hours analyzing JSPs, then running out of memory

Quoting sourceanalyzer's debug support log, lots of time and memory is spent analyzing JSP.  I appreciate the diligence, but why are 32GB not enough to pull through the JSPs?

[2020-10-06 04:04:19.242 DEBUG ]
Taint.FunctionAnalyzer: /jsp/applicationmaintenance/CorpAdminFWFG/CDCIControllerDetails.jsp/CDCIControllerDetails.jsp(1)
MaxFilterIn: -1
MaxFilterOut: -1
logger:com.fortify.sca.analyzer.taint.FunctionAnalyzer marker:DEV thread:TaintAnalyzer-thread-63-209
MDC:{analyzer=TaintAnalyzer, msgId=-1, severity=LOG, sourceFunction=/jsp/applicationmaintenance/CorpAdminFWFG/CDCIControllerDetails.jsp/CDCIControllerDetails
.jsp(/jsp/applicationmaintenance/CorpAdminFWFG/CDCIControllerDetails.jsp), step=TAINT_LOCAL} NDC:[]
[2020-10-06 04:05:48.642 DEBUG ]
visit: /jsp/applicationmaintenance/CorpAdminFWFG/CDCIControllerDetails.jsp/<static>(0) (maxFieldDepth: 5, maxIndirectionLevel: 4, allowArrayIndices: true) (visi
t 1)
logger:com.fortify.sca.analyzer.taint.FunctionAnalyzer marker:DEV thread:TaintAnalyzer-thread-63-209
MDC:{analyzer=TaintAnalyzer, msgId=-1, nstFunction=JSPPAGE._jsp_applicationmaintenance_CorpAdminFWFG._jspCDCIControllerDetails_jsp.clinit^~S, severity=LOG, s
ourceFunction=/jsp/applicationmaintenance/CorpAdminFWFG/CDCIControllerDetails.jsp/<static>(), sourceInfo=CDCIControllerDetails.jsp:1:1, step=TAINT_LOCAL} NDC:[t
imerTaint.FunctionAnalyzer.run]
[2020-10-06 04:05:48.642 WARN 1126]
Scan progress is very slow due to JVM garbage collection, which may indicate low memory or low cpu power allocated for GC. For details on making more memory or
GC resources available, please consult the user manual.
logger:com.fortify.sca.util.ScanMonitor marker:USER thread:ScanMonitor-17
MDC:{msgId=1126, severity=WARNING} NDC:[]
[2020-10-06 04:05:48.642 DEBUG ]
Elapsed: 422741, GC: 422515, Ratio: 0.9994654
logger:com.fortify.sca.util.ScanMonitor marker:DEV thread:ScanMonitor-17
MDC:{msgId=-1, severity=LOG} NDC:[]
[2020-10-06 04:05:02.407 DEBUG ]
Timers: (elapsed 146:59:34)
AliasAnalyzer.FixedPoint: 18:58 [1138805] 18:59 [1139149]
AliasAnalyzer.FlowInsensitive: 00:00 [358] 00:00 [358]
AliasAnalyzer.FlowSensitive: 01:27 [87621] 01:30:01 [5401457]
AliasAnalyzer.Liveness: 01:12:01 [4321209] 01:12:01 [4321209]
AliasAnalyzer.getAliasLocs: 02:09 [129991] 02:09 [129991]
BackEnd.Analyze: 00:00 [68] 146:59:32 [529172172]
BufferAnalyzer: 00:00 [2] 00:00 [28]
CA.visit: 47:32:41 [171161136]54:05:14 [194714737]
CallGraphBuilder: 01:01:04 [3664436] 01:01:11 [3671840]
CallGraphBuilder.ReachingTypes: 13:16 [796552] 20:31 [1231393]
CallGraphBuilder.getAllTargetsForCall: 11:33 [693980] 11:37 [697221]
ConfigFileAnalyzer: 00:00 [7] 00:04 [4049]
ConstantPropagator: 00:10 [10864] 00:17 [17861]
ContentAnalyzer: 00:00 [43] 02:38 [158121]
ContentAnalyzer.getContentXML: 00:20 [20095] 00:20 [20095]
ControlFlow.PathChecker: 16:30 [990690] 06:30:07 [23407079]
ControlFlow.PathChecker.BuildConstraints: 06:50 [410114] 06:50 [410118]
ControlFlow.PathChecker.ConditionPropagator: 05:54:48 [21288566] 05:54:48 [21288580]
ControlFlow.PathChecker.ConvertToCnf: 02:40 [160282] 02:40 [160282]
ControlFlow.PathChecker.SendCnfToSolver: 04:38 [278384] 04:39 [279386]
ControlFlow.PathChecker.solve: 00:42 [42298] 04:38 [278023]
Controlflow.buildResults: 00:00 [631] 00:00 [631]
ControlflowAnalyzer: 13:35:59 [48959723] 13:36:00 [48960354]
EntryPointAnalyzer: 00:00 [0] 02:00:25 [7225933]
InferredConstantResolution: 00:10 [10625] 00:14 [14922]
ModelData.WriteToDatastore: 04:16:09 [15369830] 04:16:09 [15369830]
NSTReader.parse: 03:57 [237899] 03:57 [237899]
NullPointerAnalyzer: 00:00 [2] 00:01 [1001]
PHASE_ONE_TWO: 00:01 [1597] 145:28:48 [523728009]
PHASE_ZERO: 00:06 [6829] 01:30:44 [5444095]
RuleLoad: 00:03 [3504] 00:40 [40494]
RuleLoad.loadCastor: 00:21 [21471] 00:21 [21471]
RuleScript.RunMidAnalysis: 00:00 [10] 00:12 [12458]
RuleScriptInterpreter.RunScripts: 00:01 [1160] 00:15 [15519]
RuleSet.getRulesForFunction: 12:31 [751030] 12:31 [751030]
Script.00B24B80-91F5-4664-AA5B-0E06CE5AB84C: 00:00 [7] 00:00 [7]
Script.056B11B4-488F-4102-A1FF-BA7ED17D2CF5: 00:00 [1] 00:00 [1]
Script.08D49B1C-0F10-44EC-A701-5F9AB0753E92: 00:00 [8] 00:00 [8]
Script.09419C3D-9BC0-4E7B-8E17-D6AD44A378F3: 00:00 [2] 00:00 [2]
Script.09D93C59-75F1-448C-8B37-10D545E435E2: 00:00 [1] 00:00 [1]
Script.0D58F858-6796-44EC-90C2-E0498B15E7FC: 00:00 [4] 00:00 [4]
Script.0E0FD33C-AAD5-45EB-A0D1-D17FF96B4212: 00:00 [2] 00:00 [2]
Script.101D2168-89EF-4102-8CFA-5ED82CF37A30: 00:00 [6] 00:00 [6]
Script.1162F279-0A74-4B38-AF5F-11747C74107D: 00:00 [8] 00:00 [8]
Script.15EDD3AB-0EDB-4095-A0FD-B79BC549B5CC: 00:00 [1] 00:00 [1]
Script.17F90278-B4CF-4D53-B8C4-C5D05C666358: 00:00 [6] 00:00 [6]
Script.196C1E73-8993-4322-B242-FFDF94718CDA: 00:00 [1] 00:00 [1]
Script.1F785C9F-D04E-49D1-81C0-E0592A85D8A0: 00:00 [3] 00:00 [3]
Script.23ECDD89-57AE-4D6B-A5D2-C67B323F9AB2: 00:00 [3] 00:00 [3]
Script.257082C6-B89B-4AC2-BA50-C457B339720C: 00:00 [2] 00:00 [2]
Script.260C061D-F3F9-42FB-A118-5A2AD5FA84A4: 00:00 [10] 00:00 [10]
Script.2787D80B-01E1-493F-BE01-2B537D546C72: 00:00 [7] 00:00 [7]
Script.28197F4C-0579-4799-891B-0AF05784EAE5: 00:00 [8] 00:00 [8]
Script.2A95FAB4-5070-45C9-A1CB-DCBAA7F02020: 00:00 [2] 00:00 [2]
Script.2B42292E-4694-465E-BC12-40FB19E5FED6: 00:00 [6] 00:00 [6]
Script.2D73FEBA-505D-425F-B538-8DE7EDCD06EE: 00:00 [9] 00:00 [9]
Script.3239454B-DD39-4174-915C-48DEFCAF5D90: 00:00 [3] 00:00 [3]
Script.3390C469-E9A2-46F9-9323-469AD3096AE7: 00:00 [8] 00:00 [8]
Script.371AD358-B71C-4375-AB55-4633E9896234: 00:00 [1] 00:00 [1]
Script.3DEE4C09-8617-4F17-ADA3-145189BE354F: 00:00 [9] 00:00 [9]
Script.3FF9D966-D1C3-481C-87EB-52675531635D: 00:00 [9] 00:00 [9]
Script.436A9149-5962-494C-BF87-0EA6143E3BAE: 00:00 [1] 00:00 [1]
Script.43B34F1C-DBE0-4B58-A5C7-96C91F69B26D: 00:00 [1] 00:00 [1]
Script.475B2085-4E81-46D1-A614-758992F8977F: 00:00 [11] 00:00 [11]
Script.4B3CA71B-E847-4D30-8AE3-D7138B40BD3C: 00:00 [7] 00:00 [7]
Script.4D9302DC-D851-4DD2-A1AB-57A81904BE32: 00:00 [6] 00:00 [6]
Script.5859C362-66D0-466A-BD81-F2393EA5D4C8: 00:00 [2] 00:00 [2]
Script.5C13813D-CDA8-43AB-88DE-8E802CDB2F8A: 00:00 [2] 00:00 [2]
Script.5D353D96-765C-469D-887F-EE306F52F6D6: 00:00 [9] 00:00 [9]
Script.6069D405-0D29-4216-8B1A-D76B670651FE: 00:00 [2] 00:00 [2]
Script.62768569-FF0A-4F87-B200-F7C9B44CCF07: 00:00 [1] 00:00 [1]
Script.627CAAD9-A5C5-4A89-9767-1863A1C96E80: 00:00 [7] 00:00 [7]
Script.651F4616-86B6-4A2D-B61F-6711CE645E51: 00:00 [2] 00:00 [2]
Script.651F4616-86B6-4A2D-B61F-6881CE645E52: 00:00 [10] 00:00 [10]
Script.677D2080-3B0D-4D58-A50C-445B909AA4D4: 00:00 [7] 00:00 [7]
Script.67F5CED0-A51C-42D7-A789-FFF952F58C49: 00:00 [1] 00:00 [1]
Script.6C3BD6EB-FB68-41F8-806C-480AA634B38C: 00:00 [11] 00:00 [11]
Script.6F32FF87-B31E-4BC1-9CF1-8FB42AEA70B8: 00:00 [1] 00:00 [1]
Script.708A441A-21A5-4946-887D-E619B559DF70: 00:00 [8] 00:00 [8]
Script.7A9479E8-1C06-4A99-8A1F-2DB4339372E3: 00:00 [2] 00:00 [2]
Script.7CE4A38F-7D10-45C8-83D4-91EE890026BF: 00:00 [1] 00:00 [1]
Script.7DDCF7B6-5C23-48F5-A44A-B6A0E0643058: 00:00 [1] 00:00 [1]
Script.7EFD0691-DA29-4BF5-9265-3B0925F401D9: 00:00 [8] 00:00 [8]
Script.80F5FD42-88D9-4484-B33B-87C53FC350BA: 00:00 [2] 00:00 [2]
Script.83F6E487-70ED-4935-8B68-9E2ED3583F42: 00:00 [2] 00:00 [2]
Script.84AB2435-59CA-461A-BBB5-C81C13049365: 00:00 [3] 00:00 [3]
Script.86C830F3-124D-4063-8C89-EC0502258B08: 00:00 [3] 00:00 [3]
Script.8818735A-08BB-4274-AE6F-3DE087AAE3C0: 00:00 [7] 00:00 [7]
Script.8CD539E5-5D50-43FC-B42D-3335931AEF4B: 00:00 [1] 00:00 [1]
Script.8ECE1D9E-AE40-4AD1-9ECB-6D024DBF8FCA: 00:00 [1] 00:00 [1]
Script.926103B5-C15D-4B75-BBFE-81F2C76FD94C: 00:00 [2] 00:00 [2]
Script.9685FAD3-DC05-4ED5-ACC4-2703ABCD1494: 00:00 [2] 00:00 [2]
Script.968D7977-998A-463C-B13D-ABFA51C3FE69: 00:00 [2] 00:00 [2]
Script.97F49244-47E4-4D93-BBF7-A8A8C666AA09: 00:00 [1] 00:00 [1]
Script.9863A2AA-9F8F-46DE-87EA-71F88DC10F33: 00:00 [1] 00:00 [1]
Script.9D3F788A-1B91-4C4E-9928-B22DD3248EB2: 00:00 [1] 00:00 [1]
Script.<builtin>: 00:00 [576] 00:00 [576]
Script.A2E2B829-1849-4926-8238-C65C10BEA71D: 00:00 [8] 00:00 [8]
Script.A7B775B3-B4D9-4827-A592-3067AA9D3BE5: 00:00 [6] 00:00 [6]
Script.AAB28623-DBF8-4093-B81D-C8E94EA1D56C: 00:00 [1] 00:00 [1]
Script.B1F5D0B0-DE56-42DE-ACD2-B79107F3324D: 00:00 [1] 00:00 [1]
Script.BDBE0325-3C70-47CD-A383-28F9DCF80409: 00:00 [6] 00:00 [6]
Script.BE37E214-0AAC-4A07-98A4-4DB87BC94071: 00:00 [6] 00:00 [6]
Script.BE4C87FF-0F69-4BCE-8A4E-B7C5C6B76524: 00:00 [7] 00:00 [7]
Script.BE8C5359-ED98-4881-9F14-6641C7B1C092: 00:00 [1] 00:00 [1]
Script.C0361CD2-AC7B-4C2D-9C40-2F9B36743671: 00:00 [8] 00:00 [8]
Script.C057726E-D2F1-480D-AF74-73A6A458CBBB: 00:00 [1] 00:00 [1]
Script.C1CD9C8B-FF23-4159-9BBF-DCFDD453C74B: 00:00 [1] 00:00 [1]
Script.C24B9361-E794-4B07-ACDF-0799F72175CF: 00:00 [6] 00:00 [6]
Script.C9DF7CB8-9949-4687-8E2C-D29C97800A1E: 00:00 [10] 00:00 [10]
Script.CB988795-AEF8-4681-ABBA-A9C1BB4E0528: 00:00 [6] 00:00 [6]
Script.CE8233A1-2024-45EF-9554-D267D818E6FA: 00:00 [1] 00:00 [1]
Script.CFBB981E-9DC8-467F-8856-B5BA230209EE: 00:00 [1] 00:00 [1]
Script.D534F2AC-B993-479E-9032-DFEA8CBCFDF2: 00:00 [2] 00:00 [2]
Script.D6937655-D8A5-4963-8AC0-0BF9105299C8: 00:00 [7] 00:00 [7]
Script.D732C017-EFE7-4318-8351-12C9CF280AB0: 00:00 [1] 00:00 [1]
Script.D9687AA6-AC13-49E6-A28E-6B3C0D16FFAD: 00:00 [15] 00:00 [15]
Script.DA628366-APF1-4D37-879F-7B8F53FF24C1: 00:00 [9] 00:00 [9]
Script.DA628366-FBE1-4D37-879F-7B8F53FF24C1: 00:00 [8] 00:00 [8]
Script.DA6F3C64-0A25-40E5-AD59-85968AEC9EF0: 00:00 [1] 00:00 [1]
Script.DEB0C2A5-4412-48EB-82C9-BF250426345C: 00:00 [8] 00:00 [8]
Script.DEDB1755-5DD8-4316-88C7-9FEC2A7E5E39: 00:00 [1] 00:00 [1]
Script.E4638D3A-54AC-43D6-AB63-2E77433266C6: 00:00 [8] 00:00 [8]
Script.E8885AA6-C967-490A-B4DF-5F4692EF6BF5: 00:00 [1] 00:00 [1]
Script.EA3363CC-69F3-4798-8F6F-81171C9B0308: 00:00 [1] 00:00 [1]
Script.EBF17005-3D9D-4E79-8C20-EDC08F170908: 00:00 [1] 00:00 [1]
Script.EDFB80D0-A2F0-494F-A7EF-074F910C0384: 00:00 [9] 00:00 [9]
Script.EEE0A367-5CB4-4EFD-A04B-85FA7F388853: 00:00 [1] 00:00 [1]
Script.EF56638C-726C-4A6F-BF57-2CF912F8E031: 00:00 [2] 00:00 [2]
Script.F040A1E6-DE66-4E04-96D7-A2FF0EC2EE89: 00:00 [7] 00:00 [7]
Script.F11B4967-48B2-49B2-9B91-C6431E4E4B1B: 00:00 [2] 00:00 [2]
Script.F3081042-02F4-4F46-9F1B-0DDC9258C6EB: 00:00 [2] 00:00 [2]
Script.F4521484-9529-487B-8C73-83BF9E95F35D: 00:00 [2] 00:00 [2]
Script.F84704B7-D0BD-4B72-85AA-52BA08907095: 00:00 [3] 00:00 [3]
Script.FCC143C7-A4E3-4647-BF1A-83A2224F7154: 00:00 [1] 00:00 [1]
Script.GWT_labeling: 00:00 [1] 00:00 [1]
Script.JavaJMX: 00:00 [7] 00:00 [7]
Script.LabelingXMLMappedClasses: 00:00 [8] 00:00 [8]
Script.Spring3Labeling: 00:00 [19] 00:00 [19]
Script.Spring_EL_resolution: 00:00 [47] 00:00 [47]
Script.XStreamLabel: 00:00 [10] 00:00 [10]
Script.addAxisWSDDWebServiceEntryPoints: 00:00 [16] 00:00 [16]
Script.addAxisWebServiceEntryPoints: 00:00 [20] 00:00 [20]
Script.addDefaultBlazeDSEntryPoints: 00:00 [10] 00:00 [10]
Script.addLabellToFieldUtil: 00:00 [1] 00:00 [1]
Script.addSpringBlazeDSEntryPoints: 00:00 [2] 00:00 [2]
Script.adf: 00:00 [20] 00:00 [20]
Script.android: 00:00 [13] 00:00 [13]
Script.android_callbacks: 00:00 [3] 00:00 [3]
Script.android_js_bridge: 00:00 [2] 00:00 [2]
Script.android_labels: 00:00 [8] 00:00 [8]
Script.android_layout: 00:00 [18] 00:00 [18]
Script.android_lib: 00:00 [22] 00:00 [22]
Script.android_map_or: 00:00 [28] 00:00 [28]
Script.android_optional_permissions_map: 00:00 [2] 00:00 [2]
Script.android_permissions_map: 00:00 [80] 00:00 [80]
Script.android_permissions_map_extra: 00:00 [18] 00:00 [18]
Script.android_permissions_map_fortify: 00:00 [1] 00:00 [1]
Script.android_permissions_or_simple: 00:00 [8] 00:00 [8]
Script.android_persist: 00:00 [6] 00:00 [6]
Script.android_protected_actions: 00:00 [1] 00:00 [1]
Script.android_standard_activity_actions: 00:00 [1] 00:00 [1]
Script.android_standard_receiver_actions: 00:00 [7] 00:00 [7]
Script.androidprivilegeperms: 00:00 [6] 00:00 [6]
Script.angular_ngCookie_check_init: 00:00 [12] 00:00 [12]
Script.angular_sce_check_init: 00:00 [19] 00:00 [19]
Script.angular_xsrf_check_init: 00:00 [13] 00:00 [13]
Script.csr_library: 00:00 [30] 00:00 [30]
Script.dependencies: 00:00 [33] 00:00 [33]
Script.dependency_lib: 00:00 [7] 00:00 [7]
Script.dwr: 00:00 [18] 00:00 [18]
Script.expressjs_mime_sniffing_check: 00:00 [32] 00:00 [32]
Script.f4d2a07a-7200-49e2-b54b-67e4287c11c9: 00:00 [1] 00:00 [1]
Script.faces_config: 00:00 [10] 00:00 [10]
Script.hibernate: 00:00 [2] 00:00 [2]
Script.hibernateLabeling: 00:00 [7] 00:00 [7]
Script.init: 00:01 [1551] 00:11 [11770]
Script.init_midAnalysisScripts: 00:00 [1] 00:00 [1]
