Analyse new\updated code only for dotnet projects


We have setup pull request analysis for C# .Net code. It is observed old code(unmodified) is being considered for analysis which is not expected, this is blocking us from using quality gates.

The new code condition is set based on the “number of days” condition which is set to 1.

Even then we PR/short branch analysis reports issues that are present in old code (which are not updated\edited as part of the pull request), because of this issue we are unable to enable quality gates.

Following tasks are used in azure devops pipeline:

  1. Prepare analysis for sonar cloud
  2. Run code analysis
  3. Publish quality gate result
  • ALM used: Git in Azure DevOps
  • CI system used Azure DevOps
  • Scanner command used when applicable (private details masked)
  • Languages of the repository: C# .Net

Hello @santhoshyalamuri,

First of all I would like to emphasis that the new code period configuration has no effect on PR analysis or Short Lived Branches (SLB). On a PR or SLB the new code is all the code that’s introduced in the PR/SLB whether it was yesterday or several days ago. Setting your new code period to 1 day has no effect on PR/SLB, it only has effect on Long Lived Branches.

Now you mention that issues may be raised on old code (not taking into account the new code period). There are a certain number of corner cases where this can happen, for instance a change in the new code can create an issue in old code even if that code was not modified.
Could you send me a screenshot of an issue that you think is erroneously reported as a new issue ? Please provide a full screen screenshot of the issue with all the project and branch details from the top banner



Hi Olivier,

Thanks for the information. We have resolved this issue.

The exclude files settings were different for PR analysis when compared to main branch analysis.


Hi Oliver,

We have found one instance where even though the code is not modified in the PR, the vulnerability is identified as found in the new code.

Secondly, this vulnerability is not identified in the Main branch.

Below is the screenshot:

In my understanding, the modified code in PR is highlighted in yellow, but not for this case. Secondly, this vulnerability is not listed in the Main branch analysis.


Hello Santosh,

Indeed the new code is highlighted with yellow background, but as I explained in my previous post you can have rare corner cases where some issues in old code are raised in a PR.
The screenshot that you provide is too tiny for me to tell if that is one of these corner cases, can you provide a full screen screenshot of the vulnerability so that I can see if that can explain the case.

Also you stated that the issue is not raised on the main branch. Would you confirm that the code of that main branch was analyzed with the same version of SonarQube as the PR (ie there was no SonarQube upgrade in between) ?

Hi Oliver,

Please find the screen shots:

Yes, the Main branch was analyzed with the same version of the sonar cloud.