SAST on Java application doesn't show errors

We are evaluating SAST for scanning Java applications.

I’m starting with a simple hello world application with some added bugs
that spotbugs finds running by hand (i.e. an empty catch(Exception){} block).

The analysis runs and seems to generation a json result file artifact, …

Using docker image sha256:b9c8eb2f34e0a5853850cc845f191a848da1087678defb3fee7a6781d34aa672 for with digest ... $ /analyzer run [INFO] [Find Security Bugs] [2021-09-01T18:58:13Z] ▶ GitLab Find Security Bugs analyzer v2.28.5 [INFO] [Find Security Bugs] [2021-09-01T18:58:13Z] ▶ Detecting project [INFO] [Find Security Bugs] [2021-09-01T18:58:13Z] ▶ Found project in /builds/root/helloworldant [INFO] [Find Security Bugs] [2021-09-01T18:58:13Z] ▶ Running analyzer [INFO] [Find Security Bugs] [2021-09-01T18:58:13Z] ▶ Found Ant project in /builds/root/helloworldant directory [INFO] [Find Security Bugs] [2021-09-01T18:58:13Z] ▶ Found 1 analyzable projects. [INFO] [Find Security Bugs] [2021-09-01T18:58:13Z] ▶ Building Ant project at /builds/root/helloworldant. [INFO] [Find Security Bugs] [2021-09-01T18:58:14Z] ▶ Project built. [INFO] [Find Security Bugs] [2021-09-01T18:58:18Z] ▶ SpotBugs analysis succeeded for /builds/root/helloworldant! [INFO] [Find Security Bugs] [2021-09-01T18:58:18Z] ▶ Creating report Uploading artifacts for successful job 00:03 Uploading artifacts... gl-sast-report.json: found 1 matching files and directories Uploading artifacts as "sast" to coordinator... ok id=220 responseStatus=201 Created token=j95pbAKJ

The Security Compliance/Vulnerability Report page shows it's been updated due
to the build, but all the categories show 0 vulnerabilities.  There should have been
at least two, because running spotbugs by hand shows the errors.

Any ideas what I'm doing wrong?

Thanks in advance,