Script.init_preAnalysisScripts: 00:00 [9] 00:00 [9]
Script.java_scripting_library: 00:00 [36] 00:00 [36]
Script.javascript_lib_script: 00:00 [19] 00:00 [19]
Script.jsf: 00:00 [876] 00:00 [876]
Script.jsf_persist: 00:00 [1] 00:00 [1]
Script.jsf_version_persist: 00:00 [1] 00:00 [1]
Script.label_spring_commandclasses: 00:00 [7] 00:00 [7]
Script.logger: 00:00 [3] 00:00 [3]
Script.managed_beans_config: 00:00 [80] 00:00 [80]
Script.midScriptUtil: 00:01 [1113] 00:10 [10989]
Script.mid_spring_boot_script: 00:00 [47] 00:00 [47]
Script.mybatis_mapper_label: 00:00 [11] 00:00 [11]
Script.oa_framework: 00:00 [194] 00:00 [194]
Script.oa_framework_util: 00:00 [3] 00:00 [3]
Script.process_aws_sam_files: 00:00 [13] 00:00 [13]
Script.queryMetaTable: 00:00 [9] 00:00 [9]
Script.recursiveLabeling: 00:00 [1] 00:00 [1]
Script.resources/rulescript_init.js: 00:00 [425] 00:00 [425]
Script.rest_mass_assignment: 00:00 [4] 00:00 [4]
Script.scripting_library: 00:00 [50] 00:00 [50]
Script.spring: 00:00 [30] 00:00 [30]
Script.springRFD: 00:00 [9] 00:00 [9]
Script.spring_csr_library: 00:00 [26] 00:00 [26]
Script.spring_data: 00:00 [19] 00:00 [19]
Script.spring_mass_assignment: 00:00 [8] 00:00 [8]
Script.spring_validation: 00:00 [24] 00:00 [24]
Script.storeObjectsForMidScripts: 00:00 [5] 00:00 [5]
Script.struts1: 00:00 [309] 00:00 [309]
Script.struts1_config: 00:00 [10] 00:00 [10]
Script.struts1_config_helper: 00:00 [3] 00:00 [3]
Script.struts1_persist_validated_fields: 00:00 [7] 00:00 [7]
Script.struts1_util: 00:00 [1] 00:00 [1]
Script.struts1_validated_fields: 00:00 [7] 00:00 [7]
Script.struts2: 00:00 [130] 00:00 [130]
Script.struts2_CVE-2017-9791: 00:00 [6] 00:00 [6]
Script.struts2_OGNL_resolution: 00:00 [10] 00:00 [10]
Script.struts2_config: 00:00 [5] 00:00 [5]
Script.struts2_persist_validated_fields: 00:00 [1] 00:00 [1]
Script.struts2_util: 00:00 [1] 00:00 [1]
Script.struts2_validated_fields: 00:00 [6] 00:00 [6]
Script.struts2_validators: 00:00 [11] 00:00 [11]
Script.struts_mass_assignment: 00:00 [4] 00:00 [4]
Script.util: 00:00 [13] 00:00 [13]
Script.yaml_parser: 00:00 [50] 00:00 [50]
SemanticAnalyzer: 00:00 [4] 01:24 [84757]
Solver.ZE.packarray: 00:01 [1002] 00:01 [1002]
Solver.ZE.synccom: 03:55 [235725] 03:55 [235725]
Sourceanalyzer.Run: 00:00 [330] 146:59:32 [529172502]
SsiGen.Generic.run: 21:53 [1313025] 21:53 [1313025]
SsiGen.StringFragment.run: 20:59 [1259243] 20:59 [1259243]
SsiGen.Taint SSI Builder.run: 01:20:06 [4806773] 01:43:16 [6196498]
Structural.Complete: 01:14 [74636] 01:14 [74738]
Structural.FunMeta: 06:11:36 [22296522] 06:11:36 [22296524]
Structural.TypeMeta: 00:00 [102] 00:00 [102]
StructuralAnalyzer: 00:00 [185] 01:34:19 [5659436]
Taint.FA.Builder: 505:36:40 [1820200377]507:12:21 [1825941828]
Taint.FA.visit: 02:21:26 [8486835] 02:31:38 [9098348]
Taint.FunctionAnalyzer.filter: 00:44 [44158] 00:44 [44158]
Taint.FunctionAnalyzer.run: 01:26 [86038] 511:28:42 [1841322737]
TaintAnalyzer: 128:13:52 [461632733]128:13:52 [461632733]
ThreadPool.Annotations.Pass1: 00:00 [6] 00:00 [6]
ThreadPool.Annotations.Pass2: 00:00 [7] 00:00 [7]
ThreadPool.BufferAnalyzer: 00:00 [26] 00:00 [26]
ThreadPool.CallGraphBuilder: 15:22 [922727] 15:22 [922727]
ThreadPool.CallTargets: 01:27 [87714] 01:27 [87714]
ThreadPool.ConfigFileAnalyzerXml: 00:04 [4042] 00:04 [4042]
ThreadPool.ConstantPropagation.Initial: 00:05 [5099] 00:05 [5099]
ThreadPool.ConstantPropagation.Visits: 00:01 [1898] 00:01 [1898]
ThreadPool.ContentAnalyzer: 02:38 [158078] 02:38 [158078]
ThreadPool.EntryPointAnalyzer: 02:00:25 [7225933] 02:00:25 [7225933]
ThreadPool.FunctionComplexityMetrics: 00:02 [2249] 00:02 [2249]
ThreadPool.FunctionModel: 00:42 [42740] 00:42 [42740]
ThreadPool.FunctionReset: 06:13 [373209] 06:13 [373209]
ThreadPool.InferredConstants.Sorting: 00:04 [4297] 00:04 [4297]
ThreadPool.LexerWork: 00:00 [308] 00:00 [308]
ThreadPool.NameTableLoad: 10:26 [626131] 10:26 [626131]
ThreadPool.NstTransformer: 49:47 [2987524] 49:47 [2987524]
ThreadPool.NullPointerAnalyzer: 00:00 [999] 00:00 [999]
ThreadPool.ReachingTypes: 05:08 [308896] 05:08 [308896]
ThreadPool.SemanticAnalyzer: 01:24 [84753] 01:24 [84753]
ThreadPool.StructuralAnalyzer: 01:33:04 [5584513] 01:33:04 [5584513]
TypeInference.Initialize: 00:00 [20] 00:00 [20]

