Problem/Motivation
Sporadically, drush nagios starts reporting every installed module as NOT SECURE, and drush nagios-updates security outputs every module.
(This has been ongoing since we upgraded to Drupal 9, but I only just got around to investigating properly.)
I have tracked this down to a bug in StatuspageController. It is sporadic because the update status is cached by Drupal, so it only happens when (1) the cache expires, and then (2) the Nagios check runs before the cron job does its own update check.
Steps to reproduce
$ drush eval "Drupal::service('keyvalue.expirable')->get('update')->delete('update_project_data')"
$ drush nagios-updates security
drupal
ckeditor
# (etc.)
If you then visit /admin/reports/updates, it will clear the cache and trigger Drupal's own update check, which then caches the correct values and makes it work again:
$ drush nagios-updates security
# (no output)
Proposed resolution
I believe the cause is these two lines in StatuspageController::buildModuleList():
$tmp_projects = update_calculate_project_data(\Drupal::service('update.manager')
->getProjects());
The function is being passed the list of installed projects, when it expects the list of available updates. The two lists are similar, but in the former case $project['project_status'] = TRUE/FALSE (meaning enabled/uninstalled), whereas $project['project_status'] = 'published'/'insecure'/etc. in the latter. Then this code in Drupal core is executed:
switch ($available['project_status']) {
case 'insecure':
$project_data['status'] = UpdateManagerInterface::NOT_SECURE;
And because TRUE == 'insecure' is truthy, the status is set to UpdateManagerInterface::NOT_SECURE for every project.
So I believe the fix would be something like this:
$tmp_projects = update_calculate_project_data(update_get_available());
Thanks!
Remaining tasks
User interface changes
API changes
Data model changes
| Comment | File | Size | Author |
|---|---|---|---|
| | update-check.patch | 856 bytes | mi-dave |
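The loose comparison described in the issue summary can be reproduced outside Drupal. The following PHP is an added example, not code from the Nagios module or from Drupal core; the function names, constants and sample arrays are hypothetical and constructed for illustration.

```php
<?php
// Added illustration: a simplified stand-in for the core switch quoted in the issue.
// These constants are hypothetical placeholders, not UpdateManagerInterface values.
const STATUS_NOT_SECURE = 'NOT_SECURE';
const STATUS_OK = 'OK';

function status_loose($project_status): string {
  // switch compares with ==, so boolean TRUE matches any non-empty string case.
  switch ($project_status) {
    case 'insecure':
      return STATUS_NOT_SECURE;
    default:
      return STATUS_OK;
  }
}

function status_strict($project_status): string {
  // Refuse input that is not in the string form used by available-update data,
  // so a list of the wrong shape fails loudly instead of raising false alerts.
  if (!is_string($project_status)) {
    throw new InvalidArgumentException(
      'project_status must be a string, got ' . gettype($project_status));
  }
  return $project_status === 'insecure' ? STATUS_NOT_SECURE : STATUS_OK;
}

// Constructed sample data in the two shapes the issue describes.
$installed = ['drupal' => ['project_status' => TRUE],
              'ckeditor' => ['project_status' => TRUE]];
$available = ['drupal' => ['project_status' => 'published'],
              'ckeditor' => ['project_status' => 'insecure']];

foreach (['installed' => $installed, 'available' => $available] as $label => $projects) {
  foreach ($projects as $name => $project) {
    $loose = status_loose($project['project_status']);
    try {
      $strict = status_strict($project['project_status']);
    }
    catch (InvalidArgumentException $e) {
      $strict = 'rejected: ' . $e->getMessage();
    }
    printf("%-9s %-8s loose=%-10s strict=%s\n", $label, $name, $loose, $strict);
  }
}
```

With the installed-projects shape, the loose version flags every project as not secure, while the strict version rejects the boolean input; with the available-updates shape, both agree.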
Comments
Comment #2
mi-dave commented
Comment #3
gogowitsch commented
Thanks for the detailed description, mi-dave. I’ll work through your code and steps in the next days.
Comment #5
gogowitsch commented
@mi-dave I have pushed a fix to the dev branch. If you have time to give feedback to code changes or a manual test, please share your results here.
If all is good or I don’t hear from you in a while, I will publish a new release of the module.
Comment #6
mi-dave commented
Great, thanks! I have installed that in production and will look out for any issues over the next week. (We were getting false-positives about once every 1-5 days before.)
Comment #7
mi-dave commented
After using ce536b42 for a week, it all seems good to me. Thanks again!
Comment #8
gogowitsch commented
I have released version 8.x-1.18 to fix this issue.