Taint analysis for js takes long time

Sumit_Singh2 · July 3, 2025, 11:51am

Hi team,

We’ve been facing a persistent issue with JS taint analysis in SonarQube for the past 6–8 months. One of our repositories consistently takes over an hour to complete the scan, while other repositories finish within 5–7 minutes.

We are running SonarQube Developer Edition v2025.3 via Helm on Kubernetes at the moment, and we’ve already tried the following steps:
• Increased container memory to 6GB requests / 8GB limits
• Deployed SonarQube on a dedicated instance
• Upgraded to the latest Developer Edition (v2025.3)

Despite these efforts, the scan time hasn’t improved. Upon investigation, we found that the majority of the time is spent during the “Taint analysis for js” phase. Here’s a snippet from the logs:

INFO: Taint analysis for js: Starting
INFO: 0 / 5386 UCFGs simulated, memory usage: 440 MB
INFO: 76 / 5386 UCFGs simulated, memory usage: 370 MB
INFO: 188 / 5386 UCFGs simulated, memory usage: 308 MB
INFO: 291 / 5386 UCFGs simulated, memory usage: 508 MB
INFO: 452 / 5386 UCFGs simulated, memory usage: 813 MB
INFO: 545 / 5386 UCFGs simulated, memory usage: 473 MB
INFO: 586 / 5386 UCFGs simulated, memory usage: 597 MB
INFO: 732 / 5386 UCFGs simulated, memory usage: 909 MB
INFO: 785 / 5386 UCFGs simulated, memory usage: 838 MB
INFO: 891 / 5386 UCFGs simulated, memory usage: 847 MB
INFO: 1085 / 5386 UCFGs simulated, memory usage: 328 MB
INFO: 1211 / 5386 UCFGs simulated, memory usage: 588 MB
INFO: 1237 / 5386 UCFGs simulated, memory usage: 627 MB
INFO: 1237 / 5386 UCFGs simulated, memory usage: 356 MB
INFO: 1237 / 5386 UCFGs simulated, memory usage: 931 MB
INFO: 1245 / 5386 UCFGs simulated, memory usage: 912 MB
INFO: 1245 / 5386 UCFGs simulated, memory usage: 1033 MB
INFO: 1257 / 5386 UCFGs simulated, memory usage: 715 MB
INFO: 1271 / 5386 UCFGs simulated, memory usage: 1986 MB
INFO: 1309 / 5386 UCFGs simulated, memory usage: 1515 MB
INFO: Taint analysis for js: Time spent was 00:46:13.927

We’d appreciate guidance on:
• How we can reduce the taint analysis time
• What might be causing this unusually long scan for this specific repo
• Any tunable settings or exclusions we should consider

Karim_El_Ouerghemmi · July 4, 2025, 9:43am

Hey @Sumit_Singh2,

thank you for sharing with us.

A new JS taint analyzer that will hopefully provide a better experience will be included in one of the next SQS releases so things might change soon.

In the meantime, we can have a look if there is a workaround like excluding certain files in your situation. For this we would need you to share the content of .scannerwork/ucfg2 from inside the project after a scan is done with us.
I’ll initiate a private discussion with you for the case you want to share this.

Best,
Karim.

Topic		Replies	Views
Taint analysis for js takes long time SonarQube Server / Community Build sonarqube , taint-analysis , js	1	33	May 9, 2025
Taint analysis for js slowed down SonarQube Server / Community Build	9	107	April 30, 2025
Slow JS analysis for large project SonarQube Server / Community Build performance , security	4	66	December 19, 2024
Disable Taint Analysis SonarQube Cloud	5	642	April 21, 2024
Sonarqube analyze taking very long SonarQube Server / Community Build coverage	8	105	November 19, 2024

Taint analysis for js takes long time

Related topics