github · andersfugmann · Dec 4, 2025 · Dec 4, 2025 · Dec 4, 2025 · Dec 4, 2025
@@ -24,7 +24,7 @@ bazel_dep(name = "bazel_skylib", version = "1.8.1")
 bazel_dep(name = "abseil-cpp", version = "20240116.1", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
 bazel_dep(name = "fmt", version = "12.1.0-codeql.1")
-bazel_dep(name = "rules_kotlin", version = "2.1.3-codeql.1")
+bazel_dep(name = "rules_kotlin", version = "2.2.0-codeql.1")
 bazel_dep(name = "gazelle", version = "0.40.0")
 bazel_dep(name = "rules_dotnet", version = "0.19.2-codeql.1")
 bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
@@ -221,10 +221,6 @@ use_repo(
  kotlin_extractor_deps,
  "codeql_kotlin_defaults",
  "codeql_kotlin_embeddable",
- "kotlin-compiler-1.6.0",
- "kotlin-compiler-1.6.20",
- "kotlin-compiler-1.7.0",
- "kotlin-compiler-1.7.20",
  "kotlin-compiler-1.8.0",
  "kotlin-compiler-1.9.0-Beta",
  "kotlin-compiler-1.9.20-Beta",
@@ -234,10 +230,7 @@ use_repo(
  "kotlin-compiler-2.1.20-Beta1",
  "kotlin-compiler-2.2.0-Beta1",
  "kotlin-compiler-2.2.20-Beta2",
- "kotlin-compiler-embeddable-1.6.0",
- "kotlin-compiler-embeddable-1.6.20",
- "kotlin-compiler-embeddable-1.7.0",
- "kotlin-compiler-embeddable-1.7.20",
+ "kotlin-compiler-2.3.0-Beta2",
  "kotlin-compiler-embeddable-1.8.0",
  "kotlin-compiler-embeddable-1.9.0-Beta",
  "kotlin-compiler-embeddable-1.9.20-Beta",
@@ -247,10 +240,7 @@ use_repo(
  "kotlin-compiler-embeddable-2.1.20-Beta1",
  "kotlin-compiler-embeddable-2.2.0-Beta1",
  "kotlin-compiler-embeddable-2.2.20-Beta2",
- "kotlin-stdlib-1.6.0",
- "kotlin-stdlib-1.6.20",
- "kotlin-stdlib-1.7.0",
- "kotlin-stdlib-1.7.20",
+ "kotlin-compiler-embeddable-2.3.0-Beta2",
  "kotlin-stdlib-1.8.0",
  "kotlin-stdlib-1.9.0-Beta",
  "kotlin-stdlib-1.9.20-Beta",
@@ -260,6 +250,7 @@ use_repo(
  "kotlin-stdlib-2.1.20-Beta1",
  "kotlin-stdlib-2.2.0-Beta1",
  "kotlin-stdlib-2.2.20-Beta2",
+ "kotlin-stdlib-2.3.0-Beta2",
 )
 
 go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")

@@ -124,13 +124,6 @@ kt_javac_options(
  javac_opts = ":javac-options",
  kotlinc_opts = ":kotlinc-options-%s" % v,
  module_name = "codeql-kotlin-extractor",
- # resource_strip_prefix is very nit-picky: the following makes it work from
- # `codeql`, `@codeql_kotlin_embeddable` and `semmle-code`
- resource_strip_prefix = (
- ("../%s/" % repo_name() if repo_name() else "") +
- ("%s/" % package_name() if package_name() else "") +
- v
- ),
  resources = [
  ":resources-%s" % v,
  ],

