Instead of omitting the property or producing an empty list, SpotBugs creates a list containing null when no taxonomies apply:

{
  "version": "2.1.0",
  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
  "runs": [
    {
      ....
      "taxonomies": [
        null
      ]
    }
  ]
}

This goes against the corresponding SARIF spec and will be marked as an error by the validator.
Therefore, SARIF parsers may be thrown off by this null value as they expect the list to be filled with valid toolComponent objects.