Sonarsource/sonarcloud-scan:4.1.0 Hangs on Bitbucket pipelines

Hi,

We’ve been having problems running SonarCloud in our Bitbucket Pipeline since 24. February. The pipeline just hangs without any proper error. We’ve tried increasing the memory of the step and enabling verbose logging without any result or hint of what is causing the problem.

ALM used:

Bitbucket Cloud

CI system used:

Bitbucket Cloud

Scanner command used when applicable (private details masked)

definitions:
  steps:
    - step: &sonarcloud
        runs-on:
          - self.hosted
        name: Sonarcloud
        size: 4x
        caches:
          - docker
        services:
          - docker-12gb
        clone:
          depth: full
        script:
         - pipe: sonarsource/sonarcloud-scan:4.1.0
           variables:
             EXTRA_ARGS:
              - '-Dsonar.javascript.lcov.reportPaths=\"./coverage/lcov.info\"'
              - '-Dsonar.javascript.node.maxspace=8192'
              - '-Dsonar.testExecutionReportPaths=\"./test-reports/jest-test-report.xml,./test-reports/junit.xml\"'
              - '-Dsonar.coverageReportPaths=\"./coverage/test-report.xml\"'
              - '-Dsonar.verbose=true'
              - '-Dsonar.scanner.scm.echoAll=true'
             SONAR_SCANNER_OPTS: -Xmx1g
              - pipe: sonarsource/sonarcloud-quality-gate:0.2.0

  services:
    docker-12gb:
      type: docker
      memory: 12288

Languages of the repository

PHP/JS

Error observed: The analysis hangs indefinitely during the JavaScript parsing phase. No error is thrown. Even with -Dsonar.verbose=true, the logs simply stop after logging several JasminAstConsumer accepted file entries.

pipelineLog-{e2c260f0-26f7-46ef-b2b7-efa6a2fde5f9}.txt (763.9 KB)

Steps to reproduce

Happens every scan

What we have tried:

1. Memory Tuning: We are using size: 4x containers (12GB).

   • Set sonar.javascript.node.maxspace=8192

   • Set SONAR_SCANNER_OPTS=-Xmx1g

2. Regex Root Cause Search: We suspected “Catastrophic Regex Backtracking” in the AST analyzer. We found and fixed several instances where dynamic new RegExp was used inside loops, converting them to static literals and using matchAll().

3. Regex Obfuscation: We even tried obfuscating several regex strings (e.g., ['part1', 'part2'].join('')) to prevent the static analyzer from attempting to parse them, but the hang persists.

Potential Workaround: None found so far. The issue started around February 24, 2026, which seems to coincide with a SonarCloud platform update (SonarJS 12.0).

Addition:
Pipelines work for pullrequest, but fail when run on a branch.

Hi @Emil_Aura,

we saw last week that we were hitting an infinite loop under certain conditions in rule S2077, as you can see here

We will release the fix today, to be deployed in the coming days.

Can you disable that rule (or look for self-referencing declarations in your code?)?

Cheers