Description
Hello team, we have started using Inspector for a PoC to replace Snyk.
After scanning, we get a report where the count of vulnerabilities in the short report does not match the vulnerabilities in the long report.
For example:
On the screen, you can see:
Critical 2
High 2
Medium 7
Low 1
Other 5
But in the list of vulnerabilities, we saw only 1 Critical.
Is this a bug, or did we miss something?
We plan to fail the pipeline when the count of critical vulnerabilities is greater than 0, but in this case we always have 1 Critical vulnerability.
P.S. Question: we compared the vulnerabilities that are shown in the AWS Inspector console with what we get in the GitHub action pipeline, and those 2 lists do not match either.
In AWS Inspector we got:
3 Critical
5 High
10 Medium
For example, vulnerabilities CVE-2023-42282 and MAL-2022-4691 did not show up in the pipeline report.
Does AWS Inspector use different types of scanning? Can we achieve the same report in both tools?