SonarQube on-prem version: Enterprise Edition 7.7 (build 23042)
Scanner used: SonarScanner for MSBuild (https://docs.sonarqube.org/latest/analysis/scan/sonarscanner-for-msbuild/)
Scanner version: 4.6.0.1930
# Problem
SonarQube scanner for MSBuild hangs on our project when analyzing the security rules:
[13:20:29] INFO: Reading type hierarchy from: C:\cache\txm\.sonarqube\out\ucfg_cs2
[13:20:31] INFO: Read 10190 type definitions
[13:20:31] INFO: Reading UCFGs from: C:\cache\txm\.sonarqube\out\ucfg_cs2
[13:20:42] INFO: 17:20:42.907 Building Type propagation graph
[13:20:43] INFO: 17:20:43.557 Running Tarjan on 206575 nodes
[13:20:43] INFO: 17:20:43.982 Tarjan found 205836 components
[13:20:44] INFO: 17:20:44.748 Variable type analysis: done
[13:20:45] INFO: Analyzing 16889 ucfgs to detect vulnerabilities.
[13:21:12] INFO: All rules entrypoints : 170 Retained UCFGs : 2157
[13:21:12] INFO: rule: S5131, entrypoints: 83
[13:21:16] INFO: Visited 387 ucfgs in 3118 ms, 28550 steps
[13:21:16] INFO: rule: S5131 done
[13:21:16] INFO: rule: S3649, entrypoints: 25
[14:48:46] INFO: ------------------------------------------------------------------------
[14:48:46] INFO: EXECUTION FAILURE
[14:48:46] INFO: ------------------------------------------------------------------------
[14:48:46] INFO: Total time: 1:30:53.981s
[14:48:47] INFO: Final Memory: 19M/1471M
[14:48:47] ERROR: Error during SonarQube Scanner execution
[14:48:47] INFO: ------------------------------------------------------------------------
[14:48:47] ERROR: GC overhead limit exceeded
[14:48:47] ERROR:
[14:48:47] The SonarQube Scanner did not complete successfully
[14:48:47] 18:48:47.307 Post-processing failed. Exit code: 1
[14:48:47] Process exited with code 1
# Workaround 1: Increase memory
SET SONAR_SCANNER_OPTS="-Xmx4000m"
Increased the memory to 4 GB; this didn’t help. Same result.
# Workaround 2: Disable security rules in the SonarQube UI
I disabled the rules from the SonarQube UI, which generated the following in SonarQubeAnalysisConfig.xml:
<Property Name="sonar.issue.ignore.multicriteria.1.resourceKey">**/*</Property>
<Property Name="sonar.issue.ignore.multicriteria.1.ruleKey">roslyn.sonaranalyzer.security.cs:S3649</Property>
<Property Name="sonar.issue.ignore.multicriteria.2.resourceKey">**/*</Property>
<Property Name="sonar.issue.ignore.multicriteria.2.ruleKey">roslyn.sonaranalyzer.security.cs:S2076</Property>
<Property Name="sonar.issue.ignore.multicriteria.3.resourceKey">**/*</Property>
<Property Name="sonar.issue.ignore.multicriteria.3.ruleKey">roslyn.sonaranalyzer.security.cs:S2078</Property>
<Property Name="sonar.issue.ignore.multicriteria.4.resourceKey">**/*</Property>
<Property Name="sonar.issue.ignore.multicriteria.4.ruleKey">roslyn.sonaranalyzer.security.cs:S2083</Property>
<Property Name="sonar.issue.ignore.multicriteria.5.resourceKey">**/*</Property>
<Property Name="sonar.issue.ignore.multicriteria.5.ruleKey">roslyn.sonaranalyzer.security.cs:S2091</Property>
<Property Name="sonar.issue.ignore.multicriteria.6.resourceKey">**/*</Property>
<Property Name="sonar.issue.ignore.multicriteria.6.ruleKey">roslyn.sonaranalyzer.security.cs:S2631</Property>
However, that didn’t do anything. The rules are still getting analyzed, and I don’t have any workaround at this point to continue.
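The log above already contains the answer to "which rule is hanging": every rule logs a `rule: Sxxxx, entrypoints: N` line when it starts and a `rule: Sxxxx done` line when it finishes, so the rule that started but never finished before `EXECUTION FAILURE` is the one that exhausted the heap. The following script is an added example (not part of the original post or of SonarSource's tooling) that makes that triage mechanical: it attributes the failure to the unfinished rule, reports how long it ran, and notes the heap size at exit. The sample log is constructed to mirror the lines in the thread; the regexes also tolerate the TeamCity-wrapped variant (`[16:21:54] : [Step 7/7] 20:21:54.711 INFO: ...`) that appears later in the thread.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

# Constructed sample shaped like the scanner "end" step output in the thread (not the poster's full log).
SAMPLE_LOG = """\
[13:20:45] INFO: Analyzing 16889 ucfgs to detect vulnerabilities.
[13:21:12] INFO: All rules entrypoints : 170 Retained UCFGs : 2157
[13:21:12] INFO: rule: S5131, entrypoints: 83
[13:21:16] INFO: Visited 387 ucfgs in 3118 ms, 28550 steps
[13:21:16] INFO: rule: S5131 done
[13:21:16] INFO: rule: S3649, entrypoints: 25
[14:48:46] INFO: EXECUTION FAILURE
[14:48:46] INFO: Total time: 1:30:53.981s
[14:48:47] INFO: Final Memory: 19M/1471M
[14:48:47] ERROR: GC overhead limit exceeded
"""

# Leading wall-clock stamp, then anything (e.g. " : [Step 7/7] 18:12:41.097 ") up to the message.
TS = r"^\[(\d{2}:\d{2}:\d{2})\].*?"
RULE_START = re.compile(TS + r"INFO: rule: (S\d+), entrypoints: (\d+)")
RULE_VISIT = re.compile(TS + r"INFO: Visited (\d+) ucfgs in (\d+) ms, (\d+) steps")
RULE_DONE = re.compile(TS + r"INFO: rule: (S\d+) done")
FAILURE = re.compile(TS + r"INFO: EXECUTION FAILURE")
FINAL_MEM = re.compile(TS + r"INFO: Final Memory: (\d+)M/(\d+)M")
OOM_MARKERS = ("GC overhead limit exceeded", "OutOfMemoryError", "Java heap space")


@dataclass
class RuleRun:
    key: str
    entrypoints: int
    started: str
    finished: bool = False
    ucfgs: Optional[int] = None
    millis: Optional[int] = None
    steps: Optional[int] = None


def _elapsed_seconds(start: str, end: str) -> int:
    fmt = "%H:%M:%S"
    delta = datetime.strptime(end, fmt) - datetime.strptime(start, fmt)
    if delta < timedelta(0):  # the run crossed midnight
        delta += timedelta(days=1)
    return int(delta.total_seconds())


def analyze_rule_log(text: str) -> dict:
    """Attribute a scanner failure to the security rule that was running when it happened."""
    runs: Dict[str, RuleRun] = {}
    current: Optional[RuleRun] = None
    failure_ts: Optional[str] = None
    heap_mb: Optional[int] = None
    oom = False
    for line in text.splitlines():
        if m := RULE_START.match(line):
            current = RuleRun(key=m[2], entrypoints=int(m[3]), started=m[1])
            runs[current.key] = current
        elif (m := RULE_VISIT.match(line)) and current is not None:
            current.ucfgs, current.millis, current.steps = int(m[2]), int(m[3]), int(m[4])
        elif m := RULE_DONE.match(line):
            if m[2] in runs:
                runs[m[2]].finished = True
            current = None
        elif (m := FAILURE.match(line)) and failure_ts is None:
            failure_ts = m[1]
        elif m := FINAL_MEM.match(line):
            heap_mb = int(m[3])  # total heap the JVM had grown to when it gave up
        if any(marker in line for marker in OOM_MARKERS):
            oom = True
    stalled = [r for r in runs.values() if not r.finished]
    culprit = stalled[0] if stalled else None
    return {
        "completed": {r.key: {"ms": r.millis, "steps": r.steps, "ucfgs": r.ucfgs}
                      for r in runs.values() if r.finished},
        "stalled_rule": culprit.key if culprit else None,
        "stalled_entrypoints": culprit.entrypoints if culprit else None,
        "stalled_seconds": _elapsed_seconds(culprit.started, failure_ts) if culprit and failure_ts else None,
        "oom": oom,
        "heap_mb_at_exit": heap_mb,
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    result = analyze_rule_log(text)
    for key, stats in result["completed"].items():
        print(f"{key}: finished, {stats['ms']} ms, {stats['steps']} steps")
    if result["stalled_rule"]:
        print(f"{result['stalled_rule']}: never finished ({result['stalled_entrypoints']} entrypoints, "
              f"{result['stalled_seconds']} s before failure, OOM={result['oom']}, heap {result['heap_mb_at_exit']} MB)")
```

Run it as `python rule_triage.py end-step.log`; with no argument it analyses the embedded sample and names S3649 as the rule that ran for about 87 minutes before the GC overhead error. That is the rule to disable or exclude first, and the `heap_mb_at_exit` figure tells you whether a bigger `-Xmx` was even being used (here the JVM had only grown to ~1.4 GB, so the 4 GB setting from Workaround 1 was either not picked up or not the bottleneck).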
Hello and welcome to our community
I’m a little bit confused by the SonarQubeAnalysisConfig.xml snippet you are sharing… Are you using Scanner for MSBuild for .NET Framework 4.6 (SonarScanner.MSBuild.exe)?
Regarding the disablement of security rules, this is what I did to reproduce (with sonar-scanner-msbuild-4.6.2.2108-net46 and SQ 7.7 DE):
- I created a new Quality Profile
- I deactivated the `S3649` security rule (the one that is taking a lot of memory in your case; it’s the SQL injection rule)
- I made the new quality profile the default one
- I ran `SonarScanner.MSBuild.exe begin /k:"MyProject" /d:sonar.verbose=true`
- notice I enabled verbose logging
At this point, I verified `.sonarqube\conf\SonarQubeRoslyn-cs.ruleset`, specifically the `Action` value for the S3649 security rule: `Warning` means the rule is enabled, `None` means it is not enabled. As you see below, `S3649` has action `None` and is therefore disabled.
<Rules AnalyzerId="SonarAnalyzer.Security" RuleNamespace="SonarAnalyzer.Security">
<Rule Id="S2078" Action="Warning" />
<Rule Id="S2091" Action="Warning" />
<Rule Id="S2631" Action="Warning" />
<Rule Id="S5146" Action="Warning" />
<Rule Id="S5145" Action="Warning" />
<Rule Id="S5167" Action="Warning" />
<Rule Id="S2076" Action="Warning" />
<Rule Id="S5131" Action="Warning" />
<Rule Id="S5144" Action="Warning" />
<Rule Id="S2083" Action="Warning" />
<Rule Id="S3649" Action="None" />
</Rules>
Then:
- I ran `MSBuild.exe .\MyProject.sln /t:Rebuild`
- I ran `SonarScanner.MSBuild.exe end`
- I verified the logs, and indeed rule `S3649` didn’t get applied anymore
To better understand your problem:
- what version of Scanner for MSBuild are you using, the .NET Framework or the .NET Core one?
- what does the `.sonarqube\conf\SonarQubeRoslyn-cs.ruleset` file contain for the security rules?
- inside `.sonarqube\conf\SonarQubeAnalysisConfig.xml`, do you have the following details?
<AnalyzersSettings>
<AnalyzerSettings>
<Language>cs</Language>
<RuleSetFilePath>path-to-project\.sonarqube\conf\SonarQubeRoslyn-cs.ruleset</RuleSetFilePath>
<TestProjectRuleSetFilePath>path-to-project\.sonarqube\conf\SonarQubeRoslyn-cs-test.ruleset</TestProjectRuleSetFilePath>
<AdditionalFilePaths>
<Path>path-to-project\.sonarqube\conf\cs\SonarLint.xml</Path>
</AdditionalFilePaths>
</AnalyzerSettings>
</AnalyzersSettings>
Thanks for your reply.
- MSBuild Scanner version 4.6.0.1930 for .NET Framework
- The ruleset does still include the security rules:
<Rules AnalyzerId="SonarAnalyzer.Security" RuleNamespace="SonarAnalyzer.Security">
<Rule Id="S2631" Action="Warning" />
<Rule Id="S5146" Action="Warning" />
<Rule Id="S5145" Action="Warning" />
<Rule Id="S5167" Action="Warning" />
<Rule Id="S2076" Action="Warning" />
<Rule Id="S5131" Action="Warning" />
<Rule Id="S5144" Action="Warning" />
<Rule Id="S2083" Action="Warning" />
<Rule Id="S3649" Action="Warning" />
<Rule Id="S2091" Action="Warning" />
<Rule Id="S2078" Action="Warning" />
</Rules>
This probably explains why the rules are still getting analyzed. Now I have disabled the rule by going to the project → Administration → Analysis Scope and defined the following key/values for sonar.issue.ignore.multicriteria:
Rule key pattern: roslyn.sonaranalyzer.security.cs:S3649
File path pattern: **/*
We didn’t disable the rule from the Quality Profile because it is used by all the projects, so I thought we could override it in Analysis Scope and get the desired result for this project. This doesn’t bring the desired result. Why? If that is not what it is intended for, do we have to create a separate quality profile for this project and disable the rule?
Now the next step is to understand why that rule causes the issue. I enabled verbosity on a project and have the following log while analyzing S3649:
[14:12:41] : [Step 7/7] 18:12:41.097 DEBUG: Failed to read resource file: roslyn.sonaranalyzer.security.cs/sanitizers/S3649.json
[14:12:41] : [Step 7/7] 18:12:41.097 DEBUG: loaded 24 sanitizers for rule S3649
[14:12:41] : [Step 7/7] 18:12:41.097 DEBUG: Failed to read resource file: roslyn.sonaranalyzer.security.cs/passthroughs/S3649.json
[14:12:41] : [Step 7/7] 18:12:41.097 DEBUG: loaded 50 spec-type for rule S3649
[14:12:41] : [Step 7/7] 18:12:41.097 DEBUG: Running rule roslyn.sonaranalyzer.security.cs:S3649
...
[16:19:57] : [Step 7/7] 20:19:57.718 DEBUG: Invoking method with ucfg : <REDACTED>
[16:20:35] : [Step 7/7] 20:20:35.621 DEBUG: Matching passthrough : __concat
[16:20:35] : [Step 7/7] 20:20:35.621 DEBUG: Matching passthrough : System.Collections.Generic.List<T>.Count.get
[16:21:28] : [Step 7/7] 20:21:28.723 DEBUG: Invoking method with ucfg : <REDACTED>
[16:21:54] : [Step 7/7] 20:21:54.711 INFO: ------------------------------------------------------------------------
[16:21:54] : [Step 7/7] 20:21:54.711 INFO: EXECUTION FAILURE
[16:21:54] : [Step 7/7] 20:21:54.711 INFO: ------------------------------------------------------------------------
[16:21:54] : [Step 7/7] 20:21:54.711 INFO: Total time: 2:12:31.820s
[16:21:54]W: [Step 7/7] 20:21:54.869 ERROR: Error during SonarQube Scanner execution
[16:21:54] : [Step 7/7] 20:21:54.869 INFO: Final Memory: 19M/2808M
[16:21:54] : [Step 7/7] 20:21:54.869 INFO: ------------------------------------------------------------------------
[16:21:54]W: [Step 7/7] java.lang.OutOfMemoryError: GC overhead limit exceeded
[16:21:54]W: [Step 7/7] at org.B.H.A(Unknown Source)
[16:21:54]W: [Step 7/7] at org.B.H.A(Unknown Source)
[16:21:54]W: [Step 7/7] at org.B.H.A(Unknown Source)
[16:21:54]W: [Step 7/7] at org.B.H.A(Unknown Source)
[16:21:54]W: [Step 7/7] at org.B.H.A(Unknown Source)
[16:21:54]W: [Step 7/7] at org.B.H.A(Unknown Source)
[16:21:54]W: [Step 7/7] at org.B.H.A(Unknown Source)
[16:21:54]W: [Step 7/7] at org.B.H.A(Unknown Source)
[16:21:54]W: [Step 7/7] at org.B.H.A(Unknown Source)
[16:21:54]W: [Step 7/7] at org.B.H.A(Unknown Source)
[16:21:54]W: [Step 7/7] at org.B.H.A(Unknown Source)
[16:21:54]W: [Step 7/7] at org.B.F.A(Unknown Source)
[16:21:54]W: [Step 7/7] at org.B.F.A(Unknown Source)
[16:21:54]W: [Step 7/7] at org.B.E.B(Unknown Source)
[16:21:54]W: [Step 7/7] at com.sonar.security.analysis.F.A(Unknown Source)
[16:21:54]W: [Step 7/7] at com.sonar.security.analysis.F.A(Unknown Source)
[16:21:54]W: [Step 7/7] at com.sonar.security.analysis.taint.A.F.A(Unknown Source)
[16:21:54]W: [Step 7/7] at com.sonar.security.analysis.taint.A.A.A(Unknown Source)
[16:21:54]W: [Step 7/7] at com.sonar.security.analysis.taint.A.D.A(Unknown Source)
[16:21:54]W: [Step 7/7] at com.sonar.security.analysis.taint.A.E$$Lambda$1207/1070814989.apply(Unknown Source)
[16:21:54]W: [Step 7/7] at java.util.stream.ReduceOps$1ReducingSink.accept(ReduceOps.java:80)
[16:21:54]W: [Step 7/7] at java.util.Iterator.forEachRemaining(Iterator.java:116)
[16:21:54]W: [Step 7/7] at java.util.Spliterators$IteratorSpliterator.forEachRemaining(Spliterators.java:1801)
[16:21:54]W: [Step 7/7] at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
[16:21:54]W: [Step 7/7] at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
[16:21:54]W: [Step 7/7] at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708)
[16:21:54]W: [Step 7/7] at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
[16:21:54]W: [Step 7/7] at java.util.stream.ReferencePipeline.reduce(ReferencePipeline.java:474)
[16:21:54]W: [Step 7/7] at com.sonar.security.analysis.taint.A.B.A(Unknown Source)
[16:21:54]W: [Step 7/7] at com.sonar.security.analysis.taint.A.E.A(Unknown Source)
[16:21:54]W: [Step 7/7] at com.sonar.security.analysis.taint.A.E.A(Unknown Source)
[16:21:54]W: [Step 7/7] at com.sonar.security.analysis.taint.A.E$$Lambda$1203/332603856.apply(Unknown Source)
[16:21:55] : [Step 7/7] Process returned exit code 1
[16:21:55]W: [Step 7/7] The SonarQube Scanner did not complete successfully
[16:21:55]W: [Step 7/7] 20:21:55.312 Post-processing failed. Exit code: 1
[16:21:55]W: [Step 7/7] Process exited with code 1
[16:21:56]E: [Step 7/7] Process exited with code 1 (Step: SonarQube end step (Command Line))
[16:21:56]E: [Step 7/7] Out of memory: GC overhead limit exceeded
- Yes, I do have the settings inside SonarQubeAnalysisConfig.xml:
<AnalyzerSettings>
<Language>cs</Language>
<RuleSetFilePath>C:\projects\tax-management-core\.sonarqube\conf\SonarQubeRoslyn-cs.ruleset</RuleSetFilePath>
<TestProjectRuleSetFilePath>C:\projects\tax-management-core\.sonarqube\conf\SonarQubeRoslyn-cs-test.ruleset</TestProjectRuleSetFilePath>
<AnalyzerPlugins>
<AnalyzerPlugin Key="csharp" Version="7.11.0.8083" StaticResourceName="SonarAnalyzer-7.11.0.8083.zip">
<AssemblyPaths>
<Path>C:\Users\GokulaPrakashT\AppData\Local\.sonarqube\resources\0\Google.Protobuf.dll</Path>
<Path>C:\Users\GokulaPrakashT\AppData\Local\.sonarqube\resources\0\SonarAnalyzer.CSharp.dll</Path>
<Path>C:\Users\GokulaPrakashT\AppData\Local\.sonarqube\resources\0\SonarAnalyzer.dll</Path>
</AssemblyPaths>
</AnalyzerPlugin>
<AnalyzerPlugin Key="vbnet" Version="7.11.0.8083" StaticResourceName="SonarAnalyzer-7.11.0.8083.zip">
<AssemblyPaths>
<Path>C:\Users\GokulaPrakashT\AppData\Local\.sonarqube\resources\1\Google.Protobuf.dll</Path>
<Path>C:\Users\GokulaPrakashT\AppData\Local\.sonarqube\resources\1\SonarAnalyzer.dll</Path>
<Path>C:\Users\GokulaPrakashT\AppData\Local\.sonarqube\resources\1\SonarAnalyzer.VisualBasic.dll</Path>
</AssemblyPaths>
</AnalyzerPlugin>
<AnalyzerPlugin Key="securitycsharpfrontend" Version="7.7.0.4011" StaticResourceName="SonarAnalyzer.Security-7.7.0.4011.zip">
<AssemblyPaths>
<Path>C:\Users\GokulaPrakashT\AppData\Local\.sonarqube\resources\2\analyzers\dotnet\cs\Google.Protobuf.dll</Path>
<Path>C:\Users\GokulaPrakashT\AppData\Local\.sonarqube\resources\2\analyzers\dotnet\cs\SonarAnalyzer.Security.dll</Path>
</AssemblyPaths>
</AnalyzerPlugin>
</AnalyzerPlugins>
<AdditionalFilePaths>
<Path>C:\projects\tax-management-core\.sonarqube\conf\cs\SonarLint.xml</Path>
</AdditionalFilePaths>
</AnalyzerSettings>
<AnalyzerSettings>
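The two posts above describe a manual check that is worth scripting: the `Action` of each `SonarAnalyzer.Security` rule in `.sonarqube\conf\SonarQubeRoslyn-cs.ruleset` decides whether the Roslyn analyzer runs the rule at all, while the `sonar.issue.ignore.multicriteria.N.*` properties in `SonarQubeAnalysisConfig.xml` only describe issues to ignore, which is exactly why the ruleset still showed `S3649` as `Warning` after the Analysis Scope exclusion was added. The script below is an added example (not the poster's files or SonarSource's code) that reads both files from a `.sonarqube\conf` directory and lists security rules that are excluded yet still active. The two embedded documents are constructed samples shaped like the snippets in the thread; the `AnalysisConfig` namespace URI in the sample is assumed, and the parser deliberately ignores namespaces so it works either way.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List

SECURITY_ANALYZER = "SonarAnalyzer.Security"
SECURITY_REPO = "roslyn.sonaranalyzer.security.cs"  # rule-key repository used in the thread

# Constructed sample ruleset, shaped like SonarQubeRoslyn-cs.ruleset (not a real project's file).
SAMPLE_RULESET = """<?xml version="1.0" encoding="utf-8"?>
<RuleSet Name="Rules for SonarQube" Description="Constructed sample" ToolsVersion="14.0">
  <Rules AnalyzerId="SonarAnalyzer.CSharp" RuleNamespace="SonarAnalyzer.CSharp">
    <Rule Id="S1118" Action="Warning" />
  </Rules>
  <Rules AnalyzerId="SonarAnalyzer.Security" RuleNamespace="SonarAnalyzer.Security">
    <Rule Id="S2076" Action="Warning" />
    <Rule Id="S5131" Action="Warning" />
    <Rule Id="S3649" Action="Warning" />
    <Rule Id="S2078" Action="None" />
  </Rules>
</RuleSet>
"""

# Constructed sample config, shaped like SonarQubeAnalysisConfig.xml; the xmlns value is assumed.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<AnalysisConfig xmlns="http://www.sonarsource.com/msbuild/integration/2015/1">
  <ServerSettings>
    <Property Name="sonar.issue.ignore.multicriteria">1,2,3</Property>
    <Property Name="sonar.issue.ignore.multicriteria.1.resourceKey">**/*</Property>
    <Property Name="sonar.issue.ignore.multicriteria.1.ruleKey">roslyn.sonaranalyzer.security.cs:S3649</Property>
    <Property Name="sonar.issue.ignore.multicriteria.2.resourceKey">**/*</Property>
    <Property Name="sonar.issue.ignore.multicriteria.2.ruleKey">roslyn.sonaranalyzer.security.cs:S2076</Property>
    <Property Name="sonar.issue.ignore.multicriteria.3.resourceKey">**/*</Property>
    <Property Name="sonar.issue.ignore.multicriteria.3.ruleKey">roslyn.sonaranalyzer.security.cs:S2078</Property>
  </ServerSettings>
</AnalysisConfig>
"""


def _local(tag: str) -> str:
    """Strip an XML namespace prefix such as '{http://...}' from an element tag."""
    return tag.rsplit("}", 1)[-1]


def security_rule_actions(ruleset_xml: str) -> Dict[str, str]:
    """Map rule Id -> Action for the SonarAnalyzer.Security <Rules> group of a .ruleset file."""
    actions: Dict[str, str] = {}
    for rules in ET.fromstring(ruleset_xml).iter():
        if _local(rules.tag) == "Rules" and rules.get("AnalyzerId") == SECURITY_ANALYZER:
            for rule in rules:
                if _local(rule.tag) == "Rule" and rule.get("Id"):
                    actions[rule.get("Id")] = rule.get("Action", "")
    return actions


def issue_exclusions(config_xml: str) -> Dict[str, str]:
    """Map excluded rule key -> resourceKey pattern from sonar.issue.ignore.multicriteria.N.* properties."""
    props: Dict[str, str] = {}
    for el in ET.fromstring(config_xml).iter():
        if _local(el.tag) == "Property" and el.get("Name"):
            props[el.get("Name")] = (el.text or "").strip()
    prefix = "sonar.issue.ignore.multicriteria."
    exclusions: Dict[str, str] = {}
    for name, value in props.items():
        if name.startswith(prefix) and name.endswith(".ruleKey"):
            idx = name[len(prefix):-len(".ruleKey")]
            exclusions[value] = props.get(f"{prefix}{idx}.resourceKey", "")
    return exclusions


def cross_check(actions: Dict[str, str], exclusions: Dict[str, str]) -> Dict[str, List[str]]:
    """Split security rules into active / disabled, flagging those excluded but still set to run."""
    active = sorted(rid for rid, act in actions.items() if act != "None")
    excluded_ids = {key.split(":", 1)[1] for key in exclusions if key.startswith(SECURITY_REPO + ":")}
    return {
        "active": active,
        "disabled": sorted(rid for rid, act in actions.items() if act == "None"),
        "excluded_but_active": sorted(rid for rid in active if rid in excluded_ids),
    }


def check_conf_dir(conf_dir: Path) -> Dict[str, List[str]]:
    ruleset = (conf_dir / "SonarQubeRoslyn-cs.ruleset").read_text(encoding="utf-8-sig")
    config = (conf_dir / "SonarQubeAnalysisConfig.xml").read_text(encoding="utf-8-sig")
    return cross_check(security_rule_actions(ruleset), issue_exclusions(config))


if __name__ == "__main__":
    report = check_conf_dir(Path(sys.argv[1])) if len(sys.argv) > 1 else \
        cross_check(security_rule_actions(SAMPLE_RULESET), issue_exclusions(SAMPLE_CONFIG))
    print("security rules the analyzer will run:", ", ".join(report["active"]) or "none")
    print("security rules disabled in the ruleset:", ", ".join(report["disabled"]) or "none")
    for rid in report["excluded_but_active"]:
        print(f"WARNING: {rid} has an issue exclusion but is still Action=Warning in the ruleset; "
              f"it will still be analyzed (and can still exhaust the heap)")
```

Run it after `SonarScanner.MSBuild.exe begin` as `python check_ruleset.py .sonarqube\conf`. A non-empty `excluded_but_active` list reproduces the situation in this thread: the exclusion is in the config, but the rule will still execute because the ruleset never changed; only a quality-profile change flips the `Action` to `None`.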
You did well. Indeed, disabling the rule is a temporary solution for this project only, until we improve the performance of our taint analysis engine (which finds tricky injection flaws in the code; you can read Code Security, for Everyone for an overview).
I now understand better what you were doing. I’ll have to look into why the `sonar.issue.ignore.multicriteria` doesn’t get applied in this case, and will come back on this thread in case it’s a bug inside one of our tools.
To come back to the initial problem, that of unblocking the analysis for your project: yes, the straightforward way is to create a separate quality profile for this project and disable the rule:
- create a new C# Quality Profile (without setting it as default): Quality Profiles → C# → SonarWay → Copy → give a name for the profile (like `Default w/o S3649`)
- disable `S3649` in the new profile
- go to your project → Administration → Quality Profiles → C# → select the new profile you created (`Default w/o S3649`)
- run a new analysis for the project
Now, the rule will not be applied anymore. This should be considered as a temporary solution for this specific project, until we find out what the problem is.
I’ll continue this discussion in a private message, to avoid sharing sensitive information on the public forum.
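The four UI steps in the reply above map one-to-one onto SonarQube Web API calls, which matters when you have to apply the same per-project override on several projects or want it in version control rather than click history. The script below is an added example (not SonarSource's code and not from the thread) that performs them with a user token: `GET api/qualityprofiles/search` to find the current default C# profile, `POST api/qualityprofiles/copy`, `POST api/qualityprofiles/deactivate_rule`, and `POST api/qualityprofiles/add_project`. It assumes the parameter names of the SonarQube 7.x Web API (`fromKey`/`toName`, `key`/`rule`, `language`/`qualityProfile`/`project`); check them against your server's `/web_api` page before relying on them. The environment variable names `SONAR_HOST_URL`, `SONAR_TOKEN` and `SONAR_PROJECT_KEY` are this example's own choice. The HTTP transport is injectable so the flow can be exercised offline against canned responses.

```python
import base64
import json
import os
import sys
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# transport(method, url, params, headers) -> raw response body. Swappable for offline tests.
Transport = Callable[[str, str, Dict[str, str], Dict[str, str]], bytes]


def urllib_transport(method: str, url: str, params: Dict[str, str], headers: Dict[str, str]) -> bytes:
    """Real HTTP: query string for GET, form-encoded body for POST (what the SonarQube Web API expects)."""
    if method == "GET":
        req = Request(f"{url}?{urlencode(params)}", headers=headers, method="GET")
    else:
        req = Request(url, data=urlencode(params).encode(), headers=headers, method="POST")
    with urlopen(req) as resp:
        return resp.read()


class SonarClient:
    def __init__(self, base_url: str, token: str, transport: Transport = urllib_transport):
        self.base_url = base_url.rstrip("/")
        # SonarQube takes a user token as the Basic-auth username with an empty password.
        cred = base64.b64encode(f"{token}:".encode()).decode()
        self.headers = {"Authorization": f"Basic {cred}"}
        self.transport = transport
        self.calls: List[Tuple[str, str, Dict[str, str]]] = []  # audit trail of what was sent

    def call(self, method: str, path: str, **params) -> dict:
        params = {k: str(v) for k, v in params.items()}
        self.calls.append((method, path, params))
        body = self.transport(method, f"{self.base_url}/{path}", params, self.headers)
        return json.loads(body) if body.strip() else {}  # 204 No Content -> {}


def override_profile_without_rule(client: SonarClient, project_key: str, rule_key: str,
                                  new_name: str, language: str = "cs") -> str:
    """Copy the default profile, deactivate one rule in the copy, bind the copy to one project.

    The default profile (used by every other project) is left untouched. Returns the new profile key.
    """
    search = client.call("GET", "api/qualityprofiles/search", language=language)
    defaults = [p for p in search.get("profiles", []) if p.get("isDefault")]
    if not defaults:
        raise RuntimeError(f"no default {language} quality profile found")
    copied = client.call("POST", "api/qualityprofiles/copy",
                         fromKey=defaults[0]["key"], toName=new_name)
    client.call("POST", "api/qualityprofiles/deactivate_rule", key=copied["key"], rule=rule_key)
    client.call("POST", "api/qualityprofiles/add_project",
                language=language, qualityProfile=new_name, project=project_key)
    return copied["key"]


if __name__ == "__main__":
    # Env var names are this example's convention, not something the scanner defines.
    url, token, project = (os.environ.get(v) for v in ("SONAR_HOST_URL", "SONAR_TOKEN", "SONAR_PROJECT_KEY"))
    if not (url and token and project):
        sys.exit("set SONAR_HOST_URL, SONAR_TOKEN and SONAR_PROJECT_KEY")
    client = SonarClient(url, token)
    key = override_profile_without_rule(client, project,
                                        "roslyn.sonaranalyzer.security.cs:S3649", "Default w/o S3649")
    print(f"project {project} now uses profile {key}; re-run the begin/build/end steps to pick it up")
```

`copy` fails with HTTP 400 if a profile named `toName` already exists for that language, so on a re-run either pick up the existing key from `search` or delete the stale copy first. The token needs the "Administer Quality Profiles" permission plus administration rights on the target project; the `calls` list on the client gives you a record of exactly what was changed, which is worth keeping with the change ticket since this override silently removes a SQL-injection check from one project.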