You’ll have to provide some more details. What notification did you receive, and what the discrepancy? Additional information like screenshots are invaluable here.
We have email notifications enabled in SonarQube, which basically shows the # of bugs, vulnerabilities and code smells identified in the scan. This email notification had the vulnerability count as 0, however One security vulnerability was identified in the sonar scan, the vulnerability is " XML parsers should not be vulnerable to XXE attacks".