You may notice that the number of projects, and consequently the number of dependencies and vulnerabilities, is reported differently when you import a Java Maven project from your Source Code Management (SCM) integration than when you run the CLI `snyk monitor` command from the command line or from CI. This is expected behavior, not a bug.
In the example that follows, the project called mvc is the parent pom.xml, which aggregates three sub-modules: core, web-common, and web-struts.
When the files are scanned from the Snyk CLI (command line or CI), four projects are generated. The todolist-mvc project also includes the dependencies of its sub-modules, as shown in the following screenshot obtained after running `snyk monitor --all-projects`.
In the CLI, because of the `--all-projects` option, each pom.xml is treated as a separate project. Snyk relies on the Maven engine to resolve each dependency tree and has no notion of Maven modules as a concept of its own.
The parent pom.xml is also scanned and contains its modules as shown in the following screenshot:
The SCM scan processes every pom.xml individually and skips the parent one. So for this example, the SCM integration finds only three projects.
This is why, although the same dependencies and issues have been scanned by both integrations, this example shows more projects and almost twice as many issues through the CLI integration: the parent project's resolved tree repeats the dependencies (and therefore the issues) of its sub-modules.
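To make the counting model concrete, here is an added illustration (not Snyk code, and it does not call Snyk) that mimics the two behaviours described above on a constructed multi-module layout: every pom.xml is a project for the CLI, with the parent's resolved tree folding in its modules' dependencies, while the SCM import skips the parent. The pom.xml contents, the `com.example` coordinates and the "known vulnerable" set are all constructed for the example.

```python
"""Added illustration of why `snyk monitor --all-projects` and an SCM import
report different project and issue counts for a Maven multi-module build.

Constructed for this example; it is not Snyk code and does not call Snyk.
It only reproduces the counting behaviour described on the page:
  * CLI: every pom.xml is a project, and the parent's resolved tree
    contains its sub-modules' dependencies as well as its own.
  * SCM: each module pom.xml is a project; the parent pom.xml is skipped.
"""
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
XMLNS = 'xmlns="http://maven.apache.org/POM/4.0.0"'


def _dep(group, artifact, version):
    return (f"<dependency><groupId>{group}</groupId><artifactId>{artifact}"
            f"</artifactId><version>{version}</version></dependency>")


# Constructed sample layout: parent "mvc" aggregating core, web-common, web-struts.
# Each module has one module-specific dependency plus one shared one.
POMS = {
    "pom.xml": f"""<project {XMLNS}><artifactId>mvc</artifactId>
  <packaging>pom</packaging>
  <modules><module>core</module><module>web-common</module>
  <module>web-struts</module></modules></project>""",
    "core/pom.xml": f"""<project {XMLNS}><artifactId>core</artifactId>
  <dependencies>{_dep("com.example", "lib-core", "1.0")}
  {_dep("com.example", "lib-shared", "2.0")}</dependencies></project>""",
    "web-common/pom.xml": f"""<project {XMLNS}><artifactId>web-common</artifactId>
  <dependencies>{_dep("com.example", "lib-web", "1.0")}
  {_dep("com.example", "lib-shared", "2.0")}</dependencies></project>""",
    "web-struts/pom.xml": f"""<project {XMLNS}><artifactId>web-struts</artifactId>
  <dependencies>{_dep("com.example", "lib-struts", "1.0")}
  {_dep("com.example", "lib-shared", "2.0")}</dependencies></project>""",
}

# Constructed "findings": pretend these three coordinates carry one issue each.
VULNERABLE = {
    ("com.example", "lib-core", "1.0"),
    ("com.example", "lib-web", "1.0"),
    ("com.example", "lib-struts", "1.0"),
}


def parse_pom(xml_text):
    """Extract artifactId, declared <modules> and direct dependencies from a pom."""
    root = ET.fromstring(xml_text)
    deps = [
        (d.findtext("m:groupId", namespaces=NS),
         d.findtext("m:artifactId", namespaces=NS),
         d.findtext("m:version", namespaces=NS))
        for d in root.findall("m:dependencies/m:dependency", NS)
    ]
    return {
        "artifact": root.findtext("m:artifactId", namespaces=NS),
        "modules": [m.text for m in root.findall("m:modules/m:module", NS)],
        "deps": deps,
    }


def resolved_dependencies(poms, path, aggregate_modules):
    """Dependencies resolved for one pom.xml.

    With aggregate_modules=True (the CLI case on the parent pom) the
    sub-modules' dependencies are folded into the parent's tree, which is
    what produces the duplicated issues; with False only the pom's own
    dependencies count.
    """
    pom = parse_pom(poms[path])
    deps = set(pom["deps"])
    if aggregate_modules:
        base = path[: -len("pom.xml")]  # "" for the root pom, "core/" for a module
        for module in pom["modules"]:
            deps |= resolved_dependencies(poms, f"{base}{module}/pom.xml", True)
    return deps


def scan(poms, vulnerable, mode):
    """Return {project_path: issue_count} as the 'cli' or 'scm' integration would."""
    results = {}
    for path, xml_text in poms.items():
        is_parent = bool(parse_pom(xml_text)["modules"])
        if mode == "scm" and is_parent:
            continue  # the SCM import skips the parent pom.xml entirely
        deps = resolved_dependencies(poms, path, aggregate_modules=(mode == "cli"))
        results[path] = sum(1 for d in deps if d in vulnerable)
    return results


def summarize(results):
    return {"projects": len(results), "issues": sum(results.values())}


if __name__ == "__main__":
    for mode in ("cli", "scm"):
        per_project = scan(POMS, VULNERABLE, mode)
        print(mode, summarize(per_project), per_project)
```

Running it yields four projects and six issues for the CLI model against three projects and three issues for the SCM model: the parent's tree contributes every vulnerable dependency a second time, which is exactly the near doubling described above. When comparing counts between the two integrations, compare the module projects only, or expect the parent project to mirror its modules.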