You might have seen discrepancies between the number of issues shown in the Reporting Beta compared to your CLI/SCM scans.
Here's the explanation why:
In our new beta reporting we show the highest level of granularity for issues. This means that if a vulnerability is introduced to a Project through multiple dependency versions (for OS and Container), we count these as separate issues.
In other parts of our application, we generally aggregate these and only count these as 1 issue. There are tradeoffs/benefits to each approach.
We expect this to be temporary as we have ongoing work to launch a new v3 issues API. As part of this work, we'll be ensuring consistency of counting issues across the platform, while preserving the ability to see the granular details of an issue at its lowest level.
Update
On April 27th, Snyk updated the grouping of issues in our new reports to better align with the way issues are grouped in the Snyk Projects pages and the API.
This will allow customers to focus on the prioritization and remediation of issues with improved consistency across the platform.
Customers using Snyk Open Source and Container will see fewer issues in reporting after the change, as the paths by which an issue is introduced will no longer be counted separately.