Question
Why may scanning a CycloneDX BOM produce more vulnerabilities than a scan using the CLI?
Explanation
When you scan a CycloneDX BOM of an application you may see vulnerabilities reported for files that are not present in your application. The BOM scan result includes the vulnerabilities for all files included in the packages listed in the BOM. In some cases this may include dependent components which might not actually be present in the scanned application.
Scanning with the CLI only reports vulnerabilities that are associated with files scanned in your application. This may produce a more precise result.
When you scan by BOM, the match goes against the entire package, so all files in it are considered. When you scan by CLI only the files actually scanned are considered.
References
https://help.sonatype.com/en/cyclonedx.html
https://help.sonatype.com/en/cyclonedx-rest-api.html