NOTE This feature requires SQ 7.2+ and SonarJava 5.6+.
Import of SpotBugs, FindSecBugs, fb-contrib Reports
SonarJava allows to import into SonarQube/SonarCloud issues generated by SpotBugs™. Because SpotBugs™ and FindBugs™ share the same output format, it's also possible to import reports from FindBugs and its extensions (FindSecBugs™, fb-contrib™). Please refer to the SpotBugs or FindSecBugs documentations to know how to generate the issues reports.
Once you have the report generated, you need to feed the property "sonar.java.spotbugs.reportPaths". This property accepts one or more SpotBugs reports, paths to report files should be absolute or relative to the project base directory.
Using spotbugs-maven-plugin, the default name of the report is spotbugsXml.xml
Using findbugs-maven-plugin, the default name is findbugsXml.xml
Because FindSecBugs, fb-contrib are extensions of SpotBugs, their issues are included in the file generated for SpotBugs issues. There is no specific file for them.