You may notice that the number of projects (and, as a result, the number of dependencies and vulnerabilities) is sometimes displayed differently depending on whether you import a Java Maven project from your Source Code Management (SCM) solution or from the CLI / CI.
This is expected behavior, not a bug.
In the example below, the project called mvc is the parent pom.xml, which uses some sub modules: core, web-common and web-struts.
When they are scanned from the CLI or CI, the Snyk CLI generates 4 projects. The todolist-mvc project also includes the dependencies of its sub modules.
The screenshot above was obtained by running snyk monitor --all-projects
In the CLI, because --all-projects is used, each pom.xml is treated as a separate project. We rely on the Maven engine to resolve the dependency tree and do not support modules as a concept.
The parent pom.xml is also scanned and contains its modules:
The SCM scan goes through every pom.xml individually, skipping the parent one. So for this example, only 3 projects are found in SCM.
This is why, although the same dependencies and issues have been scanned by both integrations, we see more projects and almost twice as many issues with the CLI integration.
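The counting difference described above can be modeled in a few lines. This is an added example, not Snyk's code: the POM contents, the issue ids and the function names are constructed for illustration, and it assumes a single level of modules under the parent.

```python
import posixpath
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
POM = '<project xmlns="http://maven.apache.org/POM/4.0.0">{}</project>'

# Constructed sample: a parent pom.xml with three modules, as in the page's example.
SAMPLE_POMS = {
    "pom.xml": POM.format(
        "<artifactId>todolist-mvc</artifactId><packaging>pom</packaging>"
        "<modules><module>core</module><module>web-common</module>"
        "<module>web-struts</module></modules>"),
    "core/pom.xml": POM.format("<artifactId>core</artifactId>"),
    "web-common/pom.xml": POM.format("<artifactId>web-common</artifactId>"),
    "web-struts/pom.xml": POM.format("<artifactId>web-struts</artifactId>"),
}
# Constructed issue ids per module (placeholders, not real advisories).
SAMPLE_ISSUES = {
    "core/pom.xml": {"ISSUE-A", "ISSUE-B"},
    "web-common/pom.xml": {"ISSUE-C"},
    "web-struts/pom.xml": {"ISSUE-B", "ISSUE-D"},
}

def module_poms(path, poms):
    """Paths of the pom.xml files listed under <modules> in the POM at `path`."""
    root = ET.fromstring(poms[path])
    base = posixpath.dirname(path)
    return [posixpath.join(base, m.text.strip(), "pom.xml")
            for m in root.findall("m:modules/m:module", NS)]

def compare(poms, issues):
    """Model both integrations as the page describes them (one module level)."""
    parents = {p: module_poms(p, poms) for p in poms if module_poms(p, poms)}
    per_project = {p: set(issues.get(p, ())) for p in poms}
    for parent, children in parents.items():
        # The parent project also carries its sub modules' dependencies and issues.
        for child in children:
            per_project[parent] |= per_project.get(child, set())
    scm = [p for p in poms if p not in parents]   # SCM: parent pom.xml skipped
    cli = list(poms)                              # --all-projects: every pom.xml
    return {
        "cli_projects": len(cli),
        "scm_projects": len(scm),
        "cli_issues": sum(len(per_project[p]) for p in cli),
        "scm_issues": sum(len(per_project[p]) for p in scm),
        "unique_issues": len(set().union(*per_project.values())),
    }

if __name__ == "__main__":
    print(compare(SAMPLE_POMS, SAMPLE_ISSUES))
```

When reconciling the two views, compare the unique issue count rather than the per-project totals, since the parent project repeats what its sub modules already report.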