Trying to scan our second project which is kind off a fork from our other project, but it’s analysis fails. Could you perhaps comment?
Github
PHP
Hi @JimHarders,
Let me get back to you privately with details of the errors I can see
Regards,
@AlxO
Hey I removed the files that were crashing the scan from the repository, but the scan failed again, this time with the following analysis ID: “AXK8Y1pYig889G8QKMAa”.
I removed that file as well and got the same error now code is: AXK9BNHGjMiYP-15Tbfq
Also removed sales related article, the sanner doesn’t seem to like files ending on /* … code. …
new error code is: “AXK-FbtJdvqZJEmh3wzR”
Thanks for your patience @JimHarders.
It seems we’re running into an issue with rule S3649.
Could you please try with a modified quality profile for your project and see if that unblocks the situation?
that looks like a very important rule to me, one of the two reasons for which we are working with Sonar. For PHP there are only 2 other profiles PSR-2 and Drupal. Drupal doesn’t sound right I can try selecting PSR-2 i guess but what do these profiles mean?
It does work using PSR-2 however it now lists no vulnarebilitys anymore as such its kind of useless for the security initiative we took sonarcloud for. I changed the profile back again to sonarcloud default. And scanning again. In case it fails I really need the fule fixed, or pointed out where the rule fails.
It failed again at: AXLBZXAW4AOGh3kp4VED
Absolutely Jim,
Thanks for the feedback. My goal here was to narrow down the issue only.
If there’s an issue with this particular rule, we want to understand why and find the solution for it.
Give me some time to figure out our next steps.
Thanks!
Hi,
We investigated the problem. It seems the analysis crashes, because in our execution environment the 3GB memory is not enough for our security analyzer. We are aware of the issue and we will improve it over time.
For now, we don’t have a good solution to offer for your use case. Here’s anyway what you can try:
- Disable the PHP rules from the rule repository named “Security SonarAnalyzer”
or
- Run the analysis on another CI system that let’s you allocate more memory than 3GB for the scanner
We are working on a more acceptable solution.
Best,
Nils
1 Like
Is there any way we could otherwise split the REPO up into two parts on your end where we would read in half the repo in one “organization” and the other half in another “organization”. We should be able to set file exclusions for 1 half of the repo vs other half of the repo right? Also do you have an idea how far it’s gotten in the analysis, to have an idea on if it’s at 99% or at 50%?
If you are concerned about SonarCloud finding security vulnerabilities, it is not recommended that you reduce the size of the project, or exclude parts of it. These parts can be relevant to security analysis since control flows can run across your entire application. These control flows are used for the security analysis. If you now remove parts of these flows, possible vulnerabilities are no longer identified.
Unfortunately, PHP security analysis and autoscan do not go well together at the moment. We are working on a solution.
If all results of the security analysis are important to you, you should switch to another CI tool and not use the autoscan.
You can also disable individual security analysis checks instead of disabling them all as described in my previous answer. Besides the standard profiles like “Sonar way”, PSR-2 and Drupal, you can also create a profile where you select which rules/checks are executed. https://docs.sonarqube.org/latest/instance-administration/quality-profiles/. If you only use rules that are relevant for you, the scan can be run without exceeding the memory limit and you will get your desired result.
I think that might be a better approach to continue with the autoscan than to minimize the project unnaturally.
I talked to the lead architect, would it be possible to convert our paid solution into sonarqube so we can host the scanner on an AWS instance of our own?
Hello @JimHarders,
You do not need to use SonarQube to host the scanner yourself.
You are currently using a feature called “Automatic Analysis” that allows you to not run the scanner yourself, but it is automatically invoked by us on our infrastructure. It is however possible to run the scanner yourself on whichever platform you prefer. Usually people run the scanner as part of their CI pipeline.
You will find more information on how to configure this when you navigate to Administration > Analysis method on the project overview on SonarCloud.
Hope that helps!
Ok thanks 
I also played a lot with the inclusion / exclusion of files, for now i’ve excluded around 30 articles and it doesn’t run out of memory. We’ll be removing some unused files and should hopefully also fit within the automatic scanner 3GB limit again in the near future.
Hi @JimHarders,
We have mitigated some issues at our side. If you would like to, you may want to retry the Automatic Analysis option. Let me know!