Spotbugs analyzer not converting general Kotlin vulnerabilities to GitLab SAST Report

Summary

Find-sec-bugs introduced general Kotlin coverage in their 1.9.0 release. While testing our current spotbugs analyzer, the vulnerabilities are detected and captured in the SpotBugs.xml file. However, /analyzer run is not converting the vulnerabilities from the XML file to the gl-sast-report.json.

Steps to reproduce

If we look at the sample below, /analyzer run will detect the vulnerabilities and relay that to SpotBugs.xml, but gl-sast-report.json is empty. If we run an explicit call /analyzer convert, then the vulnerabilities are converted.

include:
  - template: Security/SAST.gitlab-ci.yml

variables:
  SECURE_LOG_LEVEL: debug

spotbugs-sast:
  before_script:
    - cp exclude.xml ~/../spotbugs/exclude.xml
  rules:
    - if: $CI_COMMIT_BRANCH &&
          $SAST_DEFAULT_ANALYZERS =~ /spotbugs/
      exists:
        - '**/*.kt'

spotbugs-sast2:
  extends: spotbugs-sast
  script:
    - /analyzer run
    - cat /tmp/SpotBugs.xml
    # - /analyzer convert /tmp/SpotBugs.xml > gl-sast-report.json && cat gl-sast-report.json

Example Project

Sample project https://gitlab.com/jrandazzo-demo/kotlin-testing/fresh-general-kotlin-scanning

Possible fixes

It is suggested in this comment to add .kt to the regex under project.go.
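
A check for the symptom described under "Steps to reproduce", added here as an example and not part of the original issue or the analyzer's code: it counts the `BugInstance` entries in a SpotBugs XML file, groups them by source file extension, and flags the case where the XML has findings but the SAST report's `vulnerabilities` array is empty. The function name `compare` and the sample inputs are constructed for illustration.

```python
import json
import sys
import xml.etree.ElementTree as ET
from collections import Counter
from pathlib import PurePosixPath

# Constructed sample inputs, not taken from the project linked in the issue.
SAMPLE_SPOTBUGS_XML = """<BugCollection>
  <BugInstance type="PREDICTABLE_RANDOM" priority="2" category="SECURITY">
    <SourceLine classname="com.example.Token" sourcepath="Token.kt" start="12" end="12"/>
  </BugInstance>
  <BugInstance type="COMMAND_INJECTION" priority="1" category="SECURITY">
    <SourceLine classname="com.example.Runner" sourcepath="Runner.kt" start="30" end="31"/>
  </BugInstance>
</BugCollection>"""
SAMPLE_EMPTY_REPORT = '{"vulnerabilities": []}'


def compare(xml_text, report_text):
    """Compare SpotBugs XML findings with the entries in a GitLab SAST report."""
    by_ext = Counter()
    xml_count = 0
    for bug in ET.fromstring(xml_text).iter("BugInstance"):
        xml_count += 1
        line = bug.find("SourceLine")  # first source location of the finding
        path = line.get("sourcepath", "") if line is not None else ""
        by_ext[PurePosixPath(path).suffix or "(none)"] += 1
    report_count = len(json.loads(report_text).get("vulnerabilities", []))
    return {
        "xml_count": xml_count,
        "report_count": report_count,
        "by_extension": dict(by_ext),
        # The symptom in the issue: findings in the XML, none in the report.
        "silent_drop": xml_count > 0 and report_count == 0,
    }


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as x, open(sys.argv[2]) as r:
            result = compare(x.read(), r.read())
    else:
        result = compare(SAMPLE_SPOTBUGS_XML, SAMPLE_EMPTY_REPORT)
    print(json.dumps(result, indent=2))
    sys.exit(1 if result["silent_drop"] else 0)
```

Run against the job's own files by passing /tmp/SpotBugs.xml and gl-sast-report.json as the two arguments; a non-zero exit means the report is empty while the XML has findings.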