Taint analysis for JS repo takes long time

Hi team,

We’ve been facing a persistent issue with JS taint analysis in SonarQube.

One of our repositories takes over an hour to complete the scan and even started taking 24 hours after which we reverted some of the code, while other repositories finish within 1–2 minutes.

We are running SonarQube Developer Edition v2025.4.1 via Helm on Kubernetes, and we’ve already tried the following steps:
• I raised a community support request earlier as well for the same repo, which was resolved by enabling the jasmin sensor; it then used to take 30-40 mins, but it has increased to 60 mins again now. link

• Tried increasing the heap size where the scan is running to 10GB; no difference in scan time.

Despite these efforts, the scan time hasn’t improved.

We need help analyzing why it takes 60 min now and why the taint analysis time increased to 24 hours after one new file was added.

INFO: Sensor JsSecuritySensorV2 [jasmin]
INFO: JasminAstConsumer is enabled by property
INFO: 202 file(s) will be analysed by SonarJasmin.
INFO: Analysis progress:   9% (20/202 files)
INFO: Analysis progress:  19% (40/202 files)
INFO: Analysis progress:  29% (60/202 files)
INFO: Analysis progress:  39% (80/202 files)
INFO: Analysis progress:  49% (100/202 files)
INFO: Analysis progress:  59% (120/202 files)
INFO: Analysis progress:  69% (140/202 files)
INFO: Analysis progress:  79% (160/202 files)
INFO: Analysis progress:  89% (180/202 files)
INFO: Analysis progress:  99% (200/202 files)
INFO: Sensor JsSecuritySensorV2 [jasmin] (done) | time=3480520ms

Hi,

First, can you try allocating more memory, using sonar.javascript.node.maxspace? A minimum of 4Gb is recommended, but for larger projects you may need more.

HTH,
Ann

Hi @ganncamp,

We have already tried increasing the heap size up to 12GB, but there is no difference in scan time.

Here are the latest logs with 8GB:

<sonar.javascript.node.maxspace=8192>

INFO: Configured Node.js --max-old-space-size=8192.

206 file(s) will be analysed by SonarJasmin.
INFO: Analysis progress: 9% (20/206 files)
INFO: Analysis progress: 19% (40/206 files)
INFO: Analysis progress: 29% (60/206 files)
INFO: Analysis progress: 38% (80/206 files)
INFO: Analysis progress: 48% (100/206 files)
INFO: Analysis progress: 58% (120/206 files)
INFO: Analysis progress: 67% (140/206 files)
INFO: Analysis progress: 77% (160/206 files)
INFO: Analysis progress: 87% (180/206 files)
INFO: Analysis progress: 97% (200/206 files)
INFO: Sensor JsSecuritySensorV2 [jasmin] (done) | time=5485067ms

Hi,

Thanks for trying. Can you add -Dsonar.verbose=true to your analysis command line and provide the full log, redacted as necessary?

Thx,
Ann

Hi @ganncamp

Here are the debug logs:

logs-debug.txt (689.9 KB)

Hi,

Thanks for the log. I need to confirm what I’m seeing here. This looks like a 2-hour jump…?

You didn’t do any editing here, right? :sweat_smile:

And what can you tell me about sonarqube-all/sonarqube-all-scanning/src/index.js?

Thx,
Ann
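A small log parser, added here and not part of the thread, that turns the quoted JsSecuritySensorV2 progress lines into per-batch timings so a jump like the 2-hour one Ann spotted can be located mechanically. It assumes the scanner's default `HH:MM:SS.mmm LEVEL:` console prefix and runs on a constructed sample log.

```python
import re
import statistics
from datetime import datetime, timedelta

# Constructed sample of a sonar-scanner console log. The HH:MM:SS.mmm prefix is
# assumed to be the scanner's default console format; the messages mirror the
# JsSecuritySensorV2 progress lines quoted in the thread, with a 2-hour gap.
SAMPLE_LOG = """\
10:00:00.000 INFO: Sensor JsSecuritySensorV2 [jasmin]
10:00:00.100 INFO: 202 file(s) will be analysed by SonarJasmin.
10:00:05.000 INFO: Analysis progress:   9% (20/202 files)
10:00:10.000 INFO: Analysis progress:  19% (40/202 files)
10:00:16.000 INFO: Analysis progress:  29% (60/202 files)
10:00:21.000 INFO: Analysis progress:  39% (80/202 files)
12:00:21.000 INFO: Analysis progress:  49% (100/202 files)
12:00:26.000 INFO: Analysis progress:  59% (120/202 files)
12:00:31.000 INFO: Sensor JsSecuritySensorV2 [jasmin] (done) | time=7231000ms
"""

PROGRESS = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3}) \w+: Analysis progress:\s+\d+% \((\d+)/(\d+) files\)")
DONE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3}) \w+: Sensor JsSecuritySensorV2 \[jasmin\] \(done\) \| time=(\d+)ms")


def _ts(text):
    return datetime.strptime(text, "%H:%M:%S.%f")


def progress_intervals(log):
    """Return (files_before, files_after, seconds) for each gap between progress lines."""
    points = [(_ts(m.group(1)), int(m.group(2)))
              for m in (PROGRESS.match(line) for line in log.splitlines()) if m]
    intervals = []
    for (t0, n0), (t1, n1) in zip(points, points[1:]):
        delta = t1 - t0
        if delta < timedelta(0):          # progress lines straddled midnight
            delta += timedelta(days=1)
        intervals.append((n0, n1, delta.total_seconds()))
    return intervals


def find_stall(log, factor=10.0):
    """Locate the batch of files whose processing time dwarfs the median batch."""
    intervals = progress_intervals(log)
    median = statistics.median(seconds for _, _, seconds in intervals)
    worst = max(intervals, key=lambda iv: iv[2])
    return {"from": worst[0], "to": worst[1], "seconds": worst[2],
            "median": median, "stalled": worst[2] > factor * median}


def total_sensor_seconds(log):
    """Total sensor time from the '(done) | time=...ms' line, in seconds."""
    for line in log.splitlines():
        m = DONE.match(line)
        if m:
            return int(m.group(2)) / 1000.0
    return None
```

The stalled batch narrows the suspect down to 20 files; the verbose log then shows which file inside that batch the sensor was on.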

Hi @ganncamp,

Yeah, it is correct; our taint analysis seems stuck at this file every time and then completes after 1 - 1.5 hours. It is always the same behaviour.

Summary of src/index.js:

  • Boots the application: loads configuration (nconf), environment-specific JSON files, and reads several key files.

  • Initializes core subsystems and instrumentation: error handling, Redis client, authorization middleware, rate limiter, Mongoose (DB), archive DB connection, emailer templates, validator updates, and optional heap profiler.

  • Starts an HTTP server, registers signal handlers (SIGINT/SIGTERM) and global unhandledRejection logging, and exposes server readiness flags.

  • Exports createServer and init for tests/consumers.

In short, this file initializes all the dependencies and starts the server.

Hi,

How long is this file? Is there a tsconfig.json file in your project? (E.G.)

Thx,
Ann

Hi,

src/index.js → 179 lines of code for initializing and starting the server,

and there is no tsconfig.json in the project.

Hi,

Thanks for those details. On the face of it, 179 lines doesn’t seem egregious, but I suppose each of those lines is … heavy.

BTW, I’ve since learned that while having a tsconfig.json can make the regular JS analysis more efficient, it has no impact on the taint analysis pass.

Anyway, this is flagged for the experts. Hopefully they’ll be along soon.

Ann

Hi Team,

Any update on this?

Hi,

My deepest apologies for the delay.

Regarding index.js :

  • What module system does it use? imports? requires?
  • Does it contain any dynamic imports (e.g. import or require inside of control flow, such as if-else or loops)?
  • Does it attempt to perform tricky reflection or instrumentation operations of some sort?

In your first message, you said adding a file made the analysis time increase to 24h.
Was this file ts or js or something else? Does one of the questions above relate to the added files?

Do you have, by any chance, the capacity to analyse this project on a test server where you could change the analyser version?

Renaud.

Hi @renaud.tognelli

Below is the requested info:

What module system does it use? imports? requires? - require
Does it contain any dynamic imports (e.g. import or require inside of control flow, such as if-else or loops)? - no
Does it attempt to perform tricky reflection or instrumentation operations of some sort? - no

The file we added was a JS file, but we removed it due to the long scan time; none of the questions relates to that added file.

We can create a test server but cannot scan using it, as we have a single license key based on the server ID.

Hi,

Thank you for your answers and for taking the time to investigate with us.

Sadly your answers do not allow us to pinpoint the corner case with certainty.

Since 2025.4.1 we have made a lot of improvements to the JS/TS taint analysis engine to contain abnormally long analysis times.

Until you can upgrade, one possible workaround is to create a specific Quality profile for this project, for the JavaScript and TypeScript languages, with the following rules disabled:

S2076,S2083,S2631,S3649,S5131,S5144,S5146,S5147,S5334,S5696,S5883,S6096,S6105,S6287,S6350

This is not an ideal solution, as it will skip the taint analysis analyser.
Note that the other SonarJS rules will stay active.