@@ -415,6 +415,7 @@ open class KotlinFileExtractor(
 
  private fun extractClassModifiers(c: IrClass, id: Label<out DbClassorinterface>){
  with("class modifiers", c){
+ @Suppress("REDUNDANT_ELSE_IN_WHEN")
  when (c.modality){
  Modality.FINAL -> addModifiers(id, "final")
  Modality.SEALED -> addModifiers(id, "sealed")
@@ -1644,7 +1645,7 @@ open class KotlinFileExtractor(
  extractMethodAndParameterTypeAccesses: Boolean,
  typeSubstitution: TypeSubstitution?,
  classTypeArgsIncludingOuterClasses: List<IrTypeArgument>?
- ) =
+ ) : Label<out DbCallable> =
  forceExtractFunction(
  f,
  parentId,
@@ -2801,6 +2802,7 @@ open class KotlinFileExtractor(
 
  private fun extractBody(b: IrBody, callable: Label<out DbCallable>){
  with("body", b){
+ @Suppress("REDUNDANT_ELSE_IN_WHEN")
  when (b){
  is IrBlockBody -> extractBlockBody(b, callable)
  is IrSyntheticBody -> extractSyntheticBody(b, callable)
@@ -2973,12 +2975,22 @@ open class KotlinFileExtractor(
  val locId = tw.getLocation(s)
  tw.writeStmts_block(blockId, parent, idx, callable)
  tw.writeHasLocation(blockId, locId)
- extractVariable(s.delegate, callable, blockId, 0)
+ // For Kotlin < 2.3, s.delegate is not-nullable. Cast to a be nullable,
+ // as a workaround to silence warnings for kotlin < 2.3 about the elvis
+ // operator being redundant.
+ // For Kotlin >= 2.3, the cast is redundant, so we need to silence that warning
+
+ @Suppress("USELESS_CAST")
+ val delegate = (s.delegate as IrVariable?) ?: run{
+ logger.errorElement("Local delegated property is missing delegate", s)
+ return
+ }
+ extractVariable(delegate, callable, blockId, 0)
 
  val propId = tw.getFreshIdLabel<DbKt_property>()
  tw.writeKtProperties(propId, s.name.asString())
  tw.writeHasLocation(propId, locId)
- tw.writeKtPropertyDelegates(propId, useVariable(s.delegate))
+ tw.writeKtPropertyDelegates(propId, useVariable(delegate))
 
  // Getter:
  extractStatement(s.getter, callable, blockId, 1)

@@ -849,9 +849,6 @@ open class KotlinUsesExtractor(
  }
 
 privatefunuseSimpleType(s:IrSimpleType, context:TypeContext): TypeResults{
-if (s.abbreviation !=null){
-// TODO: Extract this information
- }
 // We use this when we don't actually have an IrClass for a class
 // we want to refer to
 // TODO: Eliminate the need for this if possible
@@ -1836,6 +1833,7 @@ open class KotlinUsesExtractor(
 
 // Note this function doesn't return a signature because type arguments are never
 // incorporated into function signatures.
+ @Suppress("REDUNDANT_ELSE_IN_WHEN")
 returnwhen (arg){
 isIrStarProjection->{
 val anyTypeLabel =

@@ -111,6 +111,7 @@ private fun subProjectedType(
  } ?: makeTypeProjection(t.substituteTypeArguments(substitutionMap), outerVariance)
 
 private fun IrTypeArgument.upperBound(context: IrPluginContext) =
+ @Suppress("REDUNDANT_ELSE_IN_WHEN")
  when (this){
  is IrStarProjection -> context.irBuiltIns.anyNType
  is IrTypeProjection ->
@@ -125,6 +126,7 @@ private fun IrTypeArgument.upperBound(context: IrPluginContext) =
  }
 
 private fun IrTypeArgument.lowerBound(context: IrPluginContext) =
+ @Suppress("REDUNDANT_ELSE_IN_WHEN")
  when (this){
  is IrStarProjection -> context.irBuiltIns.nothingType
  is IrTypeProjection ->
@@ -209,6 +211,7 @@ fun IrClass.toRawType(): IrType{
 }
 
 fun IrTypeArgument.withQuestionMark(b: Boolean): IrTypeArgument =
+ @Suppress("REDUNDANT_ELSE_IN_WHEN")
  when (this){
  is IrStarProjection -> this
  is IrTypeProjection ->

