Hello @Mark_Oueis
I had a look at the logs you gave (thank you!) and found the following interesting information:
17:20:45.085 INFO: Sensor CSharpSecuritySensor [security]
17:20:59.555 INFO: Read 2681 type definitions
17:20:59.591 INFO: Reading UCFGs from: C:\Jenkins\workspace\_DEVOPS-2728-snarqube-build-perf\.sonarqube\out\ucfg_cs2
17:23:52.538 INFO: 17:23:52.538 Building Runtime Type propagation graph
17:23:54.244 INFO: Analyzing 32268 ucfgs to detect vulnerabilities.
17:24:15.296 INFO: All rules entrypoints : 0 Retained UCFGs : 0
17:24:15.300 INFO: Sensor CSharpSecuritySensor [security] (done) | time=210215ms
The injection vulnerability analysis I previously mentioned didn’t actually take place due to some optimizations inside it (there were no entrypoints found in the application).
However, what took time was actually reading the metadata files we generated for analysis (type information and UCFG files containing the application control flow graph information). This suggests either that:
- you may want to look into optimizing the disk access on your build machines (either hardware or software)
- you may want to look into your antivirus software configuration (and exclude the folder with the source code / where the analysis is done)
And regarding the other report, please bear in mind that we removed (because of their performance problems) from the default Quality Profile the following two rules that you have activated:
23.209 9 SonarAnalyzer.Rules.CSharp.UnnecessaryUsings
22.350 8 SonarAnalyzer.Rules.CSharp.CbdeHandlerRule
UnnecessaryUsings is RSPEC-1128 (S1128) and it’s a code smell - you can remove it from the QP if you think it’s not worth the cost. CbdeHandlerRule refers to the rule RSPEC-3949 Calculations should not overflow (S3949), which currently does not have a good cost/benefit ratio in our opinion, hence we removed it from the SonarWay default Quality Profile.
The SymbolicExecutionRunner is running multiple bug-detection rules using the Symbolic Execution technique, and we believe they are worth the costs given the benefit they bring.
Regarding this: given that your Quality Profile contains rules that we removed from the default Quality Profile, your QP may be out of sync with the default one, which means you may not have the latest rules we have been adding. You may want to review which rules you include in your QP and add the newest ones to benefit from them. We've added many vulnerability and security hotspot detection rules in the past year, and it would be a pity not to benefit from them.
I hope this helps. Please let us know if you manage to improve your build times.
Thanks,
Andrei
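The reasoning in the post above (compare consecutive sensor timestamps to see which phase dominates) can be repeated mechanically on other builds. The script below is an added illustration, not part of the thread and not SonarQube or SonarSource tooling; it parses the CSharpSecuritySensor lines quoted above, attributes to each logged phase the time until the next line, and cross-checks the sum against the sensor's own time=...ms figure. The assumption that one INFO line marks the start of one phase is mine, not documented sensor behaviour.

```python
import re
from typing import Dict, List, Tuple

# The sensor output quoted in the post above, embedded so the script runs offline.
SENSOR_LOG = r"""
17:20:45.085 INFO: Sensor CSharpSecuritySensor [security]
17:20:59.555 INFO: Read 2681 type definitions
17:20:59.591 INFO: Reading UCFGs from: C:\Jenkins\workspace\_DEVOPS-2728-snarqube-build-perf\.sonarqube\out\ucfg_cs2
17:23:52.538 INFO: 17:23:52.538 Building Runtime Type propagation graph
17:23:54.244 INFO: Analyzing 32268 ucfgs to detect vulnerabilities.
17:24:15.296 INFO: All rules entrypoints : 0 Retained UCFGs : 0
17:24:15.300 INFO: Sensor CSharpSecuritySensor [security] (done) | time=210215ms
"""

LINE_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2})\.(\d{3}) INFO: (.*)$")
# Some sensor messages repeat their own timestamp ("INFO: 17:23:52.538 Building ...");
# strip it so phase names are stable across builds.
TS_PREFIX_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3} ")
TOTAL_RE = re.compile(r"time=(\d+)ms")


def to_ms(hh: str, mm: str, ss: str, ms: str) -> int:
    """Wall-clock time of day in milliseconds (the log carries no date)."""
    return ((int(hh) * 60 + int(mm)) * 60 + int(ss)) * 1000 + int(ms)


def parse_sensor_log(text: str) -> List[Tuple[int, str]]:
    """Return (timestamp_ms, message) for each INFO line, in file order."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines, WARN/DEBUG lines, unrelated sensors
        msg = TS_PREFIX_RE.sub("", m.group(5))
        entries.append((to_ms(*m.groups()[:4]), msg))
    return entries


def phase_durations(entries: List[Tuple[int, str]]) -> List[Tuple[str, int]]:
    """Assumption: a phase starts at its log line and ends at the next one."""
    out = []
    for (t0, msg), (t1, _) in zip(entries, entries[1:]):
        if t1 < t0:
            t1 += 24 * 3600 * 1000  # tolerate a midnight rollover between lines
        out.append((msg, t1 - t0))
    return out


def reported_total_ms(entries: List[Tuple[int, str]]) -> int:
    """The sensor's own 'time=NNNms' from the (done) line, or -1 if absent."""
    for _, msg in entries:
        m = TOTAL_RE.search(msg)
        if m:
            return int(m.group(1))
    return -1


def summarize(text: str) -> Dict[str, object]:
    """Per-phase durations plus a consistency check against the reported total."""
    entries = parse_sensor_log(text)
    phases = phase_durations(entries)
    measured = sum(d for _, d in phases)
    reported = reported_total_ms(entries)
    # Timestamps are millisecond-rounded, so allow 1 ms of slack.
    consistent = reported == -1 or abs(measured - reported) <= 1
    return {
        "phases": phases,
        "measured_ms": measured,
        "reported_ms": reported,
        "consistent": consistent,
    }


if __name__ == "__main__":
    s = summarize(SENSOR_LOG)
    total = s["measured_ms"]
    for msg, ms in sorted(s["phases"], key=lambda p: p[1], reverse=True):
        print(f"{ms / 1000:8.3f}s  {100 * ms / total:5.1f}%  {msg[:60]}")
    print(f"measured {total} ms, reported {s['reported_ms']} ms, "
          f"consistent={s['consistent']}")
```

On the quoted log this attributes about 173 s of the 210 s to "Reading UCFGs from: ..." and about 21 s to the vulnerability analysis itself, which is the I/O-bound picture the post describes; when the measured and reported totals disagree, lines from another sensor or a log level filter have probably crept into the input.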