get
[16:21:28] :	 [Step 7/7] 20:21:28.723 DEBUG: Invoking method with ucfg : <REDACTED>
[16:21:54] :	 [Step 7/7] 20:21:54.711 INFO: ------------------------------------------------------------------------
[16:21:54] :	 [Step 7/7] 20:21:54.711 INFO: EXECUTION FAILURE
[16:21:54] :	 [Step 7/7] 20:21:54.711 INFO: ------------------------------------------------------------------------
[16:21:54] :	 [Step 7/7] 20:21:54.711 INFO: Total time: 2:12:31.820s
[16:21:54]W:	 [Step 7/7] 20:21:54.869 ERROR: Error during SonarQube Scanner execution
[16:21:54] :	 [Step 7/7] 20:21:54.869 INFO: Final Memory: 19M/2808M
[16:21:54] :	 [Step 7/7] 20:21:54.869 INFO: ------------------------------------------------------------------------
[16:21:54]W:	 [Step 7/7] java.lang.OutOfMemoryError: GC overhead limit exceeded
[16:21:54]W:	 [Step 7/7] 	at org.B.H.A(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at org.B.H.A(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at org.B.H.A(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at org.B.H.A(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at org.B.H.A(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at org.B.H.A(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at org.B.H.A(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at org.B.H.A(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at org.B.H.A(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at org.B.H.A(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at org.B.H.A(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at org.B.F.A(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at org.B.F.A(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at org.B.E.B(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at com.sonar.security.analysis.F.A(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at com.sonar.security.analysis.F.A(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at com.sonar.security.analysis.taint.A.F.A(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at com.sonar.security.analysis.taint.A.A.A(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at com.sonar.security.analysis.taint.A.D.A(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at com.sonar.security.analysis.taint.A.E$$Lambda$1207/1070814989.apply(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at java.util.stream.ReduceOps$1ReducingSink.accept(ReduceOps.java:80)
[16:21:54]W:	 [Step 7/7] 	at java.util.Iterator.forEachRemaining(Iterator.java:116)
[16:21:54]W:	 [Step 7/7] 	at java.util.Spliterators$IteratorSpliterator.forEachRemaining(Spliterators.java:1801)
[16:21:54]W:	 [Step 7/7] 	at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
[16:21:54]W:	 [Step 7/7] 	at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
[16:21:54]W:	 [Step 7/7] 	at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708)
[16:21:54]W:	 [Step 7/7] 	at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
[16:21:54]W:	 [Step 7/7] 	at java.util.stream.ReferencePipeline.reduce(ReferencePipeline.java:474)
[16:21:54]W:	 [Step 7/7] 	at com.sonar.security.analysis.taint.A.B.A(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at com.sonar.security.analysis.taint.A.E.A(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at com.sonar.security.analysis.taint.A.E.A(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at com.sonar.security.analysis.taint.A.E$$Lambda$1203/332603856.apply(Unknown Source)
[16:21:55] :	 [Step 7/7] Process returned exit code 1
[16:21:55]W:	 [Step 7/7] The SonarQube Scanner did not complete successfully
[16:21:55]W:	 [Step 7/7] 20:21:55.312  Post-processing failed. Exit code: 1
[16:21:55]W:	 [Step 7/7] Process exited with code 1
[16:21:56]E:	 [Step 7/7] Process exited with code 1 (Step: SonarQube end step (Command Line))
[16:21:56]E:	 [Step 7/7] Out of memory: GC overhead limit exceeded

  1. Yes, I do the settings inside SonarQubeAnalysisConfig.xml
    <AnalyzerSettings>
      <Language>cs</Language>
      <RuleSetFilePath>C:\projects\tax-management-core\.sonarqube\conf\SonarQubeRoslyn-cs.ruleset</RuleSetFilePath>
      <TestProjectRuleSetFilePath>C:\projects\tax-management-core\.sonarqube\conf\SonarQubeRoslyn-cs-test.ruleset</TestProjectRuleSetFilePath>
      <AnalyzerPlugins>
        <AnalyzerPlugin Key="csharp" Version="7.11.0.8083" StaticResourceName="SonarAnalyzer-7.11.0.8083.zip">
          <AssemblyPaths>
            <Path>C:\Users\GokulaPrakashT\AppData\Local\.sonarqube\resources\0\Google.Protobuf.dll</Path>
            <Path>C:\Users\GokulaPrakashT\AppData\Local\.sonarqube\resources\0\SonarAnalyzer.CSharp.dll</Path>
            <Path>C:\Users\GokulaPrakashT\AppData\Local\.sonarqube\resources\0\SonarAnalyzer.dll</Path>
          </AssemblyPaths>
        </AnalyzerPlugin>
        <AnalyzerPlugin Key="vbnet" Version="7.11.0.8083" StaticResourceName="SonarAnalyzer-7.11.0.8083.zip">
          <AssemblyPaths>
            <Path>C:\Users\GokulaPrakashT\AppData\Local\.sonarqube\resources\1\Google.Protobuf.dll</Path>
            <Path>C:\Users\GokulaPrakashT\AppData\Local\.sonarqube\resources\1\SonarAnalyzer.dll</Path>
            <Path>C:\Users\GokulaPrakashT\AppData\Local\.sonarqube\resources\1\SonarAnalyzer.VisualBasic.dll</Path>
          </AssemblyPaths>
        </AnalyzerPlugin>
        <AnalyzerPlugin Key="securitycsharpfrontend" Version="7.7.0.4011" StaticResourceName="SonarAnalyzer.Security-7.7.0.4011.zip">
          <AssemblyPaths>
            <Path>C:\Users\GokulaPrakashT\AppData\Local\.sonarqube\resources\2\analyzers\dotnet\cs\Google.Protobuf.dll</Path>
            <Path>C:\Users\GokulaPrakashT\AppData\Local\.sonarqube\resources\2\analyzers\dotnet\cs\SonarAnalyzer.Security.dll</Path>
          </AssemblyPaths>
        </AnalyzerPlugin>
      </AnalyzerPlugins>
      <AdditionalFilePaths>
        <Path>C:\projects\tax-management-core\.sonarqube\conf\cs\SonarLint.xml</Path>
      </AdditionalFilePaths>
    </AnalyzerSettings>
    <AnalyzerSettings>
1 Like

You did well. Indeed, disabling the rule is a temporary solution for this project only, until we will improve the performance for our taint analysis engine (that finds tricky injection flaws in the code - you can read Code Security, for Everyone for an overview)

I now understand better what you were doing. I’ll have to look into why the sonar.issue.ignore.multicriteria doesn’t get applied in this case, and will come back on this thread in case it’s a bug inside one of our tools.

To come back to the initial problem, that of unblocking the analysis for your project. Yes, the straight forward way is to create a separate quality profile for this project and disable the rule

  • create a new C# Quality Profile (without setting it to default): Quality Profiles -> C# -> SonarWay -> Copy -> give a name for the profile (like Default w/o S3649)
  • disable S3649 in the new profile
  • go to your project -> Administration -> Quality Profiles -> C# -> select the new profile you created (Default w/o S3649)
  • run a new analysis for the project

Now, the rule will not be applied anymore. This should be considered as a temporary solution for this specific project, until we find out what the problem is.

I’ll continue this discussion in a private message, to avoid sharing sensitive information on the public forum.