# Importing third-party issues
This page lists analysis parameters related to the import of issues raised by external, third-party analyzers. If your analyzer isn’t on this page, see the [generic-issue-import-format](https://docs.sonarsource.com/sonarqube-server/9.9/analyzing-source-code/importing-external-issues/generic-issue-import-format "mention") for a generic way to import external issues. You can also import [importing-issues-from-sarif-reports](https://docs.sonarsource.com/sonarqube-server/9.9/analyzing-source-code/importing-external-issues/importing-issues-from-sarif-reports "mention").
SonarQube doesn’t run your external analyzers or generate reports. It only imports pre-generated reports. Below you’ll find language- and tool-specific analysis parameters for importing reports generated by external analyzers.
We recommend checking out the [guides](https://community.sonarsource.com/c/clean-code/guides/22) category of the [SonarSource community forum](https://community.sonarsource.com/), where you might find instructions on generating these reports.
## Importing reports from third-party tools
Some properties support the following wildcards in paths. The remarks for properties that support wildcards will mention that fact. If the remarks do not say wildcards are supported, then they are not.:
| **Symbol** | **Meaning** |
| ---------- | ------------------------- |
| `?` | a single character |
| `*` | any number of characters |
| `**` | any number of directories |
### List of properties
Unless otherwise specified, the following properties accept both absolute paths and paths relative to the project root.
| **Language** | **Property** | **Remarks** |
| ------------ | ------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Apex | `sonar.apex.pmd.reportPaths` | Comma-delimited list of paths to [PMD Apex](https://pmd.sourceforge.io/pmd-5.5.7/pmd-apex/rules/index.html) |
| CSS | `sonar.css.stylelint.reportPaths` | Comma-delimited list of paths to [StyleLint.io](https://stylelint.io/) reports |
| Go | `sonar.go.govet.reportPaths` | Comma-delimited list of paths to [GoVet](https://golang.org/cmd/vet/) reports |
| Go | `sonar.go.golint.reportPaths` | Comma-delimited list of paths to [GoLint](https://github.com/golang/lint) reports |
| Go | `sonar.go.gometalinter.reportPaths` | Comma-delimited list of paths to [GoMetaLinter](https://github.com/alecthomas/gometalinter) reports |
| Go | `sonar.go.golangci-lint.reportPaths` | Comma-delimited list of paths to golangci-lint reports in checkstyle format (use --out-format checkstyle golangci-lint option).
Depending on how many issues you’re importing, you might want to disable the max-issues-per-linter option in your golangci config file.
|
| Go | `sonar.externalIssuesReportPaths` | Comma-delimited list of paths to [gosec](https://github.com/securego/gosec) reports in SonarQube format (use `-fmt=sonarqube` gosec option). Note: this property is the one from the [generic-issue-import-format](https://docs.sonarsource.com/sonarqube-server/9.9/analyzing-source-code/importing-external-issues/generic-issue-import-format "mention") |
| Java | `sonar.java.spotbugs.reportPaths` | Comma-delimited list of paths to reports from [SpotBugs](https://spotbugs.github.io/), FindSecBugs, or FindBugs |
| Java | `sonar.java.pmd.reportPaths` | Comma-delimited list of paths to reports from [PMD](http://maven.apache.org/plugins/maven-pmd-plugin/usage.html) |
| Java | `sonar.java.checkstyle.reportPaths` | Comma-delimited list of paths to reports from [Checkstyle](http://maven.apache.org/plugins/maven-checkstyle-plugin/checkstyle-mojo) |
| JavaScript | `sonar.eslint.reportPaths` | Comma-delimited list of paths to JSON [ESLint](https://eslint.org/) reports (use `-f json` ESLint option) |
| Kotlin | `sonar.androidLint.reportPaths` | Comma-delimited list of paths to AndroidLint reports |
| Kotlin | `sonar.kotlin.detekt.reportPaths` | Comma-delimited list of paths to [Detekt](https://github.com/arturbosch/detekt) reports |
