It's complaining about the abstract keyword. This is really a SonarQube issue, since it doesn't seem to properly support this Solidity syntax. You should raise this issue to them.
There is no need to vendor OpenZeppelin into your contracts directory, though. If you want, you can pin @openzeppelin/contracts to a particular version in your package.json, and it's not going to become a mess like you mentioned. I would not recommend pinning, though, because if we release a security patch you would not get it.