@@ -0,0 +1,13 @@
+// For ComponentRegistrar
+@file:Suppress("DEPRECATION", "DEPRECATION_ERROR")
+
+packagecom.github.codeql
+
+importorg.jetbrains.kotlin.compiler.plugin.ComponentRegistrar
+importorg.jetbrains.kotlin.compiler.plugin.ExperimentalCompilerApi
+
+@OptIn(ExperimentalCompilerApi::class)
+abstractclassKotlin2ComponentRegistrar : ComponentRegistrar{
+overrideval supportsK2:Boolean
+ get() =true
+}
@@ -0,0 +1,31 @@
+packagecom.github.codeql.utils.versions
+
+importorg.jetbrains.kotlin.descriptors.*
+importorg.jetbrains.kotlin.load.kotlin.JvmPackagePartSource
+importorg.jetbrains.kotlin.metadata.deserialization.*
+importorg.jetbrains.kotlin.metadata.jvm.deserialization.*
+importorg.jetbrains.kotlin.metadata.jvm.JvmProtoBuf
+importorg.jetbrains.kotlin.resolve.DescriptorUtils.*
+importorg.jetbrains.kotlin.serialization.deserialization.descriptors.*
+
+fungetJvmModuleNameForDeserializedDescriptor(descriptor:CallableMemberDescriptor): String?{
+val parent = getParentOfType(descriptor, ClassOrPackageFragmentDescriptor::class.java, false)
+
+when{
+ parent isDeserializedClassDescriptor->{
+val classProto = parent.classProto
+val nameResolver = parent.c.nameResolver
+return classProto.getExtensionOrNull(JvmProtoBuf.classModuleName)
+ ?.let(nameResolver::getString)
+?:JvmProtoBufUtil.DEFAULT_MODULE_NAME
+ }
+ descriptor isDeserializedMemberDescriptor->{
+val source = descriptor.containerSource
+if (source isJvmPackagePartSource){
+return source.moduleName
+ }
+ }
+ }
+
+returnnull
+}
@@ -1,9 +1,5 @@
 # when updating this list, `bazel mod tidy` should be run from `codeql` to update `MODULE.bazel`
 VERSIONS = [
- "1.6.0",
- "1.6.20",
- "1.7.0",
- "1.7.20",
  "1.8.0",
  "1.9.0-Beta",
  "1.9.20-Beta",
@@ -13,6 +9,7 @@ VERSIONS = [
  "2.1.20-Beta1",
  "2.2.0-Beta1",
  "2.2.20-Beta2",
+ "2.3.0-Beta2",
 ]
 
 def _version_to_tuple(v):

@@ -1,16 +1,22 @@
 module(
  name = "rules_kotlin",
- version = "2.1.3-codeql.1",
+ version = "2.2.0-codeql.1",
  compatibility_level = 1,
  repo_name = "rules_kotlin",
 )
 
 bazel_dep(name = "platforms", version = "0.0.11")
 bazel_dep(name = "bazel_skylib", version = "1.7.1")
 bazel_dep(name = "rules_java", version = "7.2.0")
-bazel_dep(name = "rules_python", version = "0.23.1")
-bazel_dep(name = "rules_cc", version = "0.0.8")
-bazel_dep(name = "rules_android", version = "0.1.1")
+bazel_dep(name = "rules_android", version = "0.6.4")
+bazel_dep(name = "bazel_features", version = "1.25.0")
+bazel_dep(name = "protobuf", version = "29.0", repo_name = "com_google_protobuf")
+bazel_dep(name = "rules_proto", version = "6.0.2", repo_name = "rules_proto")
+bazel_dep(name = "abseil-py", version = "2.1.0", repo_name = "py_absl")
+bazel_dep(name = "rules_cc", version = "0.0.16")
+
+rules_java_toolchains = use_extension("@rules_java//java:extensions.bzl", "toolchains")
+use_repo(rules_java_toolchains, "remote_java_tools")
 
