Here is what happened:
A team renamed a file in a pull request.
The file contains a vulnerability and the decorator adds a comment to the PR.
The team ignores the comment and completes the PR.
On the SonarCloud page for the project’s master branch, the New code section does not display a vulnerability.
To be honest, I think there is a case to make for each behavior (“rename does not mean new code” vs “rename does mean new code”) but not one behavior in one place, and the other behavior in another place.