We are using SonarQube in an existing maven-multimodule environment, for open source project Hipparchus.
There are spotbugs exclude filters in each module, see for example clustering exclude filter, core exclude filter and several others. All these filters are declared in the Administration → Java → Findbugs → Exclude filters as shown here:
However, this does not seem to work. As an example, this storage of a mutable array is identified as a code smell, despite it is configured to be ignored in the exclude file. It is intentional, documented, and already configured for other checkers too (for example there is a PMD comment at the start of the method). When the maven site is generated, spotbugs does obey the exclude files (as shown by the spotbugs report), so their syntax is expected to be good. Only SonarQube does not obey the exclusion files.
I think at least some exclusions are considered because the project analysis is still good (everything set to A and only 40 code smells for a decade old project with more than 100k lines). However, those 40 code smells really belong to the exclusions we set up. They are all known, intentional, and well documented, so I am annoyed as I fear that when a new one that is not intentional creeps in it gets unnoticed, hidden by the 40 ones we can’t silence.