Taint Analysis for Javascript/Typescript project code is taking long (> 1 hour)

  • ALM used: GitHub
  • CI system used: GitHubActions
  • Languages of the repository: Javascript/TypeScript
  • Potential workaround: Copied Sonar Way Profile and excluded several security rules, but running the scan still takes > 1 hour.
    And, excluding one of the directories (with < 100 files in it) in the GitHub repository drastically reduces the Taint Analysis to less than 5 minutes.
    Any help appreciated.
    Thanks.

Hi,

Could you provide a full, debug analysis log, please?

The analysis / scanner log is what’s output from the analysis command. Hopefully, the log you provide - redacted as necessary - will include that command as well.

This guide will help you find them.

 
Thx,
Ann

Hi,
Please find below the log where run took ~2 hours. This is even after doing several exclusions of the Taint Analysis rules both from the Profile and the General Settings.
Thanks.

2024-04-18T23:30:03.7690551Z ##[group]Run SonarSource/sonarcloud-github-action@master
2024-04-18T23:30:03.7691172Z with:
2024-04-18T23:30:03.7693814Z   args: -Dsonar.organization=orgnamehere -Dsonar.projectKey=projectkeyhere -Dsonar.exclusions=exclusionshere -Dsonar.sources=app.js,apprender.js,appresizer.js,appsearch.js,config.js,client/,jobs/,lib/,logic/,services/ -Dsonar.tests=test/,test-client/ -Dsonar.javascript.lcov.reportPaths=./coverage/lcov.info
..
2024-04-18T23:30:05.1322653Z INFO: SonarScanner 5.0.1.3006
2024-04-18T23:30:05.1325103Z INFO: Java 17.0.10 Alpine (64-bit)
2024-04-18T23:30:05.1326085Z INFO: Linux 5.15.0-1056-azure amd64
...

2024-04-18T23:37:37.6155166Z INFO: Sensor JsSecuritySensor [security]
2024-04-18T23:37:37.6226876Z INFO: Enabled taint analysis rules: S5144, S5131, S6287, S6096, S2083, S6105, S5334, S5146, S5147, S2076, S6350, S2631, S3649, S5883, S5696
2024-04-18T23:37:37.6229078Z INFO: Load type hierarchy and UCFGs: Starting
2024-04-18T23:37:37.6230221Z INFO: Load type hierarchy: Starting
2024-04-18T23:37:37.6231575Z INFO: Reading type hierarchy from: /github/workspace/.scannerwork/ucfg2/js
2024-04-18T23:37:37.6267317Z INFO: Read 0 type definitions
2024-04-18T23:37:37.6272397Z INFO: Load type hierarchy: Time spent was 00:00:00.013
2024-04-18T23:37:37.6273616Z INFO: Load UCFGs: Starting
2024-04-18T23:37:37.6284967Z INFO: Reading UCFGs from: /github/workspace/.scannerwork/ucfg2/js
2024-04-18T23:37:44.8141470Z INFO: Load UCFGs: Time spent was 00:00:07.186
2024-04-18T23:37:44.8142337Z INFO: Load type hierarchy and UCFGs: Time spent was 00:00:07.200
2024-04-18T23:37:44.8143531Z INFO: Analyzing 15743 UCFGs to detect vulnerabilities.
2024-04-18T23:37:44.8144288Z INFO: Check cache: Starting
2024-04-18T23:37:44.8145034Z INFO: Load cache: Starting
2024-04-18T23:37:44.8148672Z INFO: Load cache: Time spent was 00:00:00.000
2024-04-18T23:37:44.8150003Z INFO: Check cache: Time spent was 00:00:00.000
2024-04-18T23:37:44.8150884Z INFO: Create runtime call graph: Starting
2024-04-18T23:37:44.8158539Z INFO: Variable Type Analysis #1: Starting
2024-04-18T23:37:44.8169320Z INFO: Create runtime type propagation graph: Starting
2024-04-18T23:37:45.9157629Z INFO: Create runtime type propagation graph: Time spent was 00:00:01.098
2024-04-18T23:37:45.9162274Z INFO: Run SCC (Tarjan) on 99006 nodes: Starting
2024-04-18T23:37:46.0848852Z INFO: Run SCC (Tarjan) on 99006 nodes: Time spent was 00:00:00.168
2024-04-18T23:37:46.0850428Z INFO: Tarjan found 98971 strongly connected components
2024-04-18T23:37:46.0851835Z INFO: Propagate runtime types to strongly connected components: Starting
2024-04-18T23:37:46.4301489Z INFO: Propagate runtime types to strongly connected components: Time spent was 00:00:00.344
2024-04-18T23:37:46.4303606Z INFO: Variable Type Analysis #1: Time spent was 00:00:01.613
2024-04-18T23:37:46.4334466Z INFO: Variable Type Analysis #2: Starting
2024-04-18T23:37:46.4335692Z INFO: Create runtime type propagation graph: Starting
2024-04-18T23:37:47.6882119Z INFO: Create runtime type propagation graph: Time spent was 00:00:01.254
2024-04-18T23:37:47.6883458Z INFO: Run SCC (Tarjan) on 99006 nodes: Starting
2024-04-18T23:37:47.8688580Z INFO: Run SCC (Tarjan) on 99006 nodes: Time spent was 00:00:00.180
2024-04-18T23:37:47.8689493Z INFO: Tarjan found 98971 strongly connected components
2024-04-18T23:37:47.8690384Z INFO: Propagate runtime types to strongly connected components: Starting
2024-04-18T23:37:48.2811101Z INFO: Propagate runtime types to strongly connected components: Time spent was 00:00:00.411
2024-04-18T23:37:48.2812980Z INFO: Variable Type Analysis #2: Time spent was 00:00:01.847
2024-04-18T23:37:48.2973362Z INFO: Create runtime call graph: Time spent was 00:00:03.481
2024-04-18T23:37:48.2974512Z INFO: Load config: Starting
2024-04-18T23:37:48.4910839Z INFO: Load config: Time spent was 00:00:00.193
2024-04-18T23:37:48.4911998Z INFO: Compute entry points: Starting
2024-04-18T23:37:56.1439438Z INFO: Compute entry points: Time spent was 00:00:07.653
2024-04-18T23:37:56.1440612Z INFO: All rules entry points : 568
2024-04-18T23:37:56.1441494Z INFO: Slice call graph: Starting
2024-04-18T23:37:56.1446883Z INFO: Slice call graph: Time spent was 00:00:00.000
2024-04-18T23:37:56.1448704Z INFO: Live variable analysis: Starting
2024-04-18T23:37:59.0742311Z INFO: Live variable analysis: Time spent was 00:00:02.929
2024-04-18T23:37:59.0746881Z INFO: Taint analysis for js: Starting
2024-04-18T23:38:00.3186898Z INFO: 0 / 15743 UCFGs simulated, memory usage: 516 MB
2024-04-18T23:38:02.9862122Z INFO: 49 / 15743 UCFGs simulated, memory usage: 1400 MB
2024-04-18T23:38:21.5837367Z INFO: 268 / 15743 UCFGs simulated, memory usage: 2433 MB
2024-04-18T23:39:10.6935911Z INFO: 511 / 15743 UCFGs simulated, memory usage: 2299 MB
2024-04-18T23:39:18.4530358Z INFO: 615 / 15743 UCFGs simulated, memory usage: 757 MB
2024-04-18T23:39:22.8301234Z INFO: 838 / 15743 UCFGs simulated, memory usage: 1741 MB
2024-04-18T23:39:48.4093309Z INFO: 1125 / 15743 UCFGs simulated, memory usage: 1447 MB
2024-04-18T23:40:08.8003508Z INFO: 1344 / 15743 UCFGs simulated, memory usage: 1621 MB
2024-04-18T23:40:35.4276722Z INFO: 1587 / 15743 UCFGs simulated, memory usage: 1292 MB
2024-04-18T23:42:09.7642815Z INFO: 1740 / 15743 UCFGs simulated, memory usage: 975 MB
2024-04-18T23:42:47.0135441Z INFO: 1963 / 15743 UCFGs simulated, memory usage: 3050 MB
2024-04-18T23:42:59.0878742Z INFO: 2169 / 15743 UCFGs simulated, memory usage: 983 MB
2024-04-18T23:43:32.4889984Z INFO: 2281 / 15743 UCFGs simulated, memory usage: 3199 MB
2024-04-18T23:43:59.0541911Z INFO: 2396 / 15743 UCFGs simulated, memory usage: 1050 MB
2024-04-18T23:44:27.1786351Z INFO: 2559 / 15743 UCFGs simulated, memory usage: 2150 MB
2024-04-18T23:45:53.0149051Z INFO: 2706 / 15743 UCFGs simulated, memory usage: 1386 MB
2024-04-18T23:46:15.8451757Z INFO: 2853 / 15743 UCFGs simulated, memory usage: 2322 MB
2024-04-18T23:46:44.4838321Z INFO: 2979 / 15743 UCFGs simulated, memory usage: 2961 MB
2024-04-18T23:47:13.5094306Z INFO: 3074 / 15743 UCFGs simulated, memory usage: 1236 MB
2024-04-18T23:47:44.8383786Z INFO: 3227 / 15743 UCFGs simulated, memory usage: 1040 MB
2024-04-18T23:48:18.5423830Z INFO: 3337 / 15743 UCFGs simulated, memory usage: 3239 MB
2024-04-19T00:09:24.8897387Z INFO: 3339 / 15743 UCFGs simulated, memory usage: 3264 MB
2024-04-19T00:32:37.3010209Z INFO: 3339 / 15743 UCFGs simulated, memory usage: 1827 MB
2024-04-19T00:54:28.8393384Z INFO: 3339 / 15743 UCFGs simulated, memory usage: 3289 MB
2024-04-19T01:16:37.3825931Z INFO: 3339 / 15743 UCFGs simulated, memory usage: 1758 MB
2024-04-19T01:26:11.2077739Z INFO: 3454 / 15743 UCFGs simulated, memory usage: 2610 MB
2024-04-19T01:26:12.5246070Z INFO: 3700 / 15743 UCFGs simulated, memory usage: 1358 MB
2024-04-19T01:26:23.1661427Z INFO: 3772 / 15743 UCFGs simulated, memory usage: 2744 MB
2024-04-19T01:26:23.5823406Z INFO: 3787 / 15743 UCFGs simulated, memory usage: 3136 MB
2024-04-19T01:26:23.5828062Z INFO: Taint analysis for js: Time spent was 01:48:24.507
2024-04-19T01:26:23.5830897Z INFO: Report issues: Starting
2024-04-19T01:26:23.5901221Z INFO: Report issues: Time spent was 00:00:00.007
2024-04-19T01:26:23.5902241Z INFO: Store cache: Starting
2024-04-19T01:26:23.6194404Z INFO: Store cache: Time spent was 00:00:00.028
2024-04-19T01:26:23.6195678Z INFO: js security sensor: Time spent was 01:48:46.005
2024-04-19T01:26:23.6229677Z INFO: js security sensor: Begin: 2024-04-18T23:37:37.612828166Z, End: 2024-04-19T01:26:23.618792379Z, Duration: 01:48:46.005
2024-04-19T01:26:23.6232851Z   Load type hierarchy and UCFGs: Begin: 2024-04-18T23:37:37.613134973Z, End: 2024-04-18T23:37:44.813449353Z, Duration: 00:00:07.200
2024-04-19T01:26:23.6236111Z     Load type hierarchy: Begin: 2024-04-18T23:37:37.613160874Z, End: 2024-04-18T23:37:37.626443187Z, Duration: 00:00:00.013
2024-04-19T01:26:23.6239609Z     Load UCFGs: Begin: 2024-04-18T23:37:37.626826996Z, End: 2024-04-18T23:37:44.813047743Z, Duration: 00:00:07.186
2024-04-19T01:26:23.6242266Z   Check cache: Begin: 2024-04-18T23:37:44.813615157Z, End: 2024-04-18T23:37:44.814352374Z, Duration: 00:00:00.000
2024-04-19T01:26:23.6245120Z     Load cache: Begin: 2024-04-18T23:37:44.813651557Z, End: 2024-04-18T23:37:44.813716459Z, Duration: 00:00:00.000
2024-04-19T01:26:23.6248188Z   Create runtime call graph: Begin: 2024-04-18T23:37:44.814549879Z, End: 2024-04-18T23:37:48.295575044Z, Duration: 00:00:03.481
2024-04-19T01:26:23.6251359Z     Variable Type Analysis #1: Begin: 2024-04-18T23:37:44.815499801Z, End: 2024-04-18T23:37:46.428688915Z, Duration: 00:00:01.613
2024-04-19T01:26:23.6254735Z       Create runtime type propagation graph: Begin: 2024-04-18T23:37:44.816617528Z, End: 2024-04-18T23:37:45.914830575Z, Duration: 00:00:01.098
2024-04-19T01:26:23.6258755Z       Run SCC (Tarjan) on 99006 nodes: Begin: 2024-04-18T23:37:45.915722196Z, End: 2024-04-18T23:37:46.083926670Z, Duration: 00:00:00.168
2024-04-19T01:26:23.6262400Z       Propagate runtime types to strongly connected components: Begin: 2024-04-18T23:37:46.084305079Z, End: 2024-04-18T23:37:46.428352807Z, Duration: 00:00:00.344
2024-04-19T01:26:23.6266172Z     Variable Type Analysis #2: Begin: 2024-04-18T23:37:46.432432004Z, End: 2024-04-18T23:37:48.279640267Z, Duration: 00:00:01.847
2024-04-19T01:26:23.6269446Z       Create runtime type propagation graph: Begin: 2024-04-18T23:37:46.432504205Z, End: 2024-04-18T23:37:47.687108348Z, Duration: 00:00:01.254
2024-04-19T01:26:23.6272767Z       Run SCC (Tarjan) on 99006 nodes: Begin: 2024-04-18T23:37:47.687541858Z, End: 2024-04-18T23:37:47.867828924Z, Duration: 00:00:00.180
2024-04-19T01:26:23.6276405Z       Propagate runtime types to strongly connected components: Begin: 2024-04-18T23:37:47.868215033Z, End: 2024-04-18T23:37:48.279322659Z, Duration: 00:00:00.411
2024-04-19T01:26:23.6279857Z   Load config: Begin: 2024-04-18T23:37:48.295895151Z, End: 2024-04-18T23:37:48.489255726Z, Duration: 00:00:00.193
2024-04-19T01:26:23.6283022Z   Compute entry points: Begin: 2024-04-18T23:37:48.489822839Z, End: 2024-04-18T23:37:56.142929729Z, Duration: 00:00:07.653
2024-04-19T01:26:23.6286069Z   Slice call graph: Begin: 2024-04-18T23:37:56.143277337Z, End: 2024-04-18T23:37:56.143310137Z, Duration: 00:00:00.000
2024-04-19T01:26:23.6289043Z   Live variable analysis: Begin: 2024-04-18T23:37:56.143439740Z, End: 2024-04-18T23:37:59.073184499Z, Duration: 00:00:02.929
2024-04-19T01:26:23.6292105Z   Taint analysis for js: Begin: 2024-04-18T23:37:59.073952317Z, End: 2024-04-19T01:26:23.581743304Z, Duration: 01:48:24.507
2024-04-19T01:26:23.6294953Z   Report issues: Begin: 2024-04-19T01:26:23.582162814Z, End: 2024-04-19T01:26:23.589536388Z, Duration: 00:00:00.007
2024-04-19T01:26:23.6297680Z   Store cache: Begin: 2024-04-19T01:26:23.589695192Z, End: 2024-04-19T01:26:23.618594474Z, Duration: 00:00:00.028
2024-04-19T01:26:23.6299562Z INFO: js security sensor peak memory: 3776 MB
2024-04-19T01:26:23.6300969Z INFO: Sensor JsSecuritySensor [security] (done) | time=6526008ms
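The progress lines in the log above are the quickest way to see where the 1h48 goes: the counter reaches 3337 UCFGs after ten minutes and then sits at 3339 for well over an hour while memory hovers just above 3 GB. The script below is an added example, not part of this thread or of SonarSource's tooling; it parses `N / M UCFGs simulated` lines from a GitHub Actions log, reports the intervals in which the counter barely moves, and the highest memory figure seen. The sample lines are copied from the log posted above; the 15-minute stall threshold is an assumed default.

```python
import re
from datetime import datetime, timedelta

# Sample taken from the Sensor JsSecuritySensor output posted above.
SAMPLE_LOG = """\
2024-04-18T23:37:59.0746881Z INFO: Taint analysis for js: Starting
2024-04-18T23:38:00.3186898Z INFO: 0 / 15743 UCFGs simulated, memory usage: 516 MB
2024-04-18T23:38:02.9862122Z INFO: 49 / 15743 UCFGs simulated, memory usage: 1400 MB
2024-04-18T23:48:18.5423830Z INFO: 3337 / 15743 UCFGs simulated, memory usage: 3239 MB
2024-04-19T00:09:24.8897387Z INFO: 3339 / 15743 UCFGs simulated, memory usage: 3264 MB
2024-04-19T00:32:37.3010209Z INFO: 3339 / 15743 UCFGs simulated, memory usage: 1827 MB
2024-04-19T00:54:28.8393384Z INFO: 3339 / 15743 UCFGs simulated, memory usage: 3289 MB
2024-04-19T01:16:37.3825931Z INFO: 3339 / 15743 UCFGs simulated, memory usage: 1758 MB
2024-04-19T01:26:11.2077739Z INFO: 3454 / 15743 UCFGs simulated, memory usage: 2610 MB
2024-04-19T01:26:23.5823406Z INFO: 3787 / 15743 UCFGs simulated, memory usage: 3136 MB
2024-04-19T01:26:23.5828062Z INFO: Taint analysis for js: Time spent was 01:48:24.507
"""

# GitHub Actions prefixes each line with a 7-digit-fraction UTC timestamp;
# the fraction is captured separately because strptime's %f takes at most 6 digits.
PROGRESS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.(?P<frac>\d+)Z\s+INFO:\s+"
    r"(?P<done>\d+) / (?P<total>\d+) UCFGs simulated, memory usage: (?P<mem>\d+) MB"
)


def parse_progress(log_text):
    """Return a list of (timestamp, done, total, memory_mb) for each progress line."""
    samples = []
    for line in log_text.splitlines():
        m = PROGRESS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(
            f"{m.group('ts')}.{m.group('frac')[:6]}", "%Y-%m-%dT%H:%M:%S.%f"
        )
        samples.append((ts, int(m.group("done")), int(m.group("total")), int(m.group("mem"))))
    return samples


def find_stalls(samples, threshold=timedelta(minutes=15)):
    """Return (start, end, ucfgs_advanced, seconds) for every gap between two
    consecutive progress lines that is at least `threshold` long.

    A long gap with (almost) no advance means the simulator is stuck on one
    UCFG or a handful of them, which points at a specific part of the code
    rather than at the size of the project as a whole.
    """
    stalls = []
    for (t0, d0, _, _), (t1, d1, _, _) in zip(samples, samples[1:]):
        gap = t1 - t0
        if gap >= threshold:
            stalls.append((t0, t1, d1 - d0, gap.total_seconds()))
    return stalls


def summarize(log_text, threshold=timedelta(minutes=15)):
    """Aggregate the log into the numbers worth quoting in a support thread."""
    samples = parse_progress(log_text)
    stalls = find_stalls(samples, threshold)
    return {
        "progress_lines": len(samples),
        "last_done": samples[-1][1] if samples else 0,
        "total": samples[-1][2] if samples else 0,
        "peak_memory_mb": max((s[3] for s in samples), default=0),
        "stalls": stalls,
        "stalled_seconds": sum(s[3] for s in stalls),
        "stalled_ucfgs": sum(s[2] for s in stalls),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['last_done']} / {report['total']} UCFGs simulated, "
          f"peak memory {report['peak_memory_mb']} MB")
    for start, end, advanced, secs in report["stalls"]:
        print(f"  {start.time()} -> {end.time()}: {secs/60:.1f} min, advanced {advanced} UCFGs")
    print(f"  stalled {report['stalled_seconds']/60:.0f} min in total "
          f"while advancing {report['stalled_ucfgs']} UCFGs")
```

On the sample above the script reports four gaps of roughly 21 to 23 minutes each, about 88 minutes in total, during which the counter advances by only two UCFGs. That is the figure to pair with the UCFG folder when handing the reproduction over, since it says the slow part is a couple of functions rather than the whole 15 743.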

Hi,

Thanks for that. I’ve flagged this for more expert eyes.

 
Ann


Hello @montanoeuse

Thanks for reaching out and providing the analysis logs; they help to better identify the situation. As you correctly identified, it seems that only a subset of the code is responsible for most of the time spent. I have a few additional questions:

  • I guess your project is not open-source, right?
  • Is your project a web application (usually written with Express in the case of JS/TS)?
    • I’m asking because taint analysis rules are only relevant for web applications, if it is not, it is fair to disable the taint rules (see the end of my post).
  • It seems the analysis is hitting a memory limit of around 3 GB. Can you check if it is possible to increase the memory allocated for the analysis?

At this point, in order to understand the problem further, we need a way to reproduce it. As providing the source code is probably not possible, we can typically use the UCFGs of the analysis.

  • They are located in /github/workspace/.scannerwork/ucfg2/js, as the logs suggest.
  • Would it be possible to reach out to me (privately), to provide the content of this folder?
    • In case it is too big, you can try to reduce the scope to the 100 files you identified to be slow, for example.

Additional information, in the meantime.

  • Taint analysis rules are “all or nothing”. It will run if at least one rule is enabled. In order to not run this part of the analysis, you will have to disable all taint rules. They can be easily identified in the logs you linked: Enabled taint analysis rules: S5144, S5131, S6287, S6096, S2083, S6105, S5334, S5146, S5147, S2076, S6350, S2631, S3649, S5883, S5696. Disabling all of them should do the trick. It should be a workaround, please keep in mind to re-enable them eventually. :wink:

I hope it clarifies the situation.

Best,
Quentin

Thanks for your quick reply. I appreciate it, @Quentin
Yes, not open-source, but it's a JS/TS application.
I have disabled taint analysis by including all the rules as suggested.
I’ll provide more updates later and get you some of the UCFG files.

Cheers,

Even after adding the “Ignore Issues on Multiple Criteria” the scan still takes ~2 hours

I split all the 15 rules into 5 lines as shown above. Is that not handled, or do I have to put it on a single line? Strange.

Ignore Issues is to ignore the findings, it will not prevent the execution of the analyzer.

In order to disable rules, you will have to modify the Quality Profile.

For example, extending the default quality profile and disabling the rule mentioned before.