Counters:
CallGraphBuilder.getAllTargetsForCall: 6,900,029
CallGraphBuilder.visits: 2,623
ConstantProp.Final.QueuedTasks: 0
ConstantProp.Final.RunningTasks: 0
ConstantProp.Propagate.QueuedTasks: 0
ConstantProp.Propagate.RunningTasks: 0
ControlFlow.BasicBlockVisits: 152,290
ControlFlow.spawningBindingMaps: 10,371
Controlflow.TooComplex.Time: 308
ControlflowAnalyzer.QueuedTasks: 0
ControlflowAnalyzer.RunningTasks: 0
GeneratedFunctionProfile.passthroughs: 59
GeneratedFunctionProfile.passthroughsDepth: 65
GeneratedFunctionProfile.sinks: 4,314
GeneratedFunctionProfile.sinksDepth: 4,314
GeneratedFunctionProfile.sources: 8
GeneratedFunctionProfile.sourcesDepth: 8
MapOperations.Skipped: 1
NST Deserializations: 20,594
NST Serializations: 19,003
PathChecker.calls.Vuln: 12,300
PhaseOneUniverse: 2,623
SemanticAnalyzer.issues: 6
SemanticFunctionVisits: 2,623
Solver.ZC.sat: 12,289
Solver.ZE.startCall: 82,231
Solver.ZE.write.buffer: 54,670
StatefulAnalyzer.functionVisits: 2,623
StatefulAnalyzer.issues: 27
StatefulVuln.discarded: 11,703
StatefulVulnLowLevel: 24,704
StructuralAnalyzer.funMetaVisits: 2,623
StructuralAnalyzer.issues: 53
StructuralAnalyzer.typeMetaVisits: 1,759
Taint.FunctionAnalyzer.run: 1,896
Taint.writeIssueData: 205
Taint.writeProfileData: 220
Taint.writeStructuralMatchData: 1,890
TaintAnalyzer.QueuedTasks: 744
TaintAnalyzer.RunningTasks: 4
addZChaffClause: 5,560
NameTable.types: 1,759
NameTable.typesByName: 1,759
NameTable.funs: 3,764
NameTable.storage: 479

