Use SpotBugs Plugin on SonarQube

The SpotBugs SonarQube Plugin uses major SpotBugs plugins such as fb-contrib and Find Security Bugs. However, if you want to use another SpotBugs plugin, you need to build your own SonarQube plugin. For detailed requirements on SonarQube plugins, see the SonarQube official guidelines.

Create Maven Project

Follow the interaction in the SonarQube official guidelines. It is recommended to use sub-modules, to manage both the SpotBugs plugin and the SonarQube plugin in one project. You can refer to this module as an example.

You also need to configure the sonar-packaging-maven-plugin, to make your plugin depend on the SpotBugs SonarQube Plugin. For instance, if you’re using SonarQube 6.7 LTS, your plugin requires SpotBugs SonarQube Plugin version 3.7, so your configuration should be like below:


Generate rules.xml

SonarQube doesn’t understand the Bug Pattern metadata provided for SpotBugs, so we need to convert findbugs.xml and messages.xml to the SonarQube format named rules.xml.

If your SpotBugs plugin isn’t complex, you can simply introduce the SonarQube rule xml generator Maven Plugin to generate rules.xml. Follow the interaction described in its README.


Your should load the generated rules.xml to the FindBugs repository.

When you create a NewRepository instance, use FindbugsRulesDefinition.REPOSITORY_KEY as the repository key, and do _not_ rename it by calling NewRepository#setName(String). It is necessary to fulfill the requirement from SonarQube API. Here is an example:

public void define(Context context) {
  NewRepository repository =
      context.createRepository(FindbugsRulesDefinition.REPOSITORY_KEY, Java.KEY);

  RulesDefinitionXmlLoader ruleLoader = new RulesDefinitionXmlLoader();

Update should be a simple implementation that just loads your RulesDefinition class. Here is an example:

public void define(Context context) {

Deploy onto SonarQube

mvn package will generate a .jar file that works as a SonarQube plugin. Follow the SonarQube official guidelines to deploy it onto SonarQube.

Note that you need to enable new rules manually in your SonarQube profile, or newly added rules will not be used at analysis.