Add OWASP Top 10 2025 constants and GraphQL support for vulnerability filtering
What does this MR do and why?
Adds OWASP Top 10 2025 as a supported identifier standard for vulnerability filtering. This introduces the necessary constants, GraphQL enum type, resolver arguments, and Elasticsearch filter pipeline so users with advanced vulnerability management can filter vulnerabilities by OWASP 2025 category. The implementation follows the same pattern as the existing OWASP 2021 support.
References
Epic: gitlab-org#20026
Scanner side implementation: https://gitlab.com/gitlab-org/gitlab/-/work_items/595331
Screenshots or screen recordings
How to set up and validate locally
For the verification project we can use https://gitlab.com/gitlab-org/govern/threat-insights-demos/verification-projects/verify-owasp-top-10-grouping-flag-testing: fork or import the project, then run the pipeline on the main branch.
To verify vulnerabilitySeveritiesCount, use the below GraphQL query:
query {
  project(fullPath: "<your-project-path>") {
    vulnerabilitySeveritiesCount(owaspTopTen2025: [A01_2025, A02_2025, A03_2025, A04_2025, A05_2025, A06_2025, A07_2025, A08_2025, A09_2025, A10_2025]) {
      critical
      high
      info
      low
      medium
      unknown
    }
  }
}
Expected result: critical: 1, low: 9
To verify the vulnerabilities GraphQL API, use the below GraphQL query:
query {
  project(fullPath: "<your-project-path>") {
    vulnerabilities(owaspTopTen2025: [A01_2025, A02_2025, A03_2025, A04_2025, A05_2025, A06_2025, A07_2025, A08_2025, A09_2025, A10_2025]) {
      nodes {
        id
        identifiers {
          name
          externalType
        }
      }
    }
  }
}
Expected result: 10 vulnerability nodes, one per OWASP 2025 category, each with externalType: "owasp".
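As an added example (not code from this MR or from GitLab itself), the script below builds the two validation queries above with the project path passed as a GraphQL variable, can post them to an instance, and checks a response against the expected results. The /api/graphql endpoint, the read_api token scope, and the sample response contents are assumptions.

```python
"""Added example: build the MR's two OWASP 2025 validation queries and check
responses against the expected results. Sample responses are constructed."""
import json
import urllib.request

OWASP_2025 = [f"A{n:02d}_2025" for n in range(1, 11)]  # A01_2025 .. A10_2025
CATEGORIES = ", ".join(OWASP_2025)

# Severity counts and matching nodes, with the project path as a variable.
SEVERITIES_QUERY = f"""query($fullPath: ID!) {{
  project(fullPath: $fullPath) {{
    vulnerabilitySeveritiesCount(owaspTopTen2025: [{CATEGORIES}]) {{
      critical high info low medium unknown }} }} }}"""
VULNS_QUERY = f"""query($fullPath: ID!) {{
  project(fullPath: $fullPath) {{
    vulnerabilities(owaspTopTen2025: [{CATEGORIES}]) {{
      nodes {{ id identifiers {{ name externalType }} }} }} }} }}"""

def run_query(query, full_path, token, base_url="https://gitlab.com"):
    """POST a query to the GraphQL endpoint (assumed at <base_url>/api/graphql)."""
    body = json.dumps({"query": query, "variables": {"fullPath": full_path}}).encode()
    req = urllib.request.Request(f"{base_url}/api/graphql", data=body, method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def severity_mismatches(response, expected=None):
    """Return {severity: (got, expected)} for counts that differ; {} means pass."""
    expected = expected or {"critical": 1, "low": 9}  # MR's expected result; rest 0
    counts = response["data"]["project"]["vulnerabilitySeveritiesCount"]
    return {sev: (got, expected.get(sev, 0))
            for sev, got in counts.items() if got != expected.get(sev, 0)}

def node_problems(response, want=10):
    """Return findings; [] means `want` distinct nodes, each with an owasp identifier."""
    nodes = response["data"]["project"]["vulnerabilities"]["nodes"]
    problems = [f"{n['id']}: no owasp identifier" for n in nodes
                if not any(i["externalType"] == "owasp" for i in n["identifiers"])]
    if len({n["id"] for n in nodes}) != want:
        problems.append(f"expected {want} distinct nodes, got {len(nodes)}")
    return problems

# Constructed sample responses shaped like the MR's expected results.
SAMPLE_COUNTS = {"data": {"project": {"vulnerabilitySeveritiesCount": {
    "critical": 1, "high": 0, "info": 0, "low": 9, "medium": 0, "unknown": 0}}}}
SAMPLE_NODES = {"data": {"project": {"vulnerabilities": {"nodes": [
    {"id": f"gid://gitlab/Vulnerability/{i}",  # constructed ids and names
     "identifiers": [{"name": f"OWASP-{cat}", "externalType": "owasp"}]}
    for i, cat in enumerate(OWASP_2025, 1)]}}}}
```

To check a live project, call run_query(SEVERITIES_QUERY, "<your-project-path>", token) and pass the result to severity_mismatches, and likewise for VULNS_QUERY and node_problems.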
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #595079 (closed)