Non-security updates sometimes reported as security/critical updates

Created on 24 August 2023, about 1 year ago
Updated 27 November 2023, 12 months ago

Problem/Motivation

Sporadically, drush nagios starts reporting every installed module as NOT SECURE, and drush nagios-updates security outputs every module.

(This has been ongoing since we upgraded to Drupal 9, but I only just got around to investigating properly.)

I have tracked this down to a bug in StatuspageController. It is sporadic because the update status is cached by Drupal, so it only happens when (1) the cache expires, and then (2) the Nagios check runs before the cron job does its own update check.

Steps to reproduce

$ drush eval "Drupal::service('keyvalue.expirable')->get('update')->delete('update_project_data')"
$ drush nagios-updates security
drupal
ckeditor
# (etc.)

If you then visit /admin/reports/updates, it will clear the cache and trigger Drupal's own update check, which then caches the correct values and makes it work again:

$ drush nagios-updates security
# (no output)

Proposed resolution

I believe the cause is these two lines in StatuspageController::buildModuleList():

    $tmp_projects = update_calculate_project_data(\Drupal::service('update.manager')
      ->getProjects());

The function is being passed the list of installed projects, when it expects the list of available updates. The two lists are similar, but in the former case $project['project_status'] = TRUE/FALSE (meaning enabled/uninstalled), whereas $project['project_status'] = 'published'/'insecure'/etc. in the latter. Then this code in Drupal core is executed:

    switch ($available['project_status']) {
      case 'insecure':
        $project_data['status'] = UpdateManagerInterface::NOT_SECURE;

And because TRUE == 'insecure' is truthy, the status is set to UpdateManagerInterface::NOT_SECURE for every project.
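To make the loose-comparison pitfall concrete, here is a small stand-alone PHP script added here as an illustration; it is not code from the Nagios module or from Drupal core. The NOT_SECURE/CURRENT constants, the classify functions and the two project arrays are constructed stand-ins for the real UpdateManagerInterface values and for what getProjects() and update_get_available() return.

```php
<?php
// Constructed demo of the loose-comparison bug described above.
// Not Drupal core or Nagios module code; constants and data are made up.

const NOT_SECURE = 2; // stand-in for UpdateManagerInterface::NOT_SECURE
const CURRENT = 5;    // stand-in for UpdateManagerInterface::CURRENT

// Mimics the core switch. PHP's switch compares with == (loose), so a
// boolean TRUE matches the first non-empty string case it encounters.
function classifyLoose($status): int {
  switch ($status) {
    case 'insecure':
      return NOT_SECURE;
    default:
      return CURRENT;
  }
}

// The same decision with strict comparison: TRUE === 'insecure' is false,
// so only a genuine 'insecure' string is reported as NOT_SECURE.
function classifyStrict($status): int {
  return $status === 'insecure' ? NOT_SECURE : CURRENT;
}

// Constructed sample data. Installed-project data carries a boolean
// project_status (enabled/uninstalled); available-update data carries a
// string such as 'published' or 'insecure'.
$installed = [
  'drupal'   => ['project_status' => TRUE],
  'ckeditor' => ['project_status' => TRUE],
];
$available = [
  'drupal'   => ['project_status' => 'published'],
  'ckeditor' => ['project_status' => 'published'],
];

foreach (['installed' => $installed, 'available' => $available] as $label => $projects) {
  foreach ($projects as $name => $project) {
    printf("%-9s %-8s loose=%d strict=%d\n", $label, $name,
      classifyLoose($project['project_status']),
      classifyStrict($project['project_status']));
  }
}
```

Running it shows every row of the boolean-valued installed list classified as NOT_SECURE by the loose switch, while the string-valued available list and the strict comparison both report CURRENT, which is exactly the difference between passing getProjects() and update_get_available() into update_calculate_project_data().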

So I believe the fix would be something like this:

    $tmp_projects = update_calculate_project_data(update_get_available());

Thanks!

Remaining tasks

User interface changes

API changes

Data model changes

πŸ› Bug report
Status

Fixed

Version

1.17

Component

Code
