Vuln metrics not aligned between /v1/metrics/project and /v1/finding/project #3169
Unanswered
calderonth asked this question in Q&A
Replies: 0 comments
Hello!
Using DT 4.8.2.
I am a bit puzzled as to how a project's metrics are calculated.
Essentially, when accessing the UI the project-level vulnerability metrics reported are retrieved using the /v1/metrics/project/{uuid} endpoint. Now when I attempt to correlate this to the actual finding endpoint at /v1/finding/project, I am unable to align the two data points. There is something happening that makes the numbers not align.
I am aware that there are possible duplications for different versions of a component affected by the same CVE and also duplications for given GitHub advisories, but still, when trying to cater for those, my numbers do not align.
Is there a document that clearly explains the logic for the metrics calculation?
A parallel can be made when trying to correlate the top-level metrics to the Audit Vulnerabilities tab; it makes the data difficult to use when there isn't a commonly agreed method to display the data in the UI and API.
Can someone shed some light?