First, your version is past EOL. You should upgrade to either the latest version or the current LTS at your earliest convenience. Your upgrade path is:
8.7.1 → 8.9.2 → 9.1 (last step optional)
Regarding your actual question, I notice a few things in your analysis parameters:
The variable is named “source directory”. Is there really a “Sources” directory inside the “source directory”, or is this pathing off?
Since Pods doesn’t appear to be inside Sources, there’s no reason to exclude it. (Tangential, but worth mentioning.)
The place to specify this is not in your analysis parameters but in the server.
We also ran into this bitrise issue, and found the solution(or workaround). Our case was with Bitbucket Server though.
Simply put, prepending origin/ to sonar.pullrequest.base solved our issue.
The reason is in bitrise merge behavior.
Bitrise checkout your base branch first and then merge target branch into base branch.
As you might guess now, on bitrise, base branch == target branch.
sonar-scanner cannot create diff between them, since they are identical, and eventually you got empty results. However, if you add origin/, even if bitrise local behavior is same as the case without origin, sonar-scanner is supposed to compare local target branch with remote base branch which is not merged yet, hence you will get correct results. You might wonder if it’s ok to have origin/ hardcoded, but I think it’s OK, since even bitrise-clone-step also hardcodes origin here and there.
I am not sure if this bitrise checkout is a bug or an intentional behavior. Correct me if I am wrong.
if you are still struggling with this issue, I hope my answer helps you move forward.