
Discrepancy between group's projects API and group vulnerabilities endpoint

Summary

There is a discrepancy between the group projects API and the group vulnerabilities endpoint (and possibly the Vulnerabilities API as well) in which projects are considered to have vulnerabilities. The former relies on security report artifacts still existing (artifacts can eventually be removed, for instance when they expire), while the latter relies on the vulnerability records in the database.

This manifests in the Group Security Dashboard as vulnerabilities being listed for projects that do not appear in the projects filter dropdown:

[screenshot: gsd_missing_projects]

The crux is that the dropdown is populated from the group's projects API called with the with_security_reports=true parameter, which returns:

only projects that have security report artifacts present in any of their builds. This means “projects with security reports enabled”.

However, the group vulnerabilities endpoint returns the vulnerabilities recorded for each project's default branch, i.e. it reads from the database, regardless of whether the report artifacts that produced them still exist.
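To make the mismatch concrete, here is an added Ruby example (not code from this issue or from GitLab itself) that diffs the two data sources offline. Both responses are constructed samples, and the field names read from them (id, path_with_namespace, and a nested project object on each vulnerability) are assumptions about the response shape, not a statement of the real API contract:

```ruby
require 'json'

# Constructed sample of GET /groups/:id/projects?with_security_reports=true.
# Only the two fields this script reads are included; the shape is assumed.
PROJECTS_WITH_REPORTS_JSON = <<~JSON
  [
    { "id": 11, "path_with_namespace": "secure-team-test/app-one" },
    { "id": 12, "path_with_namespace": "secure-team-test/app-two" },
    { "id": 14, "path_with_namespace": "secure-team-test/app-four" }
  ]
JSON

# Constructed sample of the group vulnerabilities endpoint. The nested
# "project" object on each finding is an assumed shape for illustration.
GROUP_VULNERABILITIES_JSON = <<~JSON
  [
    { "id": 101, "severity": "high",
      "project": { "id": 11, "path_with_namespace": "secure-team-test/app-one" } },
    { "id": 102, "severity": "medium",
      "project": { "id": 12, "path_with_namespace": "secure-team-test/app-two" } },
    { "id": 103, "severity": "critical",
      "project": { "id": 13, "path_with_namespace": "secure-team-test/app-three" } },
    { "id": 104, "severity": "low",
      "project": { "id": 13, "path_with_namespace": "secure-team-test/app-three" } }
  ]
JSON

# Projects the dropdown offers: those whose report artifacts still exist.
# Returns { project_id => path_with_namespace }.
def projects_with_reports(json)
  JSON.parse(json).each_with_object({}) do |project, acc|
    acc[project.fetch('id')] = project.fetch('path_with_namespace')
  end
end

# Projects the dashboard lists findings for: those with vulnerability rows
# in the database. Returns { project_id => { path:, count: } }.
def projects_with_vulnerabilities(json)
  JSON.parse(json).each_with_object({}) do |vuln, acc|
    project = vuln.fetch('project')
    entry = acc[project.fetch('id')] ||= { path: project.fetch('path_with_namespace'), count: 0 }
    entry[:count] += 1
  end
end

# The bug described above: projects present in the vulnerability list but
# absent from the dropdown, sorted by project id for stable output.
def missing_from_dropdown(projects_json, vulns_json)
  dropdown = projects_with_reports(projects_json)
  projects_with_vulnerabilities(vulns_json)
    .reject { |id, _| dropdown.key?(id) }
    .map { |id, e| { id: id, path: e[:path], vulnerability_count: e[:count] } }
    .sort_by { |e| e[:id] }
end

# The opposite direction: artifacts present but no vulnerability rows
# (for example a scan that produced no findings). Not a bug, but it shows
# that the two sources answer different questions.
def reports_without_vulnerabilities(projects_json, vulns_json)
  with_vulns = projects_with_vulnerabilities(vulns_json)
  projects_with_reports(projects_json)
    .reject { |id, _| with_vulns.key?(id) }
    .map { |id, path| { id: id, path: path } }
    .sort_by { |e| e[:id] }
end

if __FILE__ == $PROGRAM_NAME
  missing_from_dropdown(PROJECTS_WITH_REPORTS_JSON, GROUP_VULNERABILITIES_JSON).each do |e|
    puts "#{e[:path]} (id #{e[:id]}): #{e[:vulnerability_count]} vulnerabilities listed, not in dropdown"
  end
end
```

Against real endpoints both responses are paginated, so the same comparison would have to be run over all pages of each before diffing; comparing a single page of each will produce false positives.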

Steps to reproduce

  1. Visit this Group Security Dashboard: https://staging.gitlab.com/groups/secure-team-test/-/security/dashboard
  2. See that not all projects with listed vulnerabilities appear in the projects dropdown.

Example Group

https://staging.gitlab.com/groups/secure-team-test/-/security/dashboard

What is the current bug behavior?

Not all projects that have vulnerabilities listed on the dashboard appear in the projects filter dropdown.

What is the expected correct behavior?

Every project that has vulnerabilities listed on the dashboard appears in the projects filter dropdown.

Relevant logs and/or screenshots

[screenshot: gsd_missing_projects, as shown above]

cc @leipert @vzagorodny