Issue #2992631 by dww, swatichouhan012, tedbow, jungle, xjm: Update report...

Issue #2992631 by dww, swatichouhan012, tedbow, jungle, xjm: Update report incorrectly recommends security releases for old minors when a security update is needed and a secure version of the old minor is also available (cherry picked from commit e1b93214)

Issue #2992631 by dww, swatichouhan012, tedbow, jungle, xjm: Update report...
f62c8080 · Alex Pott · 5de150ac · f62c8080 · f62c8080 · f62c8080
Unverified Commit f62c8080 authored 4 years ago by Alex Pott
--- a/core/modules/update/tests/src/Functional/UpdateContribTest.php
+++ b/core/modules/update/tests/src/Functional/UpdateContribTest.php
@@ -709,9 +709,13 @@ public function securityUpdateAvailabilityProvider() {
        'expected_update_message_type' => static::UPDATE_NONE,
        'fixture' => 'sec.8.x-1.2_8.x-2.2',
      ],
+      '8.x-2.0, 8.x-1.2 8.x-2.2' => [
+        'module_patch_version' => '8.x-2.0',
+        'expected_security_releases' => ['8.x-2.2'],
+        'expected_update_message_type' => static::SECURITY_UPDATE_REQUIRED,
+        'fixture' => 'sec.8.x-1.2_8.x-2.2',
+      ],
      // @todo In https://www.drupal.org/node/2865920 add test cases:
-      //   - 8.x-2.0 using fixture 'sec.8.x-1.2_8.x-2.2' to ensure that 8.x-2.2
-      //     is the only security update.
      //   - 8.x-3.0-beta1 using fixture 'sec.8.x-1.2_8.x-2.2' to ensure that
      //     8.x-2.2 is the  only security update.
    ];

--- a/core/modules/update/tests/src/Functional/UpdateCoreTest.php
+++ b/core/modules/update/tests/src/Functional/UpdateCoreTest.php
@@ -355,6 +355,14 @@ public function securityUpdateAvailabilityProvider() {
        'expected_update_message_type' => static::UPDATE_NONE,
        'fixture' => 'sec.0.2-rc2',
      ],
+      // Ensure that 8.0.2 security release is not shown because it is earlier
+      // version than 1.0.
+      '1.0, 0.2 1.2' => [
+        'site_patch_version' => '1.0',
+        'expected_security_releases' => ['1.2', '2.0-rc2'],
+        'expected_update_message_type' => static::SECURITY_UPDATE_REQUIRED,
+        'fixture' => 'sec.0.2-rc2',
+      ],
    ];
    $pre_releases = [
      '2.0-alpha1',
@@ -365,24 +373,25 @@ public function securityUpdateAvailabilityProvider() {
      '2.0-rc2',
    ];
-    // If the site is on an alpha/beta/RC of an upcoming minor and none of the
-    // alpha/beta/RC versions are marked insecure, no security update should be
-    // required.
    foreach ($pre_releases as $pre_release) {
+      // If the site is on an alpha/beta/RC of an upcoming minor and none of the
+      // alpha/beta/RC versions are marked insecure, no security update should
+      // be required.
      $test_cases["Pre-release:$pre_release, no security update"] = [
        'site_patch_version' => $pre_release,
        'expected_security_releases' => [],
        'expected_update_message_type' => $pre_release === '2.0-rc2' ? static::UPDATE_NONE : static::UPDATE_AVAILABLE,
        'fixture' => 'sec.0.2-rc2-b',
      ];
+      // If the site is on an alpha/beta/RC of an upcoming minor and there is
+      // an RC version with a security update, it should be recommended.
+      $test_cases["Pre-release:$pre_release, security update"] = [
+        'site_patch_version' => $pre_release,
+        'expected_security_releases' => $pre_release === '2.0-rc2' ? [] : ['2.0-rc2'],
+        'expected_update_message_type' => $pre_release === '2.0-rc2' ? static::UPDATE_NONE : static::SECURITY_UPDATE_REQUIRED,
+        'fixture' => 'sec.0.2-rc2',
+      ];
    }
-    // @todo In https://www.drupal.org/node/2865920 add test cases:
-    //   - For all pre-releases for 8.2.0 except 8.2.0-rc2 using the
-    //     'sec.0.2-rc2' fixture to ensure that 8.2.0-rc2 is the only security
-    //     update.
-    //   - For 8.1.0 using fixture 'sec.0.2-rc2' to ensure that only security
-    //     updates are 8.1.2 and 8.2.0-rc2.
    return $test_cases;
  }

--- a/core/modules/update/update.compare.inc
+++ b/core/modules/update/update.compare.inc
@@ -390,13 +390,14 @@ function update_calculate_project_update_status(&$project_data, $available) {
        ];
      }
    }
+    // Other than the currently installed release, ignore unpublished, insecure,
-    // Otherwise, ignore unpublished, insecure, or unsupported releases.
+    // or unsupported updates.
-    if ($release['status'] == 'unpublished' ||
+    elseif ($release['status'] == 'unpublished' ||
-        !$is_in_supported_branch($release['version']) ||
+            !$is_in_supported_branch($release['version']) ||
-        (isset($release['terms']['Release type']) &&
+            (isset($release['terms']['Release type']) &&
-         (in_array('Insecure', $release['terms']['Release type']) ||
+             (in_array('Insecure', $release['terms']['Release type']) ||
-          in_array('Unsupported', $release['terms']['Release type'])))) {
+              in_array('Unsupported', $release['terms']['Release type'])))
+    ) {
      continue;
    }