After upgrading to 5.5 version and now the latest (5.6) SonarQube always shows the issues I create through my plugin as "Code Smell". I would like to know more about the categorization and how can I add them as other types ("Vulnerability" and "Bug"). The code where I create the issues is as follows:

Issuable issuable = this.resourcePerspectives.as(Issuable.class,  inputFile);
    if (issuable != null) {
        Issue issue = issuable.newIssueBuilder()
            .ruleKey(activeRule.ruleKey())
            .line(vulnerability.getLine())
            .message(someMessage)
            .severity(severity)
            .build();

            issuable.addIssue(issue))
    } //...

Current support for bugs and vulnerabilities is a "creative implementation" (read "hack") based on tags. So, add the "bug" tag to your rule and its issues will be raised as bugs. Add the "security" tag to a rule and its issues will be raised as vulnerabilities.

Rules with both "bug" and "security" tags will be treated as bug rules.

For future reference, this mechanism is expected to change in the "near" future, but there's currently no schedule for it.

Edit

The current (6.1) version of the API provides the ability to simply declare rule type.