Some issues are not included in Security Reports after analysis, it display inside the Not OWASP group even they are tagged as owasp-a1...10 as screenshot below.
Security Reports are only fed by a few analyzers. As of now: SonarJava, SonarC#, SonarTSQL, SonarSwift, SonarKotlin.
Coming soon, SonarPLSQL, SonarRuby and SonarScala will also feed the Security Reports.
Release after release, we make the analyzers compatible with this new feature introduced with SQ 7.3