Spotbugs configuration for sonarcloud.io

I have a project set up on sonarcloud, and have been able to build my maven multi-module project and then upload the results to sonarcloud for scanning by using:

mvn sonar:sonar \
  -Dsonar.projectKey=planetf1_egeria \
  -Dsonar.organization=planetf1-github \
  -Dsonar.host.url=https://sonarcloud.io \
  -Dsonar.login=XXXXXX

Recently I wanted to extend our build to run spotbugs (with additional security rules). I’ve done this and now generate many spotbugsXml.xml files which contain these bug finds.

In my sonarcloud configuration I went to administration/external analyzers and added the filepath ‘**/spotbugsXml.xml’ to sonar.java.spotbugs.reportPaths.

However after rerunning my sonar script (which I could integrate into maven also) I see the same results as usual - I am unsure where to look for these new findBugs bugs? The xml files from my maven build do contain issues.

I also tried adding ‘-Dsonar.java.spotbugs.reportPaths="**/spotbugsXml.xml"’ to the command above, but it didn’t seem to help.

Am I missing/misunderstanding how this should work?

1 Like

From https://sonarcloud.io/documentation/analysis/external-issues/ it seems wildcards aren’t supported?

With 260 modules, and no way for spotbugs to (apparently) create a single report file for a multi module project I’m struggling a little to see how we can have the tools working together? – at least when done conventionally in maven by module (vs running the scan externally or perhaps with maven-exec-plugin so that there’s a single instance/file)

The answer appears to simply be to use target/spotbugsXml.xml as the parameter value.
Using this approach my reports were uploaded.

3 Likes
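An added example, not part of the original thread: a pre-upload check that walks a multi-module Maven tree and reports, per module, whether a SpotBugs report exists at target/spotbugsXml.xml and how many findings it holds by category. The function names, the sample tree and the sample report contents are constructed for illustration, and the script assumes the path is resolved against each module's own directory.

```python
"""Check which Maven modules have a SpotBugs report at target/spotbugsXml.xml."""
import tempfile
import xml.etree.ElementTree as ET
from collections import Counter
from pathlib import Path

# Path from the thread; assumed to be resolved against each module's directory.
REPORT_PATH = Path("target") / "spotbugsXml.xml"


def summarize_reports(project_root):
    """Map each module (directory holding a pom.xml) to a Counter of
    BugInstance categories, or to None when the module has no report."""
    root = Path(project_root)
    summary = {}
    for pom in sorted(root.rglob("pom.xml")):
        if "target" in pom.relative_to(root).parts:
            continue  # skip copies of pom.xml inside build output
        module = pom.parent
        report = module / REPORT_PATH
        name = module.relative_to(root).as_posix()
        if not report.is_file():
            summary[name] = None
            continue
        bugs = ET.parse(report).getroot().iter("BugInstance")
        summary[name] = Counter(b.get("category", "UNKNOWN") for b in bugs)
    return summary


def build_sample_tree(project_root):
    """Constructed sample: a parent pom, module-a with a report, module-b without."""
    root = Path(project_root)
    for module in (root, root / "module-a", root / "module-b"):
        module.mkdir(parents=True, exist_ok=True)
        (module / "pom.xml").write_text("<project/>")
    target = root / "module-a" / "target"
    target.mkdir()
    (target / "spotbugsXml.xml").write_text(
        "<BugCollection>"
        '<BugInstance type="SQL_INJECTION_JDBC" category="SECURITY"/>'
        '<BugInstance type="NP_NULL_ON_SOME_PATH" category="CORRECTNESS"/>'
        "</BugCollection>"
    )


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for name, counts in summarize_reports(tmp).items():
            print(name, "MISSING" if counts is None else dict(counts))
```

A module mapped to None has no report to upload, while an empty Counter means the report exists but contains no BugInstance elements.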