Tips for speeding up analysis time?

You can check if there is any "-verbosity: level" or "-v: level" flag passed in the msbuild command for your main build.

@mickaelcaro No, please see the attached code.

    - task: VSBuild@1
      enabled: true
      displayName: 'Sitecore.Website build'
      inputs:
        solution: '**/src/Project/xyz/code/xyz.Sitecore.Website.csproj'
        msbuildArgs: '/p:DeployOnBuild=true /p:DeployDefaultTarget=WebPublish /p:WebPublishMethod=FileSystem  /p:publishUrl="$(build.sourcesdirectory)\071DPLY\\" /p:BuildProjectReferences=true /p:DebugSymbols=false /p:DebugType=None /p:outputpath="$(build.sourcesdirectory)\071DOUTFLDR\\"'
        platform: '$(buildPlatform)'
        configuration: '$(buildConfiguration)'

My Azure VMs are in West Europe

See logs attached. sonarcloud_prepareanalysis_msbuild.zip (1.4 MB)

Background task example: AXUiDNT1oV2Q5xcOwqiF, yet this completed in 37s. Just to reiterate in case I wasn’t clear before: the Prepare Analysis and Run Code Analysis steps are not my concern; instead, my concern is that the MSBuild task is 10x slower when SonarCloud is enabled.

And to be noted here, just to make it clear: we are installing a targets file during the Prepare step to hook into the build step, so there’s definitely an overhead to expect, though 10x slower is not.

@Olivier_Schmitt @Christophe_Havard @mickaelcaro - I think this would probably be helpful in drilling down into the above issue. I was reading one of @Olivier_Schmitt's comments, so it's worth sharing.

We have 190 projects right now in the solution, and our build time increased as the number of projects increased, I suspect (see attached image below)
was 250k +/- 6 months ago, now is 2250k +/- now

  • the SonarCloud scanner scans every project = 190 analysis to perform
  • each analysis takes 1 minute to scan the code which is quite fast (but can be improved if the scope is reduced to the minimum) = 190 minutes of code analysis. Even with a 30-second step, the build time will be multiplied by 8

To validate the above theory, I just changed my build step to contain only one more project, which has no reference to other projects, and it just took 32s.

Having said that, what would you guys recommend, and what should be the minimum accepted time for scanning a project?

Thanks in advance

Hi @Schumi

Could you please add the following command in your msbuild task:

/p:reportanalyzer=true > build.log 

And post the report (I can PM you if you need). This will allow us to know which rules take the most time to be processed against your code.

Thanks in advance !

@mickaelcaro Thanks, let me try this. Yes, please PM me so that I can share the report with you.

Hi @alexvaccaro. It’s not clear to me from this thread if you are in the same team with @Schumi or have a different topic altogether.

RE: msbuild, like @mickaelcaro said, most of our analysis runs during msbuild.

The analysis is done in two steps:

  • during the build - our native Roslyn analyzers are running for most of the rules (~250); also, UCFG files are created for the vulnerability injection analysis which is done in the SonarCloudAnalyze step
  • during the SonarCloudAnalyze step - our security engine runs over the UCFG files to find vulnerabilities - we currently have 12 rules that detect injection vulnerabilities

The msbuild debug logs don’t help that much; we’d need the msbuild /p:reportanalyzer=true > build.log logs. At the end of each project compilation, it will print out a list with each of our rules and how much time it took. Like this we can detect outliers, and also maybe projects that are outliers. We can then advise based on this info.

If you want, we can continue this topic in a private thread, like we did with @Schumi. Or we can continue here.
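
One way to pull outlier rules and outlier compilations out of such a build.log, as an added example that is not code from SonarSource or from any poster in this thread. The report layout is assumed from the Roslyn compiler's analyzer report, and the rule names, rule IDs, version and timings in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of a build.log written with /p:reportanalyzer=true; layout assumed
# from the Roslyn analyzer report, rule names/IDs/version/timings are made up.
SAMPLE_LOG = """\
CoreCompile:
  Total analyzer execution time: 4.200 seconds.
  Time (s)    %   Analyzer
     4.200  100   SonarAnalyzer.CSharp, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
     3.100   73      SonarAnalyzer.Rules.CSharp.ExampleSlowRule (S0001)
     1.100   26      SonarAnalyzer.Rules.CSharp.ExampleFastRule (S0002)
CoreCompile:
  Total analyzer execution time: 0.900 seconds.
  Time (s)    %   Analyzer
     0.900  100   SonarAnalyzer.CSharp, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
     0.500   55      SonarAnalyzer.Rules.CSharp.ExampleSlowRule (S0001)
     0.400   44      SonarAnalyzer.Rules.CSharp.ExampleFastRule (S0002)
    <0.001   <1      SonarAnalyzer.Rules.CSharp.ExampleTinyRule (S0003)
"""

TOTAL_RE = re.compile(r"Total analyzer execution time: (\d+(?:\.\d+)?) seconds")
# Columns: time, percent, analyzer name; "<" covers values printed as "<0.001" and "<1".
ROW_RE = re.compile(r"^\s*<?(\d+\.\d+)\s+<?\d+\s+(\S.*?)\s*$")

def parse_report(text):
    """Return (seconds per rule summed over the log, total seconds per compilation)."""
    per_rule, per_compilation, in_table = defaultdict(float), [], False
    for line in text.splitlines():
        total = TOTAL_RE.search(line)
        if total:
            per_compilation.append(float(total.group(1)))
            in_table = False
        elif "Time (s)" in line and "Analyzer" in line:
            in_table = True
        elif in_table and line.strip():
            row = ROW_RE.match(line)
            if not row:
                in_table = False  # first non-row line ends the table
            elif ", Version=" not in row.group(2):  # skip assembly rows: no double counting
                per_rule[row.group(2)] += float(row.group(1))
    return dict(per_rule), per_compilation

def slowest(per_rule, n=3):
    return sorted(per_rule.items(), key=lambda kv: kv[1], reverse=True)[:n]

if __name__ == "__main__":
    rules, totals = parse_report(SAMPLE_LOG)
    print("slowest rules:", slowest(rules), "| slowest compilation (s):", max(totals))
```

Logs from parallel builds prefix each line with a node number such as `3>`, which this sketch does not strip.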