Spotbugs report ingested into SonarQube

Must-share information (formatted with Markdown):

  • SonarQube Version: Enterprise Edition v2025.2
  • how is SonarQube deployed: zip
  • what are you trying to achieve: Verifying that SpotBugs reports are being ingested
  • what have you tried so far to achieve this: We have set up the sonar-scanner to input the report path via -Dsonar.java.spotbugs.reportPath= and we can verify that the file exists. We see Sonar Scanner picking up the SpotBugs report and ingesting it via the terminal output. How do you verify that the findings from SpotBugs have been ingested into SonarQube? We would think we could go to a file that was flagged in SpotBugs and see the finding in SonarQube, but we cannot see it on the specified line.

Hi,

That’s a reasonable assumption. What do you see? Also, have you browsed the Issues tab?

 
Ann

Here is an example:

File A has a finding from SpotBugs on line 58 and the finding is categorized as “Bad Practice toString method may not return null”. In our pipeline we have SpotBugs executed and we save off the output XML file. Then we call Sonar Scanner as mentioned above. In the Scanner output I see

INFO: Sensor Import of SpotBugs issues [java]
INFO: Importing
INFO: Sensor Import of SpotBugs issues [java] (done) | time=63ms

I then go to SonarQube and look at the Project → Branch → Issues Tab and filter on File A. There are other findings on File A, just nothing on the lines that SpotBugs flagged.

The command options we are using for SpotBugs are “-longBugCodes -low -applySuppression -xml:withMessages -output ”

Hi,

Can you provide the analysis log, please?

The analysis / scanner log is what’s output from the analysis command. Hopefully, the log you provide - redacted as necessary - will include that command as well.

This guide will help you find them.

 
Thx,
Ann

The log is on a disconnected system, so I copied parts of it that I think are applicable. Let me know if you need more.

<path to sonarscanner> -Dsonar.host.url=<URL for SonarQube> -Dsonar.token=**** -Dsonar.java.binaries=./bin -Dsonar.java.libraries=<path to other libraries> -Dsonar.projectKey=<project-key> -Dsonar.projectName=<project-name> -Dsonar.sources=./src -Dsonar.projectVersion=2.0 -Dsonar.scm.provider=git -Dsonar.projectBaseDir=. -Dsonar.qualitygate.wait=true -Dsonar.branch.name=<branch name> -X -Dsonar.exclusions=**.html -Dsonr.coverage.jacoco.xmlReportPaths=<path to xml directory> -Dsonar.java.spotbugs.reportPaths=<path to spotbugs xml>
INFO: SonarScanner 5.0.1.3006
INFO: Java 17.0.7 Eclipse Adoptium (64-bit)
INFO: Linux <version> amd64
INFO: Analyzing on SonarQube server 2025.2.0.105476
DEBUG: JVM max available memory: 3 GB
INFO: Load/download plugins
INFO: Load/download plugins (done) | time=77ms
DEBUG: Plugins not loaded because they are optional: [abap, sonarapex, architecture, architecturejavafrontend, csharpenterprise, cpp, cfamilydependencies, cobol, dart, dbd, dbdjavafrontend, dbdpythonfrontend, flex, geoenterprise, web, jcl, javasymbolicexecution, java, javascript, kotlin, php, pli, plsql, python, rpg, ruby, sonarscala, swift, tsql, vbnetenterprise, vb, security, securitycsharpfrontend, securityjsfrontend, securityjavafrontend, securityphpfrontend, securitypythonfrontend, xml]
DEBUG: Plugins loaded:
DEBUG:   * Text Code Quality and Security 2.21.1.5779 (textenterprise)
DEBUG:   * Clean as You Code 2.4.0.2018 (cayc)
DEBUG:   * JaCoCo 1.3.0.1538 (jacoco)
DEBUG:   * IaC Code Quality and Security 1.44.0.14670 (iacenterprise)
DEBUG:   * IaC Code Quality and Security 1.44.0.14670 (iac)
INFO: Loaded core extensions: developer-scanner, sca, server-common
DEBUG: Installed core extension: developer-scanner
DEBUG: Installed core extension: sca
DEBUG: Installed core extension: server-common
INFO: 1 language detected in 52 preprocessed 
INFO: 16 files ignored because of inclusion/exclusion patterns
INFO: 0 files ignored because of scm ignore settings
INFO: Loading plugins for detected langauages
DEBUG: Detected languages: [java]
INFO: Load/download plugins
INFO: Load/download plugins (done) | time=89ms
DEBUG: Optional language-specific plugins not loaded: [adap, sonarapex, csharpenterprise, cpp, cfamilydependencies, cobol, dart, dbdpythonfrontend, flex, goenterprise, web, jcl, javascript, kotlin, php, pli, plsql, python, rpg, ruby, sonarscala, swift, tsql, vbetenterprise, vb, securitycsharpfrontend, securityjsfrontend, securityphpfrontend, securitypythonfrontend, xml]
DEBUG: Plugins loaded: 
DEBUG:   * Vulnerability Rules for Java 11.1.0.35630
DEBUG:   * Vulnerability Analysis 11.1.0.35630 (security)
DEBUG:   * Java Code Quality and Security 8.11.0.38440 (java)
DEBUG:   * Dataflow Bug Detection 1.36.1.13250 (dbd)
DEBUG:   * Architecture and Design Rules for Java 1.9.0.4841 (architecturejavafrontend)
DEBUG:   * Dataflow Bug Detection Rules for Java 1.36.1.13250 (dbdjavafrontend)
DEBUG:   * Java Advanced Code Quality Analyzer 8.11.0.38440 ( javasymbolicexecution)
DEBUG:   * Architecture Analysis 1.9.0.4841 (architecture) 
INFO: Load metrics repository (done) | time=19ms
DEBUG: Registered check: [ClassCastCheck (javabugs:S6320), ExceptionReachabilityCheck (javabugs:S6416), InfiniteRecursionCheck (javabugs:S2190), UnsupportedMethodCheck (javabugs:S6322), CollectionModifiedDuringIterationCheck (javabugs:S6417), JavaIndexErrorCheck (javabugs:S6466)]
DEBUG: Sensors : JavaSensor -> JaCoCo XML Report Importer -> Java Config Sensor -> ThymeLead template sensor -> Import of SpotBugs issues -> SurefireSensor -> IaC Docker Sensor -> Serverless configuration file sensor -> AWS SAM template file sensor -> AWS SAM Inline template file sensor -> javabugs -> pythonbugs -> EnterpriseTextAndSecretsSensor -> JavaSecuritySensor -> CSharpSecuritySensor -> PhpSecurityScanner -> PythonSecurityScanner -> JsSecuritySensor -> KotlinSecuritySensor
INFO: Sensor JavaSensor [java]
DEBUG: Property 'sonar.java.jdkHome' resolved with:
[]
DEBUG: Property 'sonar.java.libraries' resolved with:
[<path to other libraries>]

INFO: Sensor Import of SpotBugs issues [java]
INFO: Importing <path to xml> 
DEBUG: Unexpected missing 'BugCollection/Project/SrcDir/text()'.
DEBUG: Unexpected missing 'BugCollection/Project/SrcDir/text()'.
DEBUG: Unexpected missing 'BugCollection/Project/SrcDir/text()'.
DEBUG: Unexpected missing 'BugCollection/Project/SrcDir/text()'.
DEBUG: Unexpected missing 'BugCollection/Project/SrcDir/text()'.
...
INFO: Sensor Import of SpotBugs issues [java] (done) time=34ms

Could it be the format of the SpotBugs XML?
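As an added example (not code from the thread, from SonarSource, or from SpotBugs), here is a small pre-flight check that mirrors the element path named in the debug message, BugCollection/Project/SrcDir, and lists each BugInstance with the file and line SonarQube would need to place it. The two report strings are constructed samples; the bug type and paths in them are illustrative, not taken from the poster's file.

```python
"""Inspect a SpotBugs XML report before handing it to sonar-scanner."""
import xml.etree.ElementTree as ET


def inspect_report(xml_text: str) -> dict:
    """Return source dirs, per-finding locations and structural problems found."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    problems = []
    if root.tag != "BugCollection":
        problems.append(f"root element is <{root.tag}>, expected <BugCollection>")
    # This is the path the importer's debug line says is missing.
    srcdirs = [e.text for e in root.findall("Project/SrcDir") if e.text]
    if not srcdirs:
        problems.append("missing BugCollection/Project/SrcDir")
    findings = []
    for bug in root.findall("BugInstance"):
        # The BugInstance's own SourceLine child carries the primary file/line;
        # the ones nested under <Class> and <Method> are secondary locations.
        line = bug.find("SourceLine")
        if line is None or line.get("start") is None:
            problems.append(f"BugInstance {bug.get('type')} has no usable SourceLine")
            continue
        findings.append({
            "type": bug.get("type"),
            "category": bug.get("category"),
            "path": line.get("sourcepath"),
            "line": int(line.get("start")),
        })
    return {"srcdirs": srcdirs, "findings": findings, "problems": problems}


# Constructed sample reports (assumed shapes, not the poster's attachment).
GOOD_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<BugCollection version="4.8.0" sequence="0">
  <Project projectName="demo"><SrcDir>/work/demo/src</SrcDir></Project>
  <BugInstance type="NP_TOSTRING_COULD_RETURN_NULL" priority="2" category="BAD_PRACTICE">
    <Class classname="com.example.A"><SourceLine classname="com.example.A"/></Class>
    <SourceLine classname="com.example.A" start="58" end="58"
                sourcefile="A.java" sourcepath="com/example/A.java"/>
  </BugInstance>
</BugCollection>"""

BAD_REPORT = GOOD_REPORT.replace(
    '<Project projectName="demo"><SrcDir>/work/demo/src</SrcDir></Project>',
    '<Project projectName="demo"/>')

if __name__ == "__main__":
    for name, report in (("good", GOOD_REPORT), ("bad", BAD_REPORT)):
        print(name, inspect_report(report))
```

Run it against the real report path given to sonar.java.spotbugs.reportPaths; an empty `problems` list plus a finding at the expected path and line is what you would want to see before looking for the issue in the Issues tab.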

Hi,

What language is this for? Based on this:

It looks like we’re not talking about Java? SpotBugs import is only supported for Java.

 
Ann

It's a Java project that has XML files and some HTML scattered throughout. We are really only concerned about SpotBugs.

Hi,

Okay, I’ve gone further in the log. I suppose the Java is in a different module.

What does this mean to you?

 
Ann

No clue. I was thinking maybe our SpotBugs version is not outputting a field in the XML that you all are expecting. I thought maybe that was your plugin throwing the debug statement.

Hi,

Can you share the xml file you’re trying to import?

 
Thx,
Ann

Here is an example of the format

<?xml version="1.0" encoding="UTF-8"?>

Hi,

I’m asking for the file. Feel free to redact it as necessary.

 
Ann

I can't send the file, so I was trying to give you the format of what is being exported, and it didn't post correctly. So attached is the example file.
spotbugs-output.txt (2.0 KB)

Hi,

Well, it looks like your sample file, at least, isn't in the expected format.

 
HTH,
Ann

That is what I was expecting to hear based upon the debug log. We probably have an older version of SpotBugs. Should the scanner have said there was an error parsing instead of just saying it was complete in the non-debug output?

Hi,

I think it’s designed to recover from individual errors and continue parsing the rest of the file.

 
HTH,
Ann