
[Bug] Joern-Scan Timeout Issue on PHP CVE Repositories

Open samhsu-dev opened this issue 1 year ago • 0 comments

Overview

We encountered a significant issue while analyzing 312 PHP repositories containing vulnerabilities referenced in CVE reports using joern-scan. Despite setting a 2-hour timeout per repository, approximately 90% of the scans exceeded this limit, resulting in incomplete analyses.

Steps to Reproduce

  1. Download 312 PHP repositories with versions corresponding to CVE reports.
  2. Execute joern-scan on each repository with a 2-hour timeout per analysis.
  3. Observe that the majority of scans do not complete within the allocated time.

Expected Behavior

  • joern-scan should complete the analysis within the 2-hour timeout per repository.
  • The tool should efficiently process PHP repositories without excessive runtime.

Observed Behavior

  • ~90% of repositories exceed the timeout, leading to failed or incomplete analyses.
  • No clear error messages explaining why the analysis takes longer than expected.

Questions for the Joern Team

  1. Is this expected behavior?
     • Should joern-scan take this long for large PHP repositories?
  2. Are there recommended configurations or additional arguments to optimize performance?
     • Are there specific flags or memory settings that could help?
  3. Does Joern have specific best practices for scanning large PHP projects?
     • Should we preprocess the repositories before running joern-scan?

System Information

  • Joern Version: 91e69dfc6617bc924ed899aadedfffaefed8096c
  • Java Version: Java 21-tem
  • OS: Ubuntu 20.04 LTS

samhsu-dev, Mar 11 '25 22:03
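The batch run described in the reproduction steps, written out as a shell script so that each repository's outcome and its captured stderr are kept rather than lost to a bare timeout. This is an added example, not code from the issue or from the Joern project. It assumes GNU coreutils `timeout` (exit status 124 when the limit is hit), that `SCAN_CMD` resolves to the scanner to run (defaults to `joern-scan`, overridable for dry runs), and a layout where every subdirectory of one parent directory is a repository to scan. Per-repo `.out`/`.err` files address the "no clear error messages" observation: whatever the scanner printed before being killed is still on disk.

```shell
#!/bin/sh
# Added example (not from the issue or the Joern project): run a scanner over every
# repository under one directory with a per-repository wall-clock limit, and record
# ok / timeout / error plus elapsed seconds for each. Assumes GNU coreutils `timeout`.

: "${SCAN_CMD:=joern-scan}"   # assumption: the scanner command; may include extra flags
: "${SCAN_TIMEOUT:=7200}"     # seconds; the issue used a 2-hour limit per repository

# scan_one DIR LOGDIR
#   Runs the scanner on DIR, capturing stdout/stderr into LOGDIR/<name>.out and .err.
#   Prints one tab-separated record: DIR, status (ok|timeout|error), elapsed seconds.
scan_one() {
  dir=$1; logdir=$2
  name=$(basename "$dir")
  start=$(date +%s)
  # $SCAN_CMD is intentionally unquoted so "joern-scan --flag" splits into words.
  # The if/else form keeps a non-zero exit from tripping `set -e` in callers.
  if timeout "$SCAN_TIMEOUT" $SCAN_CMD "$dir" >"$logdir/$name.out" 2>"$logdir/$name.err"; then
    rc=0
  else
    rc=$?
  fi
  end=$(date +%s)
  case $rc in
    0)   status=ok ;;
    124) status=timeout ;;   # GNU timeout reports 124 when the limit was hit
    *)   status=error ;;     # scanner itself failed; see LOGDIR/<name>.err
  esac
  printf '%s\t%s\t%s\n' "$dir" "$status" "$((end - start))"
}

# scan_all PARENT LOGDIR
#   Scans every subdirectory of PARENT, appending records to LOGDIR/results.tsv.
scan_all() {
  parent=$1; logdir=$2
  mkdir -p "$logdir"
  : >"$logdir/results.tsv"
  for d in "$parent"/*/; do
    [ -d "$d" ] || continue
    scan_one "${d%/}" "$logdir" | tee -a "$logdir/results.tsv"
  done
}

# summarize LOGDIR
#   Prints "status<TAB>count" for each status seen in LOGDIR/results.tsv.
summarize() {
  awk -F'\t' '{ n[$2]++ } END { for (s in n) printf "%s\t%d\n", s, n[s] }' "$1/results.tsv" | sort
}

# Typical use:  scan_all /data/php-cve-repos ./scan-logs && summarize ./scan-logs
```

Because `timeout` returns 124 only for the limit, a repository that fails for another reason (parser crash, out-of-memory) is counted as `error` rather than `timeout`, which separates the two causes the issue conflates. Setting `SCAN_CMD` to a stub lets the harness itself be checked without installing Joern.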