Heap: [free:] 1,530,432,144 [max:] 20,830,486,528 [total:] 20,830,486,528
Live NST: [VarDecl:] 388 [FunDecl:] 1105
NST Serializer: queued: 0 pinned: 25
Task information
Completed count: 18,060
Completed time (ms): 2,040,717,835
Longest tasks (ms):
54,948,932 : [TaintAnalyzer]: JSPPAGE._jsp_applicationmaintenance_CorpAdminFWFG._jspCurrencyWorkingDaysDetails_jsp._jspService~
53,299,300 : [TaintAnalyzer]: JSPPAGE._jsp_applicationmaintenance_CorpAdminFWFG._jspCurrencyParameters_jsp._jspService~
51,542,203 : [TaintAnalyzer]: JSPPAGE._jsp_applicationmaintenance_CorpAdminFWFG._jspCurrencyWorkingDays_jsp._jspService~
47,126,408 : [TaintAnalyzer]: JSPPAGE._jsp_applicationmaintenance_CorpAdminFWFG._jspDataCenterDetails_jsp._jspService~
43,174,157 : [TaintAnalyzer]: JSPPAGE._jsp_applicationmaintenance_CorpAdminFWFG._jspDataCenter_jsp._jspService~
39,017,325 : [TaintAnalyzer]: JSPPAGE._jsp_applicationmaintenance_CorpAdminFWFG._jspErrorCodeDetails_jsp._jspService~
38,892,437 : [TaintAnalyzer]: JSPPAGE._jsp_applicationmaintenance_CorpAdminFWFG._jspErrorCodes_jsp._jspService~
37,001,948 : [TaintAnalyzer]: JSPPAGE._jsp_applicationmaintenance_CorpAdminFWFG._jspEventMaintenanceDetails_jsp._jspService~
35,476,202 : [TaintAnalyzer]: JSPPAGE._jsp_applicationmaintenance_CorpAdminFWFG._jspCurrencyParametersDetails_jsp._jspService~
34,718,545 : [TaintAnalyzer]: JSPPAGE._jsp_applicationmaintenance_CorpAdminFWFG._jspEvent_jsp._jspService~
32,787,143 : [TaintAnalyzer]: JSPPAGE._jsp_applicationmaintenance_CorpAdminFWFG._jspExchangeRatesDetails_jsp._jspService~
32,530,148 : [TaintAnalyzer]: JSPPAGE._jsp_applicationmaintenance_CorpAdminFWFG._jspExchangeRates_jsp._jspService~
31,064,639 : [TaintAnalyzer]: JSPPAGE._jsp_applicationmaintenance_CorpAdminFWFG._jspFieldMaintenanceDetails_jsp._jspService~
30,002,702 : [TaintAnalyzer]: JSPPAGE._jsp_applicationmaintenance_CorpAdminFWFG._jspLanguagesDetails_jsp._jspService~
29,259,780 : ** running ** [TaintAnalyzer]: JSPPAGE._jsp_applicationmaintenance_CorpAdminFWFG._jspCurrencyHolidays_jsp._jspService~

