In a SonarQube instance I have defined an application portfolio and a view porfolio containing the same projects. Both porfolios have been refreshed recently.
I’ve noticed that reliability and security ratings are different even though the portfolios composition is identical.
You have not discovered a bug. What you have done is made an apples-and-oranges comparison.
An Application is a synthetic project, and as such it is treated, and graded like a project. The thinking is that an Application is made up of a group of projects that ship together - if one isn’t releasable, none are - but for whatever technical reasons the projects are all analyzed separately.
So, for a project, the Reliability and Security ratings are based on the severity of the worst issue. This means that somewhere in your group of projects is at least one Blocker Bug and at least one Blocker Vulnerability.
Portfolios, on the other hand are meant to be Executive overviews, and as such, they employ an averaging strategy. That’s why the ratings are better for your portfolio than for your application.
Out of curiosity, did you create both an application and a portfolio of the same set of projects just playing around, or is there some feature you really need from each?