A SonarQube analysis of a PR is, by definition, only the new code – only the code you want to merge. Once you’ve performed the merge, you can analyze the target branch using branch analysis to get the full picture, but this can’t be done as part of the PR analysis.
I hope this clarifies; let me know if you need more details.
Before we purchased a license, we used Sonar 7.6 community with a plugin from GitHub. So there was a property sonar.gitlab.all_issues that covered my case. I don’t understand why the GitHub plugin works better than the newest licensed instance.
Can you zip up the scanner-side logs from the scan of the MR and post them? Feel free to redact any sensitive data. Could you also post a screenshot of the vulnerability on that line of code as shown in the branch scan?