Skip to content

ci: codeql.yml build-scope comment omits kuri-serde-kotlinx even though it is actually scanned #101

Description

@OmarAlJarrah

Problem

.github/workflows/codeql.yml:74 (and the related comment at :7) states that the manual build step's ./gradlew compileKotlinJvm "runs in :kuri and :kuri-bind." :kuri-serde-kotlinx also declares a jvm {} target (kuri-serde-kotlinx/build.gradle.kts:36) with real production Kotlin source (QueryParametersFormat.kt, QueryEncoder.kt, QueryDecoder.kt, Serializers.kt).

Because the workflow invokes ./gradlew compileKotlinJvm unqualified (not scoped to a specific project), Gradle runs the task in every module that has it — including kuri-serde-kotlinx. git history shows this comment predates the kuri-serde-kotlinx module and was never updated after it was added.

Impact

A security reviewer auditing what CodeQL actually covers reads the comment, concludes the kotlinx-serialization integration module is outside the SAST surface, and either skips reviewing it directly or files an unnecessary "serde module isn't scanned" report — when it in fact is. Conversely, if kuri-serde-kotlinx were ever changed to a native-only target (dropping its jvm {} block), the stale comment would give no signal that CodeQL coverage had actually changed, since it never mentioned the module in the first place.

Suggested fix

Update the comment to list all three JVM-target modules currently compiled and scanned.

Metadata

Metadata

Assignees

No one assigned

    Labels

    documentationImprovements or additions to documentation

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions