Problem
.github/workflows/codeql.yml:74 (and the related comment at :7) states that the manual build step's ./gradlew compileKotlinJvm "runs in :kuri and :kuri-bind." :kuri-serde-kotlinx also declares a jvm {} target (kuri-serde-kotlinx/build.gradle.kts:36) with real production Kotlin source (QueryParametersFormat.kt, QueryEncoder.kt, QueryDecoder.kt, Serializers.kt).
Because the workflow invokes ./gradlew compileKotlinJvm unqualified (not scoped to a specific project), Gradle runs the task in every module that has it — including kuri-serde-kotlinx. git history shows this comment predates the kuri-serde-kotlinx module and was never updated after it was added.
Impact
A security reviewer auditing what CodeQL actually covers reads the comment, concludes the kotlinx-serialization integration module is outside the SAST surface, and either skips reviewing it directly or files an unnecessary "serde module isn't scanned" report — when it in fact is. Conversely, if kuri-serde-kotlinx were ever changed to a native-only target (dropping its jvm {} block), the stale comment would give no signal that CodeQL coverage had actually changed, since it never mentioned the module in the first place.
Suggested fix
Update the comment to list all three JVM-target modules currently compiled and scanned.
Problem
.github/workflows/codeql.yml:74(and the related comment at:7) states that the manual build step's./gradlew compileKotlinJvm"runs in:kuriand:kuri-bind.":kuri-serde-kotlinxalso declares ajvm {}target (kuri-serde-kotlinx/build.gradle.kts:36) with real production Kotlin source (QueryParametersFormat.kt,QueryEncoder.kt,QueryDecoder.kt,Serializers.kt).Because the workflow invokes
./gradlew compileKotlinJvmunqualified (not scoped to a specific project), Gradle runs the task in every module that has it — includingkuri-serde-kotlinx.githistory shows this comment predates thekuri-serde-kotlinxmodule and was never updated after it was added.Impact
A security reviewer auditing what CodeQL actually covers reads the comment, concludes the kotlinx-serialization integration module is outside the SAST surface, and either skips reviewing it directly or files an unnecessary "serde module isn't scanned" report — when it in fact is. Conversely, if
kuri-serde-kotlinxwere ever changed to a native-only target (dropping itsjvm {}block), the stale comment would give no signal that CodeQL coverage had actually changed, since it never mentioned the module in the first place.Suggested fix
Update the comment to list all three JVM-target modules currently compiled and scanned.