[..]

[2020-10-06 04:05:48.650 DEBUG ]
Taint.FunctionAnalyzer: /jsp/applicationmaintenance/CorpAdminFWFG/CDCIControllerDetails.jsp/<static>(0)
MaxFilterIn: -1
MaxFilterOut: -1
logger:com.fortify.sca.analyzer.taint.FunctionAnalyzer marker:DEV thread:TaintAnalyzer-thread-63-209
MDC:{analyzer=TaintAnalyzer, msgId=-1, severity=LOG, sourceFunction=/jsp/applicationmaintenance/CorpAdminFWFG/CDCIControllerDetails.jsp/<static>(), step=TAINT_LOCAL} NDC:[]
[2020-10-06 04:05:48.661 WARN 20701]
AsynchronousSerializer got OutOfMemoryError. Falling back to synchronous mode.
logger:com.fortify.sca.util.serialization.BasicSerializer marker:USER thread:AsynchronousSerializer for ModelData.WriteToDatastore-thread-2-148
MDC:{msgId=20701, prefix=, severity=INTERNAL_WARNING, stderr=true} NDC:[]

Parents
  • Please try the following Fortify SCA setting to see that helps with the memory issue. If you are still experiencing memory issues please open a new case and supply a copy of the debug SCA logs using the following arguments eg -debug -logfile path\filename.log.

    Backup and modify Fortify_SCA_and_Apps_<ver>\Core\config\fortify-sca.properties file and add the following properties,

    #reduce limiters

    com.fortify.sca.limiters.MaxSink=256
    com.fortify.sca.limiters.MaxSource=256
    com.fortify.sca.limiters.MaxNodesForGlobal=256

    #disable HOA (High Order Analysis)

    com.fortify.sca.hoa.Enable=false
    com.fortify.sca.Phase0HigherOrder.Level=0
    com.fortify.sca.Phase0HigherOrder.Languages=""

    and leaving a thread for Garbage Collection by configuring the system environment variable "com.fortify.sca.ThreadCount".
    eg sourceanalyzer ... -Dcom.fortify.sca.ThreadCount=<AvailableProcessors - 1>

    where AvailableProcessors can be found by running an initial scan with -debug -logfile path\scan.log and reviewing the scan.log for AvailableProcessors and stop the scan immediately.

    eg

    VM Info
    OperatingSystemMXBean: Windows Server 2012 R2
    Arch: amd64
    AvailableProcessors: 4

    Then rerun the scan with the new thread count.

    eg sourceanalyzer ... -Dcom.fortify.sca.ThreadCount=3 -scan ...

Reply
  • Please try the following Fortify SCA setting to see that helps with the memory issue. If you are still experiencing memory issues please open a new case and supply a copy of the debug SCA logs using the following arguments eg -debug -logfile path\filename.log.

    Backup and modify Fortify_SCA_and_Apps_<ver>\Core\config\fortify-sca.properties file and add the following properties,

    #reduce limiters

    com.fortify.sca.limiters.MaxSink=256
    com.fortify.sca.limiters.MaxSource=256
    com.fortify.sca.limiters.MaxNodesForGlobal=256

    #disable HOA (High Order Analysis)

    com.fortify.sca.hoa.Enable=false
    com.fortify.sca.Phase0HigherOrder.Level=0
    com.fortify.sca.Phase0HigherOrder.Languages=""

    and leaving a thread for Garbage Collection by configuring the system environment variable "com.fortify.sca.ThreadCount".
    eg sourceanalyzer ... -Dcom.fortify.sca.ThreadCount=<AvailableProcessors - 1>

    where AvailableProcessors can be found by running an initial scan with -debug -logfile path\scan.log and reviewing the scan.log for AvailableProcessors and stop the scan immediately.

    eg

    VM Info
    OperatingSystemMXBean: Windows Server 2012 R2
    Arch: amd64
    AvailableProcessors: 4

    Then rerun the scan with the new thread count.

    eg sourceanalyzer ... -Dcom.fortify.sca.ThreadCount=3 -scan ...

