We’re running SQ version 8.9.8
I’m running a scan which turns out to take approx. 30 minutes. Diving deeper into the logging, it turns out one specific rule is taking approx 28 minutes of analysis time: SonarAnalyzer.Rules.CSharp.DoNotHardcodeCredentials (S2068)
2 Questions:
Any idea why this specific rule is using so much time?
Is there a way to exclude the rules via the project file (as a workaround), until I get a solution for this issue? I don’t want to change the ruleset, as other projects don’t have the same issues.
When I see a report about a rule in a non-latest version, the first thing I do is check the analyzer tickets to see if we’ve worked on the rule since the user’s version. While we’ve done some work on the rule, nothing related to performance jumps out at me, so I’m going to flag this for the developers.
You could set a rule/file exclusion but I don’t believe that keeps the rule from being run, just from being reported on the files in question.
You really would need to either exclude the files in question from analysis entirely (so yes, another type of exclusion could work) or disable the rules in the profile.
Perhaps a second Quality Profile that was assigned only to the project in question?
Hi Costin,
Thanks for your time. The C# solution includes 7 wcf/lib projects with 28.000 lines of code, it is really hard to understand if the problem depends on strings or the number of types.
In numerical terms what do you mean by “lots”?
However, I will try to provide the binary build log as soon as possible.
Thanks a lot for the logs and sorry for the delayed response. Unfortunately, I only now had time to take a look.
Some notes:
28k lines of code should not be an issue. The analysis should be a lot faster even on larger projects. As an example, analyzing sonar-dotnet, which is 73k lines of code, takes under 2 min.
At first glance the problem seems to appear while analyzing the “MvcTestWebsite” project, but I cannot narrow it down further.
Would it be possible to do another run, this time with the -p:reportanalyzer=true property set when doing the build, and send the binary log file to us?
This will enable verbose logging and will also log the CPU time used by the analyzers.
If you are sure that the DoNotHardcodeCredentials rule is the problem, you can disable it as a workaround until we manage to pinpoint and fix the problem. We have a guide here that explains how you can do this: The Sonar guide for investigating the performance of .NET analysis
I took a look at the new bin log and it seems that the rule is having problems with the MvcTestWebsite project. The rule takes almost 100% of the analysis time for the project.
It is not clear what is causing the problem. Is it possible for you to share the MvcTestWebsite project with us? That way, we can investigate the problem on our side.