 rules_kotlin_extensions = use_extension(
  "//src/main/starlark/core/repositories:bzlmod_setup.bzl",
@@ -21,15 +27,10 @@ use_repo(
  "com_github_google_ksp",
  "com_github_jetbrains_kotlin",
  "com_github_pinterest_ktlint",
+ "kotlin_build_tools_impl",
  "kotlinx_serialization_core_jvm",
  "kotlinx_serialization_json",
  "kotlinx_serialization_json_jvm",
 )
 
 register_toolchains("//kotlin/internal:default_toolchain")
-
-# TODO(bencodes) We should be able to remove this once rules_android has rolled out official Bzlmod support
-remote_android_extensions = use_extension("@bazel_tools//tools/android:android_extensions.bzl", "remote_android_tools_extensions")
-use_repo(remote_android_extensions, "android_gmaven_r8", "android_tools")
-
-bazel_dep(name = "rules_proto", version = "5.3.0-21.7")
@@ -1,22 +1,20 @@
-diff --git a/src/main/starlark/core/options/opts.kotlinc.bzl b/src/main/starlark/core/options/opts.kotlinc.bzl
-index 76df826..ef2d6ca 100644
---- a/src/main/starlark/core/options/opts.kotlinc.bzl
-+++ b/src/main/starlark/core/options/opts.kotlinc.bzl
-@@ -33,6 +33,11 @@ def _map_jdk_release_to_flag(version):
+--- a/src/main/starlark/core/options/opts.kotlinc.bzl 2000-01-01 01:00:00.000000000 +0100
++++ b/src/main/starlark/core/options/opts.kotlinc.bzl 2025-11-17 16:51:01.012063056 +0100
+@@ -51,6 +51,11 @@
  return None
  return ["-Xjdk-release=%s" % version]
-
+
 +def _map_language_version_to_flag(version):
 + if not version:
 + return None
 + return ["-language-version=%s" % version, "-api-version=%s" % version]
 +
  _KOPTS_ALL ={
- "warn": struct(
+ "include_stdlibs": struct(
  args = dict(
-@@ -429,6 +434,15 @@ _KOPTS_ALL ={
+@@ -495,6 +500,15 @@
  value_to_flag = None,
- map_value_to_flag = _map_jdk_release_to_flag,
+ map_value_to_flag = _map_warning_level,
  ),
 + "language_version": struct(
 + args = dict(
@@ -28,5 +26,5 @@ index 76df826..ef2d6ca 100644
 + map_value_to_flag = _map_language_version_to_flag,
 + ),
  }
-
+
  def _merge(key, rule_defined):
@@ -1,16 +1,14 @@
 Emitting jdeps is broken for the 2.0.0 kotlin extractor, and we don't need those files.
 Patching it here rather than passing `--@rules_kotlin//kotlin/settings:jvm_emit_jdeps=false`
 allows us to not have to specify that option (and therefore pull in `rules_kotlin`) in `semmle-code`.
-diff --git a/kotlin/settings/BUILD.bazel b/kotlin/settings/BUILD.bazel
-index 2c93c11..f352b80 100644
 --- a/kotlin/settings/BUILD.bazel
 +++ b/kotlin/settings/BUILD.bazel
-@@ -25,7 +25,7 @@ release_archive(
+@@ -16,6 +16,6 @@ release_archive(
  # Flag that controls the emission of jdeps files during kotlin jvm compilation.
  bool_flag(
  name = "jvm_emit_jdeps",
 - build_setting_default = True, # Upstream default behavior
 + build_setting_default = False,
  visibility = ["//visibility:public"],
  )
-
+