OWASP Top 10 grouping not displaying correct results on the group-level report page

We have enabled the grouping feature for the gitlab-org group with the feature flag group_level_vulnerability_report_grouping, and the OWASP Top 10 feature is also enabled with the feature flag vulnerability_owasp_top_10_group.
After enabling them, we noticed a bug: the vulnerabilities displayed and the severity counts for each group-by category show wrong results.
See: https://gitlab.com/groups/gitlab-org/-/security/vulnerabilities/?groupBy=owasp_2017
This issue seems to happen only on the group-level report page; the project-level report page works fine, as verified at https://gitlab.com/gitlab-org/security-products/sast-rules/-/security/vulnerability_report/?groupBy=owasp_2017
Investigated cause
1. The GraphQL API controller is receiving the argument owaspTopTen, and we are able to observe the variable owaspTopTen available in the #execute_query method. The resolvers (here and here) are not receiving the params (args) argument with the owaspTopTen key; it looks to be removed between the graphql_controller and the resolver classes.
2. The query templates used by the frontend do not include the owaspTopTen argument for the group-level report queries.
Steps to reproduce
- Create a group locally.
- Import a project by URL and call it project-a. Import the project from https://gitlab.com/gitlab-org/govern/threat-insights-demos/verification-projects/verify-owasp-top-10-grouping.
- Into the same group, import the above project again by URL and call it project-b.
- Run the CI/CD pipeline on the main branch; it will create the vulnerabilities for both projects.
- Now visit the group-level report page http://localhost:3000/groups//security/vulnerability_report/?groupBy=owasp_2017 and you will be able to notice the bug.