Taint analysis for js takes a long time

Hi team,

We’ve been facing a persistent issue with JS taint analysis in SonarQube for the past 6–8 months. One of our repositories consistently takes over an hour to complete the scan, while other repositories finish within 5–7 minutes.

We are running SonarQube Developer Edition v2025.3 via Helm on Kubernetes at the moment, and we’ve already tried the following steps:
• Increased container memory to 6GB requests / 8GB limits
• Deployed SonarQube on a dedicated instance
• Upgraded to the latest Developer Edition (v2025.3)

Despite these efforts, the scan time hasn’t improved. Upon investigation, we found that the majority of the time is spent during the “Taint analysis for js” phase. Here’s a snippet from the logs:

INFO: Taint analysis for js: Starting
INFO: 0 / 5386 UCFGs simulated, memory usage: 440 MB
INFO: 76 / 5386 UCFGs simulated, memory usage: 370 MB
INFO: 188 / 5386 UCFGs simulated, memory usage: 308 MB
INFO: 291 / 5386 UCFGs simulated, memory usage: 508 MB
INFO: 452 / 5386 UCFGs simulated, memory usage: 813 MB
INFO: 545 / 5386 UCFGs simulated, memory usage: 473 MB
INFO: 586 / 5386 UCFGs simulated, memory usage: 597 MB
INFO: 732 / 5386 UCFGs simulated, memory usage: 909 MB
INFO: 785 / 5386 UCFGs simulated, memory usage: 838 MB
INFO: 891 / 5386 UCFGs simulated, memory usage: 847 MB
INFO: 1085 / 5386 UCFGs simulated, memory usage: 328 MB
INFO: 1211 / 5386 UCFGs simulated, memory usage: 588 MB
INFO: 1237 / 5386 UCFGs simulated, memory usage: 627 MB
INFO: 1237 / 5386 UCFGs simulated, memory usage: 356 MB
INFO: 1237 / 5386 UCFGs simulated, memory usage: 931 MB
INFO: 1245 / 5386 UCFGs simulated, memory usage: 912 MB
INFO: 1245 / 5386 UCFGs simulated, memory usage: 1033 MB
INFO: 1257 / 5386 UCFGs simulated, memory usage: 715 MB
INFO: 1271 / 5386 UCFGs simulated, memory usage: 1986 MB
INFO: 1309 / 5386 UCFGs simulated, memory usage: 1515 MB
INFO: Taint analysis for js: Time spent was 00:46:13.927

We’d appreciate guidance on:
• How we can reduce the taint analysis time
• What might be causing this unusually long scan for this specific repo
• Any tunable settings or exclusions we should consider

Hey @Sumit_Singh2,

Thank you for sharing with us.

A new JS taint analyzer that will hopefully provide a better experience will be included in one of the next SQS releases, so things might change soon.

In the meantime, we can have a look at whether there is a workaround, like excluding certain files, in your situation. For this, we would need you to share with us the content of .scannerwork/ucfg2 from inside the project after a scan is done.
I’ll initiate a private discussion with you in case you want to share this.

Best,
Karim.

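Added example, not part of either post and not SonarSource code: a small Python parser for the "UCFGs simulated" progress lines quoted in the question, reporting the last logged progress, peak memory, phase duration and the UCFG counts at which consecutive lines show no progress. The names `summarize` and `SAMPLE_LOG` are hypothetical, and because the excerpt carries no timestamps, a stall is counted in repeated log lines rather than in seconds.

```python
import re

# A subset of the log lines quoted in the question above.
SAMPLE_LOG = """\
INFO: Taint analysis for js: Starting
INFO: 0 / 5386 UCFGs simulated, memory usage: 440 MB
INFO: 1211 / 5386 UCFGs simulated, memory usage: 588 MB
INFO: 1237 / 5386 UCFGs simulated, memory usage: 627 MB
INFO: 1237 / 5386 UCFGs simulated, memory usage: 356 MB
INFO: 1237 / 5386 UCFGs simulated, memory usage: 931 MB
INFO: 1245 / 5386 UCFGs simulated, memory usage: 912 MB
INFO: 1245 / 5386 UCFGs simulated, memory usage: 1033 MB
INFO: 1257 / 5386 UCFGs simulated, memory usage: 715 MB
INFO: 1271 / 5386 UCFGs simulated, memory usage: 1986 MB
INFO: 1309 / 5386 UCFGs simulated, memory usage: 1515 MB
INFO: Taint analysis for js: Time spent was 00:46:13.927
"""

PROGRESS = re.compile(r"(\d+) / (\d+) UCFGs simulated, memory usage: (\d+) MB")
ELAPSED = re.compile(r"Taint analysis for (\w+): Time spent was (\d+):(\d+):(\d+)\.(\d+)")

def summarize(log_text):
    """Summarize one taint-analysis phase: progress, stalls, peak memory, duration."""
    samples = [tuple(map(int, m.groups())) for m in PROGRESS.finditer(log_text)]
    if not samples:
        raise ValueError("no UCFG progress lines found")
    # A stall is a run of consecutive progress lines with an unchanged count.
    stalls, run = {}, 1
    for prev, cur in zip(samples, samples[1:]):
        run = run + 1 if cur[0] == prev[0] else 1
        if run > 1:
            stalls[cur[0]] = run
    done, total, _ = samples[-1]
    m = ELAPSED.search(log_text)
    seconds = None
    if m:
        h, mi, s, ms = (int(g) for g in m.groups()[1:])
        seconds = h * 3600 + mi * 60 + s + ms / 1000
    return {
        "last_progress": (done, total),
        "percent_logged": round(100 * done / total, 1),
        "peak_memory_mb": max(mem for _, _, mem in samples),
        "stalls": stalls,  # {UCFG count: consecutive lines stuck at that count}
        "seconds": seconds,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Running it over the full scanner log of the slow repository and of a fast one gives comparable numbers to attach when reporting the problem.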