Channel: Issues for Drupal core

Update status should indicate security coverage


Problem/Motivation

To support the recent changes to the project application process, namely decoupling the ability to create full projects/releases from security coverage, we need to provide indicators on the update status page of which installed modules receive security coverage.

@hestenet, @drumm, and @mlhess hope to help drive this forward. @Dries has given his blessing to prioritize this patch.

We (the DA) want to get this committed as soon as possible, and so we're allocating our sprint time towards getting this ready, writing tests, and responding to any reviews.

Proposed resolution

The changes would need to:

  1. Indicate which modules have security coverage and which do not.
  2. Provide visual indicators of coverage status via the shield icon and the !-alert icon.
  3. For modules that are explicitly unsupported, for known security issues or other reasons, it should indicate that.

In addition the changes could:

  • Provide an alert on each page for admins like the 'you are using a module with a security release' warning

Key Question:

"How do we keep users informed about which of their modules receive security advisory coverage, in a way that educates them rather than scaring them?"

Implementation questions to be resolved:

  1. Where should the list of covered/uncovered modules be presented?
    [ ] a. Only on the status page
    [ ] b. Only on the updates page
    [ ] c. Both
  2. If we put indicators on the updates page, what kind of indicators should we use?
    [ ] a. Negative indicators on each module
    [ ] b. Positive indicators on each module
    [ ] c. Both
    [ ] d. A single warning at the top of the page, referring users to the list of uncovered modules on the status page.
  3. How loud should the "Your site uses modules that do not receive security advisory coverage from the security team" message be?
    [ ] a. It should follow admins everywhere, like the 'security update available message'
    [ ] b. It should be at the top of the updates page, and link to the status page
  4. Should developers be able to suppress this warning, through settings.php? And if so, what should they be able to suppress?
    [ ] a. The top message that follows admins around
    [ ] b. The top message on the updates page
    [ ] c. The list of modules on the updates/status page
    [ ] d. none of the above

Remaining tasks

Review

User interface changes

admin/reports/updates with added security information

Screenshot
The update status for available updates, including security updates and the row backgrounds, is left as-is for consistency. Security information is grouped with module support or update status.

Addition to status report

If everything is covered:
Screenshot

If something is not:
Screenshot

Turning this off

If a site builder believes they are responsible enough to run non-covered code, they can turn off these messages in settings.php:

/**
 * Hide Drupal.org security advisory policy warnings.
 *
 * By default, Update Manager module warns about modules and themes from
 * Drupal.org that are not covered by Drupal.org’s security advisory policy.
 *
 * Security issues in non-covered projects are reported to the public issue
 * queue and will not receive coordinated security announcements.
 *
 * @see https://www.drupal.org/security-advisory-policy
 */
# $settings['update_warn_drupalorg_security'] = FALSE;

API changes

Theme additions in update module.

Data model changes

We have updated the update status XML to support this change: #2853696: Add security advisory coverage to update status XML, and can make additional changes as needed.
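The three states the proposed resolution asks the page to distinguish (covered, not covered, explicitly unsupported) together with the settings.php toggle described under "Turning this off" can be exercised with a small stand-alone checker. What follows is an added example, not code from this issue or from the Update Manager module; it is written in Python so it can be run against saved copies of release-history feeds without a Drupal install. The `<security_covered>` element name, the sample feeds and the `broken` entry are assumptions constructed for the example (the actual field added by #2853696 may be shaped differently); the `project_status` values are the ones the update module already recognises.

```python
import xml.etree.ElementTree as ET

# Coverage states the report distinguishes (names chosen for this example).
COVERED = "covered"
NOT_COVERED = "not covered"
UNSUPPORTED = "unsupported"
UNKNOWN = "unknown"

# project_status values the update module already treats as "do not use":
# 'insecure' is the "unsupported for known security issues" case, the
# others are the "other reasons".
DO_NOT_USE_STATUSES = {"insecure", "unsupported", "unpublished", "revoked"}

# Constructed sample release-history documents, one per installed project.
# The <security_covered> element is an assumed name for this example.
SAMPLE_FEEDS = {
    "token": """<project>
  <title>Token</title>
  <short_name>token</short_name>
  <project_status>published</project_status>
  <security_covered>1</security_covered>
</project>""",
    "sandbox_widget": """<project>
  <title>Sandbox Widget</title>
  <short_name>sandbox_widget</short_name>
  <project_status>published</project_status>
  <security_covered>0</security_covered>
</project>""",
    "legacy_gallery": """<project>
  <title>Legacy Gallery</title>
  <short_name>legacy_gallery</short_name>
  <project_status>unsupported</project_status>
  <security_covered>0</security_covered>
</project>""",
    "old_feed_module": """<project>
  <title>Old Feed Module</title>
  <short_name>old_feed_module</short_name>
  <project_status>published</project_status>
</project>""",
    # Truncated response (e.g. a failed fetch): must never read as "covered".
    "broken": "<project><title>Broken",
}


def coverage_status(xml_text):
    """Map one project's release-history XML to a single coverage state."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return UNKNOWN
    status = (root.findtext("project_status") or "").strip().lower()
    if status in DO_NOT_USE_STATUSES:
        return UNSUPPORTED
    flag = root.findtext("security_covered")
    if flag is None:
        # Feed without the flag: say nothing rather than claim coverage.
        return UNKNOWN
    return COVERED if flag.strip() == "1" else NOT_COVERED


def security_report(feeds, warn_drupalorg_security=True):
    """Per-project coverage plus the page-top warnings.

    warn_drupalorg_security mirrors the proposed settings.php toggle
    $settings['update_warn_drupalorg_security']: when False, the warning
    about merely non-covered projects is dropped. Projects the feed marks
    insecure/unsupported are still reported, because the toggle is about
    advisory coverage, not about code already known to be bad (a design
    choice of this example, not something the issue decides).
    """
    projects = {name: coverage_status(xml) for name, xml in feeds.items()}
    warnings = []
    unsupported = sorted(n for n, s in projects.items() if s == UNSUPPORTED)
    if unsupported:
        warnings.append("Unsupported or insecure projects installed: "
                        + ", ".join(unsupported))
    not_covered = sorted(n for n, s in projects.items() if s == NOT_COVERED)
    if not_covered and warn_drupalorg_security:
        warnings.append("Projects without security advisory coverage: "
                        + ", ".join(not_covered))
    unknown = sorted(n for n, s in projects.items() if s == UNKNOWN)
    return {"projects": projects, "warnings": warnings, "unknown": unknown}


if __name__ == "__main__":
    report = security_report(SAMPLE_FEEDS)
    for name, state in sorted(report["projects"].items()):
        print(f"{name:18} {state}")
    for line in report["warnings"]:
        print("WARNING:", line)
```

Two points worth carrying into the real implementation: a feed that lacks the flag, or that fails to parse, is reported as unknown rather than silently treated as covered, and the settings toggle only silences the coverage warning, not the indication that a project is explicitly unsupported.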