| Kotlin | `sonar.kotlin.ktlint.reportPaths` | Comma-delimited list of paths to [Ktlint](https://ktlint.github.io/) reports |
| PHP | `sonar.php.psalm.reportPaths` | Comma-delimited list of paths to [Psalm](https://github.com/vimeo/psalm) reports. Reports should be generated in the G [generic-issue-import-format](https://docs.sonarsource.com/sonarqube-server/9.9/analyzing-source-code/importing-external-issues/generic-issue-import-format "mention") (run Psalm with the option `--output-format sonarqube`). |
| PHP | `sonar.php.phpstan.reportPaths` | Comma-delimited list of paths to [PHPStan](https://phpstan.org/) reports. Reports should be generated in the [PHPStan JSON Output Format](https://phpstan.org/user-guide/output-format) (use the PHPStan `analyse` command with the option `--error-format=json`). |
| Python | `sonar.python.pylint.reportPaths` | Comma-delimited list of paths to [Pylint](http://www.pylint.org/) reports (use `--output-format=parseable`[Pylint option](https://docs.pylint.org/en/1.6.0/output.html)) |
| Python | `sonar.python.bandit.reportPaths` | Comma-delimited list of paths to [Bandit](https://github.com/PyCQA/bandit/blob/master/README.rst) reports |
| Python | `sonar.python.flake8.reportPaths` | Comma-delimited list of paths to [Flake8](https://flake8.pycqa.org/en/latest/) reports |
| Ruby | `sonar.ruby.rubocop.reportPaths` | Comma-delimited list of paths to [Rubocop](https://github.com/rubocop-hq/rubocop) reports |
| Scala | `sonar.scala.scalastyle.reportPaths` | Comma-delimited list of paths to [Scalastyle](http://www.scalastyle.org/) reports |
| Scala | `sonar.scala.scapegoat.reportPaths` | Comma-delimited list of paths to [Scapegoat](https://github.com/sksamuel/scapegoat) reports in the **Scalastyle format** |
| Swift | `sonar.swift.swiftLint.reportPaths` | Comma-delimited list of paths to [SwiftLint](https://github.com/realm/SwiftLint) reports in JSON format |
| TypeScript | `sonar.typescript.tslint.reportPaths` | Comma-delimited list of paths to [TSLint](https://palantir.github.io/tslint/) reports in JSON format (use `-t json` TSLint option) |
## External .NET issues
Issues from third-party Roslyn analyzers (including Roslyn analyzers provided by Microsoft) are included in the MSBuild output and imported by default into SonarQube so no properties exist to enable that behavior. Instead, properties are available to adjust the import and to *stop* importing those issues.
| **Language** | **Property** | **Remarks** |
| ------------ | ---------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------- |
| C# | `sonar.cs.roslyn.ignoreIssues` | Set to `true` to disable import of external issues. Defaults to `false`. |
| C# | `sonar.cs.roslyn.bugCategories``sonar.cs.roslyn.vulnerabilityCategories``sonar.cs.roslyn.codeSmellCategories` | Comma-delimited list of categories whose issues should be classified as Bugs, Vulnerabilities, or Code Smells. |
| VB.NET | `sonar.vbnet.roslyn.ignoreIssues` | Set to `true` to disable import of external issues. Defaults to `false`. |
| VB.NET | `sonar.vbnet.roslyn.bugCategories``sonar.vbnet.roslyn.vulnerabilityCategories``sonar.vbnet.roslyn.codeSmellCategories` | Comma-delimited list of categories whose issues should be classified as Bugs, Vulnerabilities, or Code Smells. |
Note that Roslyn issues with an *error* severity automatically fail the build. We don’t recommend running the Scanner for MSBuild’s end step if the MSBuild step fails for any reason because it will result in an essentially empty analysis.
## Limitations
External issues have two important limitations:
* They cannot be managed within SonarQube; for instance, there is no ability to mark them as false positives.
* The activation of the rules that raise these issues cannot be managed within SonarQube. External rules are not visible on the Rules page or reflected in any quality profile.