We are using SonarQube Server Developer Edition v10.8.1. Until about one week ago, the taint analysis of js in our GitLab pipeline took up to a maximum of 30 seconds. Now it takes up to 30 minutes. Any hint what the cause could be?
Hi,
This is going to be related to your codebase and/or to the resources available to analysis. Were there major commits a week ago?
Ann
Hi, I found the issue, and I see it as a bug in SonarQube.
Old code
let data = fs.readFileSync('/usr/lib/os-release',{ encoding: 'utf8' });
let version = data.match(/VERSION="([^ ]{0,32}).*"/),
name = data.match(/^NAME="(.*)"/m);
The SonarQube check takes about 2 minutes for the whole code. But SonarQube recommends the use of regexp.exec, not string.match(regexp).
New code
let version = /VERSION="([^ ]{0,32}).*"/.exec(data);
let name = /^NAME="(.*)"/m.exec(data);
Works, no SonarQube issues any longer, but it adds 20-30 minutes to the taint analysis of js.
Hi,
Thanks for the snippets. I’ve flagged this for the relevant experts.
Ann
@Udo_Pape-Kampmeier thank you for sharing this. I’ll try to reproduce it and get back to you.
Unfortunately, I was not able to reproduce with a minimal project and the snippets you shared.
Just to be sure, when you say “taint analysis” you mean the js security sensor duration in the logs?
Would you mind sharing logs with me to help investigate? If you prefer we can do that in a private conversation.
Hi Karim,
I have copied the relevant lines from the GitLab pipeline output running the scanner. If you need more, let me know.
Here it took about 15 minutes.
09:41:44.770 INFO Taint analysis for js: Starting
09:41:45.400 INFO 0 / 7792 UCFGs simulated, memory usage: 556 MB
09:41:46.082 INFO 91 / 7792 UCFGs simulated, memory usage: 257 MB
09:41:46.329 INFO 151 / 7792 UCFGs simulated, memory usage: 569 MB
09:41:54.249 INFO 499 / 7792 UCFGs simulated, memory usage: 674 MB
09:41:58.163 INFO 801 / 7792 UCFGs simulated, memory usage: 721 MB
09:42:20.173 INFO 1149 / 7792 UCFGs simulated, memory usage: 973 MB
09:43:06.332 INFO 1341 / 7792 UCFGs simulated, memory usage: 1981 MB
09:43:09.988 INFO 1701 / 7792 UCFGs simulated, memory usage: 661 MB
09:43:52.181 INFO 1874 / 7792 UCFGs simulated, memory usage: 2091 MB
09:44:28.894 INFO 2205 / 7792 UCFGs simulated, memory usage: 870 MB
09:44:31.997 INFO 2546 / 7792 UCFGs simulated, memory usage: 993 MB
09:44:34.955 INFO 3067 / 7792 UCFGs simulated, memory usage: 884 MB
09:44:40.880 INFO 3433 / 7792 UCFGs simulated, memory usage: 479 MB
09:44:44.047 INFO 3829 / 7792 UCFGs simulated, memory usage: 835 MB
09:44:55.785 INFO 4125 / 7792 UCFGs simulated, memory usage: 1587 MB
09:45:00.322 INFO 4478 / 7792 UCFGs simulated, memory usage: 450 MB
09:45:34.606 INFO 4480 / 7792 UCFGs simulated, memory usage: 2123 MB
09:46:08.805 INFO 4480 / 7792 UCFGs simulated, memory usage: 1427 MB
09:46:42.972 INFO 4480 / 7792 UCFGs simulated, memory usage: 763 MB
09:47:17.806 INFO 4480 / 7792 UCFGs simulated, memory usage: 2251 MB
09:47:44.466 INFO 4595 / 7792 UCFGs simulated, memory usage: 1035 MB
09:48:46.972 INFO 4595 / 7792 UCFGs simulated, memory usage: 1665 MB
09:49:47.307 INFO 4595 / 7792 UCFGs simulated, memory usage: 2346 MB
09:50:45.599 INFO 4595 / 7792 UCFGs simulated, memory usage: 841 MB
09:51:45.536 INFO 4595 / 7792 UCFGs simulated, memory usage: 1505 MB
09:52:43.649 INFO 4595 / 7792 UCFGs simulated, memory usage: 2178 MB
09:53:41.053 INFO 4595 / 7792 UCFGs simulated, memory usage: 722 MB
09:54:39.205 INFO 4595 / 7792 UCFGs simulated, memory usage: 1338 MB
09:55:36.203 INFO 4595 / 7792 UCFGs simulated, memory usage: 2026 MB
09:56:33.401 INFO 4595 / 7792 UCFGs simulated, memory usage: 571 MB
09:56:56.225 INFO 4729 / 7792 UCFGs simulated, memory usage: 2027 MB
09:56:57.695 INFO 4860 / 7792 UCFGs simulated, memory usage: 1793 MB
09:56:57.696 INFO Taint analysis for js: Time spent was 00:15:12.925
Kind Regards,
Udo
Thank you @Udo_Pape-Kampmeier, for sharing this log excerpt.
To ease investigation it would be helpful if you could share an archive with the content of .scannerwork/ucfg2/js (inside the working directory of the scan) after doing a scan.
If that’s OK for you, I’ll open a private discussion with you.