I analyze with maven and I developed my own tool to detect vulnerabilities and this export a proper file for sonar.externalIssuesReportPaths but when analyze with none doenst have a problem but with maven is the problem I see unknown files. This is the message:
You would need to make sure that these files are indexed by the Maven scanner.
You can update <sonar.sources> in your pom.xml to include other directories (it defaults to src/main/java). You can include multiple, comma separated directories.