DependencyTrack / fortify-ssc-plugin

Plugin for Fortify Software Security Center (SSC) that can import Dependency-Track results

Home Page: https://dependencytrack.org/

Fortify synch even with no new issues

nhouck opened this issue · comments

Issues are synched to Fortify on the schedule even if no new scans or issues are found. This clogs up the Fortify system with repeated analysis result upload activity even though nothing changed.

Can this be enhanced to only synch if there are new issues or new OSS modules found (if OSS tab synch becomes reality)?

It syncs on a schedule because new vulnerabilities can be identified even if the component inventory does not change. Ideally, both the freshness of component inventory and a schedule would be taken into consideration. That's not how DT is designed today. Pull requests are encouraged.
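As an added illustration of the gating described in the reply above (sync when the component inventory or the findings change, but still sync on a schedule so that newly identified vulnerabilities on an unchanged inventory are not lost), here is a Python sketch. It is not code from the fortify-ssc-plugin project; the `Finding` and `SyncState` types, the `should_sync` and `run_scheduled_sync` functions, the `upload` callback, and the sample Package URLs and vulnerability identifiers are all constructed for this example.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    """One vulnerability reported against one component (constructed shape, not the plugin's model)."""
    purl: str      # component identity, e.g. a Package URL
    vuln_id: str   # vulnerability identifier as reported by the scanner


@dataclass
class SyncState:
    """What the exporter remembers between scheduled runs."""
    last_fingerprint: Optional[str] = None
    last_sync: Optional[datetime] = None


def fingerprint(components: Iterable[str], findings: Iterable[Finding]) -> str:
    """Order-independent digest of the component inventory plus the findings on it.

    A new or removed component, or a newly identified vulnerability on an unchanged
    component, changes the digest; re-running the same scan with the same results
    does not.
    """
    payload = {
        "components": sorted(set(components)),
        "findings": sorted({(f.purl, f.vuln_id) for f in findings}),
    }
    canonical = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


def should_sync(state: SyncState, components: Iterable[str], findings: Iterable[Finding],
                now: datetime, max_interval: timedelta) -> Tuple[bool, str]:
    """Decide whether this scheduled run should upload, and why."""
    current = fingerprint(components, findings)
    if state.last_sync is None or state.last_fingerprint is None:
        return True, "first sync"
    if current != state.last_fingerprint:
        return True, "inventory or findings changed"
    if now - state.last_sync >= max_interval:
        # Safety net: even with no visible change, push on the long schedule.
        return True, "max interval elapsed"
    return False, "nothing changed"


def run_scheduled_sync(state: SyncState, components: List[str], findings: List[Finding],
                       now: datetime, max_interval: timedelta,
                       upload: Callable[[List[str], List[Finding]], None]) -> Tuple[bool, str]:
    """One scheduled tick: upload only when should_sync says so, then record the state."""
    do_sync, reason = should_sync(state, components, findings, now, max_interval)
    if do_sync:
        upload(components, findings)  # hypothetical callback standing in for the SSC upload
        state.last_fingerprint = fingerprint(components, findings)
        state.last_sync = now
    return do_sync, reason


def demo() -> List[Tuple[bool, str]]:
    """Constructed scenario: four scheduled ticks against the same two components."""
    uploads: List[int] = []
    state = SyncState()
    max_interval = timedelta(hours=24)
    t0 = datetime(2024, 1, 1, 0, 0)
    comps = ["pkg:maven/org.example/lib-a@1.0", "pkg:maven/org.example/lib-b@2.1"]  # constructed
    findings = [Finding(comps[0], "EXAMPLE-VULN-1")]                                # constructed
    results = []

    def upload(_c, _f):
        uploads.append(1)

    # tick 1: nothing recorded yet -> upload
    results.append(run_scheduled_sync(state, comps, findings, t0, max_interval, upload))
    # tick 2: identical scan one hour later -> skip
    results.append(run_scheduled_sync(state, comps, findings, t0 + timedelta(hours=1), max_interval, upload))
    # tick 3: same inventory, but a new vulnerability on lib-b -> upload
    findings = findings + [Finding(comps[1], "EXAMPLE-VULN-2")]
    results.append(run_scheduled_sync(state, comps, findings, t0 + timedelta(hours=2), max_interval, upload))
    # tick 4: unchanged, but 24h since the last upload -> upload on the schedule
    results.append(run_scheduled_sync(state, comps, findings, t0 + timedelta(hours=26), max_interval, upload))
    assert len(uploads) == 3
    return results


if __name__ == "__main__":
    for decision, reason in demo():
        print(decision, reason)
```

The fingerprint covers findings as well as components on purpose: the reply's point is that the inventory alone is not enough, because the scanner can attach new vulnerabilities to components that have not changed. The maximum interval keeps a periodic upload even when nothing differs, which is the behaviour the issue complains about, but now only once per interval rather than on every tick.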

DependencyTrack is showing more vulnerabilities, but the Fortify dashboard shows fewer vulnerabilities for DEPENDENCY_TRACK. What is the reason for the mismatch?