SonarCloud PR analysis considers the entire class including old code

We’ve just started to use SonarCloud in our existing project.
Sonar analysis is invoked as part of a Jenkins CI pipeline using sonar-maven-plugin and analyses GitHub pull requests to the ‘master’ branch.
In our Jenkins CI, the sonar-maven-plugin phase is configured to pick up the already built and packaged Maven project (and not to perform a dedicated mvn clean package as part of the Sonar phase).
The “New Code” configuration for the project is set to “Previous version”.

We noticed that SonarCloud PR analysis reports code smells, vulnerabilities, reliability and security gates failures for the entire class including old code.
Since our project has a lot of legacy code we get hundreds of violations reported for a single PR while only a few lines of code were changed.
This makes it significantly harder for our developers to focus only on new code, since they need to identify the violations related to their new lines and address them.

I would expect SonarCloud to report violations only on existing code and ignore ones that are found in old code which hasn’t been changed for years.

Is that how SonarCloud works or do we have some kind of a misconfiguration?

Hey there.

We’ve had a few recent reports of New Code not being detected correctly in Jenkins pipelines (for analyses targeting SonarCloud).

In the context of a multibranch pipeline, you may need to make sure your configuration is sound. I’ll quote the documentation from SonarQube (unfortunately we don’t have this same kind of documentation for SonarCloud)

Configuring Multibranch Pipeline jobs for Pull Request Decoration

You need to configure your Multibranch Pipeline job correctly to avoid issues with Pull Request decoration. From your Multibranch Pipeline job in Jenkins, go to Configure > Branch Sources > Behaviors.

For Bitbucket and GitHub, under Discover pull requests from origin, make sure The current pull request revision is selected.

Can you check to see how this is configured today?

Hello Colin, and thanks for replying to my post.
I’m glad to inform you (and everyone who is interested to learn more about the issue) that it seems like the issue is resolved.
When I set up and activated a nightly Jenkins job that triggered a SonarCloud scan on the ‘master’ branch, the issue disappeared.
It seems like SonarCloud uses the ‘master’ analysis report in order to differentiate between old vs new issues in PR analysis.

Is that right?
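To make the two kinds of analysis discussed in this thread concrete (a pull request analysis on each PR build, and a separate branch analysis of ‘master’ that the PR analysis is compared against), here is a declarative Jenkinsfile written as an added illustration. It is not code from the original poster's pipeline or from SonarSource. The SonarQube Scanner for Jenkins installation name (‘SonarCloud’), the Maven tool name, and the organization and project keys are assumptions; the sonar.pullrequest.* and sonar.branch.name analysis parameters and the CHANGE_ID / CHANGE_BRANCH / CHANGE_TARGET / BRANCH_NAME variables that Jenkins multibranch pipelines expose are real.

```groovy
// Added illustration, not from the thread. A Jenkins multibranch pipeline that
// builds the Maven project once and then hands the already built project to
// sonar-maven-plugin, selecting PR or branch analysis from the Jenkins environment.
// Installation name, tool name, organization and project keys are assumptions.
pipeline {
  agent any
  tools { maven 'maven-3' }                  // assumed Maven tool name in Jenkins
  environment {
    SONAR_ORG     = 'my-org'                 // assumed SonarCloud organization key
    SONAR_PROJECT = 'my-org_my-project'      // assumed SonarCloud project key
  }
  stages {
    stage('Build') {
      steps {
        // Build and test once. The Sonar stage reuses these artefacts rather than
        // running its own mvn clean package, matching the setup in the question.
        sh 'mvn -B verify'
      }
    }
    stage('Sonar analysis') {
      steps {
        // withSonarQubeEnv injects SONAR_HOST_URL and the token of the SonarQube
        // Scanner for Jenkins installation with this (assumed) name.
        withSonarQubeEnv('SonarCloud') {
          script {
            // CHANGE_ID, CHANGE_BRANCH and CHANGE_TARGET are only set by Jenkins for
            // pull request builds; BRANCH_NAME is set for PRs and branches alike.
            def sonarArgs
            if (env.CHANGE_ID) {
              // Pull request analysis: issues are reported only where the PR differs
              // from its target branch, so the target (e.g. master) needs an analysis
              // of its own on SonarCloud to be compared against.
              sonarArgs = "-Dsonar.pullrequest.key=${env.CHANGE_ID} " +
                          "-Dsonar.pullrequest.branch=${env.CHANGE_BRANCH} " +
                          "-Dsonar.pullrequest.base=${env.CHANGE_TARGET}"
            } else {
              // Branch analysis, e.g. the nightly job on master from the thread.
              sonarArgs = "-Dsonar.branch.name=${env.BRANCH_NAME}"
            }
            // Fully qualified goal so no <pluginGroup> entry in settings.xml is needed.
            sh """
              mvn -B org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \\
                -Dsonar.organization=${env.SONAR_ORG} \\
                -Dsonar.projectKey=${env.SONAR_PROJECT} \\
                ${sonarArgs}
            """
          }
        }
      }
    }
  }
}
```

A nightly build of ‘master’ through this same pipeline takes the else branch and produces the branch analysis that SonarCloud diffs PRs against; without it, a PR has no reference and every issue in the touched files appears as new. The project-level “New Code” setting (“Previous version” in the question) governs what counts as new on a branch analysis, not on a pull request, where the baseline is the target branch.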