Children
  • Sorry I scaled this down to using 1 thread (plus the garbage collection one).  Even though this showed a speedup in the first hour of the analysis, it keeps running for many hours again.

    Should I stop the attempts to scan JS files along with JSP files?

    00:52:33 "/var/jenkins_home/fortify/bin/sourceanalyzer" -Xmx21436M -verbose -debug -logfile "fortify/fortify-scan.log" -b "APP-VER" -64 -scan "-Dcom.fortify.sca.hoa.Enable=false" "-Dcom.fortify.sca.limiters.MaxSink=256" "-Dcom.fortify.sca.limiters.MaxSource=256" "-Dcom.fortify.sca.limiters.MaxNodesForGlobal=256" "-Dcom.fortify.sca.Phase0HigherOrder.Level=0" "-Dcom.fortify.sca.Phase0HigherOrder.Languages=" "-Dcom.fortify.sca.ThreadCount=1" -f "fortify/fortify-APP-VER.fpr" 00:52:36 Fortify Static Code Analyzer 20.1.1.0007 (using JRE 1.8.0_181) 00:52:39 Analyzing 1145 source file(s) 00:52:44 Unresolved variable: ~tmp~eltrans~16202 @ GeneralAdminHomePage.jsp:0 [...] 01:03:44 Unresolved variable: ~t71 @ materialize.js:3980 01:03:44 Unresolved variable: ~t78 @ materialize.js:5104 01:15:20 [warning]: Scan progress is slowing due to JVM garbage collection, which may indicate low memory or low cpu power allocated for GC. For details on making more memory or GC resources available, please consult the user manual. 03:42:01 [warning]: Scan progress is slow due to JVM garbage collection, which may indicate low memory or low cpu power allocated for GC. For details on making more memory or GC resources available, please consult the user manual. 03:43:11 [warning]: Scan progress is very slow due to JVM garbage collection, which may indicate low memory or low cpu power allocated for GC. For details on making more memory or GC resources available, please consult the user manual. 05:02:59 Configuration analysis complete 07:28:16 legacy nullpointer analyzer WILL be run 07:46:36 Function /jsp/crpadmin/CorpAdminFWFG/BankUserPersonalDetails.jsp/_jspService(/jsp/crpadmin/CorpAdminFWFG/BankUserPersonalDetails.jsp, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, javax.servlet.jsp.PageContext) is too complex for controlflow analysis and will be skipped. (time) 07:56:59 Function /jsp/applicationmaintenance/PageMaintenanceFG/PageMaintenanceLandingPage.jsp/_jspService(/jsp/applicationmaintenance/PageMaintenanceFG/PageMaintenanceLandingPage.jsp, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, javax.servlet.jsp.PageContext) is too complex for controlflow analysis and will be skipped. (time) 08:07:08 Function /jsp/corporateadministration/InquiryFWFG/FileFormatDefinitionDelDetails.jsp/_jspService(/jsp/corporateadministration/InquiryFWFG/FileFormatDefinitionDelDetails.jsp, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, javax.servlet.jsp.PageContext) is too complex for controlflow analysis and will be skipped. (time) 08:18:26 Function /jsp/bankuseradministration/BURoleUserMaintenanceFG/BURoleUserMappingList.jsp/_jspService(/jsp/bankuseradministration/BURoleUserMaintenanceFG/BURoleUserMappingList.jsp, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, javax.servlet.jsp.PageContext) is too complex for controlflow analysis and will be skipped. (time) 08:28:48 Function /jsp/applicationmaintenance/InquiryFWFG/CommonCodesDelDetails.jsp/_jspService(/jsp/applicationmaintenance/InquiryFWFG/CommonCodesDelDetails.jsp, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, javax.servlet.jsp.PageContext) is too complex for controlflow analysis and will be skipped. (time) 08:39:16 Function /jsp/user/PersonalModuleFG/PersonalHomePage.jsp/_jspService(/jsp/user/PersonalModuleFG/PersonalHomePage.jsp, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, javax.servlet.jsp.PageContext) is too complex for controlflow analysis and will be skipped. (time) 08:49:32 Function /jsp/usermaintenance/RMUserMaintenanceListFG/FBAUserMaintenanceDeleteStatus.jsp/_jspService(/jsp/usermaintenance/RMUserMaintenanceListFG/FBAUserMaintenanceDeleteStatus.jsp, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, javax.servlet.jsp.PageContext) is too complex for controlflow analysis and will be skipped. (time) 09:00:11 Function /jsp/applicationmaintenance/InquiryFWFG/AllowedUserDelDetails.jsp/_jspService(/jsp/applicationmaintenance/InquiryFWFG/AllowedUserDelDetails.jsp, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, javax.servlet.jsp.PageContext) is too complex for controlflow analysis and will be skipped. (time) 09:10:20 Function /jsp/applicationmaintenance/CorpAdminFWFG/NavigationOptions.jsp/_jspService(/jsp/applicationmaintenance/CorpAdminFWFG/NavigationOptions.jsp, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, javax.servlet.jsp.PageContext) is too complex for controlflow analysis and will be skipped. (time)