The scanner pulls the analyzers (plugins) from the SonarQube server, which in your case includes GitHub - spotbugs/sonar-findbugs: SpotBugs plugin for SonarQube, which somebody would have manually installed.
The scanner pulls the analyzers (plugins) from the SonarQube server, which in your case includes GitHub - spotbugs/sonar-findbugs: SpotBugs plugin for SonarQube, which somebody would have manually installed.