Specific rule taking an awesome lot of time


We’re running SQ version 8.9.8
I’m running a scan which turns out to take approx. 30 minutes. Diving deeper into the logging, it turns out one specific rule is taking approx 28 minutes of analysis time: SonarAnalyzer.Rules.CSharp.DoNotHardcodeCredentials (S2068)

2 Questions:

  • Any idea why this specific rule is using so much time.
  • Is there a way to exclude the rules via the project file (as a workarround), until I get a solution for this issue. I don’t want to change the ruleset, as other projects don’t have the same issues


Welcome to the community!

When I see a report about a rule in a non-latest version, the first thing I do is check the analyzer tickets to see if we’ve worked on the rule since the user’s version. While we’ve done some work on the rule, nothing related to performance jumps out at me, so I’m going to flag this for the developers.

You could set a rule/file exclusion but I don’t believe that keeps the rule from being run, just from being reported on the files in question.

You really would need to either exclude the files in question from analysis entirely (so yes, another type of exclusion could work) or disable the rules in the profile.

Perhaps a second Quality Profile that was assigned only to the project in question?


1 Like

Hi Ann,

thanks for the feedback. I’ll see what I can do with that second Quality Profile


1 Like

Hi @KoenRD, thanks for your feedback.

It is unexpected for DoNotHardcodeCredentials to take that long.

  • Is it anything in particular special with the code, structure wise? e.g. lots of types, arrays or identifiers?
  • Are there lots of strings or very large ones?
  • Would it be possible to create a reproducer for us?
  • Would it be possible to export a binary build log?

Thanks again,

Hi Costin

I’m only the messenger here.
I’ll pass your questions to our developer, and request for feedback.


Hi Costin,
tnx for your time. The C# solution includes 7 wcf/lib projects with 28.000 lines of code, it is really hard to understand if the problems depends from strings or number of types.
In numerical terms what do you mean by “lots”?
However, I will try to provide the binary build log as soon as possible


1 Like

Hi Costin,

Apologies for the delay. I’ll share the binary log.

SQRule.zip (869.2 KB)

Hi Costin,

Good afternoon.
Were you able to get any usefull information from this log?


Hi @KoenRD,

Thanks a lot for the logs and sorry for delayed response. Unfortunately, only now I had time to take a look.

Some notes:

  • 28k lines of code should not be an issue. The analysis should be a lot faster even on larger projects. As an example analyzing sonar-dotnet which is 73k lines of code, takes under 2 min.
  • at the first glance the problem seems to appear while analyzing the “MvcTestWebsite” project but I cannot narrow down further.

Would it be possible to do another run, this time with the -p:reportanalyzer=true property set when doing the build, and send the binary log file to us?

Something like:

dotnet build -p:reportanalyzer=true -v:diag


MsBuild.exe /t:Rebuild /p:reportanalyzer=true /v:d

This will enable verbose logging and will also log the CPU time used by the analyzers.

If you are sure that the DoNotHardcodeCredentials rule is the problem, you can disable it as a workaround until we manage to pinpoint and fix the problem. We have here a guide that explain how you can do this: The Sonar guide for investigating the performance of .NET analysis

Thank you,

Hi, as requested, the binary logs.
SQDump.zip (848.2 KB)

Hello @KoenRD

I took a look in the new bin log and it seems that the rule is having problems with the MvcTestWebsite project. The rule takes almost 100% of the analysis time for the project.

It is not clear what is causing the problem. Is it possible for you to share the MvcTestWebsite project with us? That way, we can investigate the problem on our side.

Best Martin