Taint analysis for JS repo takes long time

Hi team,

We’ve been facing a persistent issue with JS taint analysis in SonarQube.

One of our repositories takes over an hour to complete the scan and even started taking 24 hours after which we reverted some of the code, while other repositories finish within 1–2 minutes.

We are running SonarQube Developer Edition v2025.4.1 via Helm on Kubernetes, and we’ve already tried the following steps:
• I raised a community support thread earlier for the same repo, which was resolved by enabling the Jasmin sensor; after that the scan used to take 30–40 mins, but it has increased to 60 mins again now. link

• Tried increasing the heap size where the scan is running to 10 GB; no difference in scan time.

Despite these efforts, the scan time hasn’t improved.

We need help analyzing why it is taking 60 min now and why the taint analysis time increased to 24 hours after adding one new file.

INFO: Sensor JsSecuritySensorV2 [jasmin]
INFO: JasminAstConsumer is enabled by property
INFO: 202 file(s) will be analysed by SonarJasmin.
INFO: Analysis progress:   9% (20/202 files)
INFO: Analysis progress:  19% (40/202 files)
INFO: Analysis progress:  29% (60/202 files)
INFO: Analysis progress:  39% (80/202 files)
INFO: Analysis progress:  49% (100/202 files)
INFO: Analysis progress:  59% (120/202 files)
INFO: Analysis progress:  69% (140/202 files)
INFO: Analysis progress:  79% (160/202 files)
INFO: Analysis progress:  89% (180/202 files)
INFO: Analysis progress:  99% (200/202 files)
INFO: Sensor JsSecuritySensorV2 [jasmin] (done) | time=3480520ms

Hi,

First, can you try allocating more memory, using sonar.javascript.node.maxspace? A minimum of 4 GB is recommended, but for larger projects you may need more.

HTH,
Ann

Hi @ganncamp ,

We have already tried increasing the heap size up to 12 GB, but there was no difference in scan time.

Here are the latest logs with 8 GB:

<sonar.javascript.node.maxspace=8192>

INFO: Configured Node.js --max-old-space-size=8192.

206 file(s) will be analysed by SonarJasmin.
INFO: Analysis progress: 9% (20/206 files)
INFO: Analysis progress: 19% (40/206 files)
INFO: Analysis progress: 29% (60/206 files)
INFO: Analysis progress: 38% (80/206 files)
INFO: Analysis progress: 48% (100/206 files)
INFO: Analysis progress: 58% (120/206 files)
INFO: Analysis progress: 67% (140/206 files)
INFO: Analysis progress: 77% (160/206 files)
INFO: Analysis progress: 87% (180/206 files)
INFO: Analysis progress: 97% (200/206 files)
INFO: Sensor JsSecuritySensorV2 [jasmin] (done) | time=5485067ms

Hi,

Thanks for trying. Can you add -Dsonar.verbose=true to your analysis command line and provide the full log, redacted as necessary?

Thx,
Ann

Hi @ganncamp

Here are the debug logs:

logs-debug.txt (689.9 KB)

Hi,

Thanks for the log. I need to confirm what I’m seeing here. This looks like a 2-hour jump…?

You didn’t do any editing here, right? :sweat_smile:

And what can you tell me about sonarqube-all/sonarqube-all-scanning/src/index.js?

Thx,
Ann

Hi @ganncamp ,

Yeah, it is correct: our taint analysis seems stuck at this file every time and then completes after 1–1.5 hours. It is always the same behaviour.

Summary of src/index.js:

  • Boots the application: loads configuration (nconf), environment-specific JSON files, and reads several key files.

  • Initializes core subsystems and instrumentation: error handling, Redis client, authorization middleware, rate limiter, Mongoose (DB), archive DB connection, emailer templates, validator updates, and optional heap profiler.

  • Starts an HTTP server, registers signal handlers (SIGINT/SIGTERM) and global unhandledRejection logging, and exposes server readiness flags.

  • Exports createServer and init for tests/consumers.

In short this file will initialize all the dependencies and start the server.

Hi,

How long is this file? Is there a tsconfig.json file in your project? (E.G.)

Thx,
Ann

Hi,

src/index.js → 179 lines of code for initializing and starting the server,

and there is no tsconfig.json in the project.


Hi,

Thanks for those details. On the face of it, 179 lines doesn’t seem egregious, but I suppose each of those lines is … heavy.

BTW, I’ve since learned that while having a tsconfig.json can make the regular JS analysis more efficient, it has no impact on the taint analysis pass.

Anyway, this is flagged for the experts. Hopefully they’ll be along soon.

Ann


Hi Team,

Any update on this?