SpotBugs: Run with Maven and share reportPaths, or configure the SpotBugs plugin and run with SonarQube

Hi guys, a quick question that we’ve been looking into for a while and haven’t been able to find an answer to.

Our team has been using SonarQube for a long time; we are using the Sonar way profiles and the recommended configurations.

For some time now we have been considering including the SpotBugs rules, basically the rules that come with the SonarQube SpotBugs plugin.

So the question is:
What would be the correct way to proceed? Use SpotBugs as a Maven plugin during the build process and share the generated analysis with SonarQube (with sonar.java.spotbugs.reportPaths), or create a new profile with the Sonar + SpotBugs rules added by the plugin and have the SpotBugs rules analyzed as part of the Sonar analysis?

The question is above all about knowing the most effective and maintainable way to proceed. Also, we have had slight differences in the results between one method and the other when testing.

Thank you very much for the time. All the best
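For readers weighing the first option, here is a minimal configuration of that approach. It is an added example, not from the poster's project or from either plugin's documentation; it assumes the spotbugs-maven-plugin writes its XML report to its default location, target/spotbugsXml.xml, and hands that path to the scanner through the sonar.java.spotbugs.reportPaths property named in the question (the plugin version is a placeholder).

```xml
<!-- pom.xml fragment (assumed example): run SpotBugs during the Maven build and
     let the SonarQube scanner import its XML report instead of re-running the rules. -->
<project>
  <!-- ... groupId, artifactId, version ... -->

  <properties>
    <!-- path, relative to the module, that the scanner reads SpotBugs findings from;
         target/spotbugsXml.xml is assumed to be the plugin's default report location -->
    <sonar.java.spotbugs.reportPaths>target/spotbugsXml.xml</sonar.java.spotbugs.reportPaths>
  </properties>

  <build>
    <plugins>
      <plugin>
        <groupId>com.github.spotbugs</groupId>
        <artifactId>spotbugs-maven-plugin</artifactId>
        <!-- placeholder: pin the release your build actually uses -->
        <version>PLUGIN_VERSION</version>
        <executions>
          <execution>
            <!-- the spotbugs goal needs compiled classes, so bind it after compile;
                 running it at verify means the report exists before sonar:sonar runs -->
            <id>spotbugs-report</id>
            <phase>verify</phase>
            <goals>
              <goal>spotbugs</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

With this in place a single `mvn verify sonar:sonar` (assumed invocation) produces the report and then imports it, so the two analyses in the question can be compared from the same build.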

Hi,

You don’t mention what the differences are between the two methods. It would be interesting to know the details of that.

I can’t say there’s a real preference in general, but I can throw out some facts that may help you make your own decision:

  • We have seen in the past that merely having the FindBugs/SpotBugs plugin on board lengthens analysis duration even if you’re not using any of the rules in your profile. I have no idea whether this is still the case, but at least in the past it seems that the plugin ran all its rules and then filtered the output based on which rules were included in the active Quality Profile. IMO that’s a point against the plugin.
  • If you do use the plugin, then you have its full rule description on board, which can lead to a better developer experience when trying to understand the issues SpotBugs raises.

HTH,
Ann

Hi Ann,

Thanks for the reply. Here are some details:
To add more context, both analyses are launched from the same job and the same machine; we only change the project names. The code in both projects is the same and only the pom.xml changes, since one of them indicates that it uses the SpotBugs Maven plugin.
We have also reviewed the exclusions and they do not apply to the project.

This is the overall code analysis:

[screenshot: running spotbugs on sonar]

[screenshot: running spotbugs on maven]

Looking at the bugs:

[screenshot: evidences spotbugs on sonar / Rules]

[screenshot: evidences spotbugs on maven / Rules]

The rule is in the profile:

Looking at code smells:

[screenshot: running spotbugs on sonar]

[screenshot: code smell not found in code]

[screenshot: running spotbugs on maven]

[screenshot: code smell found in code]

This is the rule:

In this example, they both find evidence for the same rule multiple times. In the example they even find it at other places in the same file, but on the line that I show in the image one does mark it as evidence and the other does not.

Anyway, we are going to continue testing with other projects to see if we get more information; we don’t know if it is something specific to this case. Then we will decide which option to implement.

Regards!


Hi,

Thanks for sharing your findings. They’re fascinating and I have no idea what would cause that! :sweat_smile:

It’s probably worth asking the Spotbugs maintainers about this discrepancy.

Ann