Kotlin: "CodeQL currently supports versions below 2.1.10" #18596

Closed
spyro2000 opened this issue Jan 27, 2025 · 17 comments
Labels
question Further information is requested

Comments

spyro2000 commented Jan 27, 2025

Is there any update planned on this? Why is 2.1.9 ok, but 2.1.10 is breaking...?
For whatever reason, the Kotlin team decided to go from 2.1 directly to 2.1.10. Next one will be 2.1.20. Each incremental step will break CodeQL again, correct?

@spyro2000 spyro2000 added the question Further information is requested label Jan 27, 2025
Author

spyro2000 commented Jan 27, 2025

Never mind, seems like our TI just uses an outdated version (AFAIK 2.1.10 should work according to https://codeql.github.com/docs/codeql-overview/supported-languages-and-frameworks/ it's "2.1.2x")

Update: They use indeed the newest version, now I am confused why this breaks Sonar.

edgarvonk commented Jan 27, 2025

We are running into the same issue and we are using the most recent version of the CodeQL GitHub action (v3.28.5).

edgarvonk commented Jan 27, 2025

This issue started occurring for us when we upgraded from Kotlin 2.1.0 to 2.1.10. As said, the CodeQL GitHub action we use is the latest (v3.28.5). Part of the stacktrace from our GitHub CodeQL workflow:

    [2025-01-27 10:28:36] [autobuild] e: com.semmle.extractor.java.interceptors.KotlinInterceptor$KotlinVersionTooRecentError: Kotlin version 2.1.10 is too recent. CodeQL currently supports versions below 2.1.10
    [2025-01-27 10:28:36] [autobuild] 	at com.semmle.extractor.java.interceptors.KotlinInterceptor.getExtractorJarPath(KotlinInterceptor.java:247)
    [2025-01-27 10:28:36] [autobuild] 	at com.semmle.extractor.java.interceptors.KotlinInterceptor.beforeKotlinExecute(KotlinInterceptor.java:589)
    [2025-01-27 10:28:36] [autobuild] 	at org.jetbrains.kotlin.cli.jvm.K2JVMCompiler.SEMMLE_INTERCEPT$0(K2JVMCompiler.kt)

Contributor

rvermeulen commented Jan 27, 2025

Hi @edgarvonk,

Kotlin 3.1.0 should be supported since CodeQL version 2.19.1.
This is incorrect, we haven't shipped it yet.
Could you share the CodeQL version used in your workflow?

jacq42 commented Jan 28, 2025

Hi @rvermeulen,

we run into the same issue.

We use CodeQL with the latest GitHub CodeQL Action:

    github/codeql-action/init@v3
    github/codeql-action/analyze@v3

That uses CodeQL version 2.20.3:

    Using CodeQL CLI version 2.20.3 sourced from https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.20.3/codeql-bundle-linux64.tar.zst .

@edgarvonk

Hi @rvermeulen, same as above. Our CodeQL GitHub workflow uses CodeQL version 2.20.3, looking at the logs:

    CODEQL_JAVA_HOME: /opt/hostedtoolcache/CodeQL/2.20.3/x64/codeql/tools/linux64/java

ps: you mean Kotlin 2.1.10 I think?

edgarvonk commented Jan 28, 2025

This is our GitHub CodeQL workflow step just to be complete:

    analyze:
      name: Analyze
      runs-on: ubuntu-24.04
      needs: paths-ignore
      if: ${{ needs.paths-ignore.outputs.skip != 'true' }}
      permissions:
        actions: read
        contents: read
        security-events: write
      strategy:
        fail-fast: false
        matrix:
          language: ["java-kotlin", "javascript-typescript", "actions"]
      steps:
        - name: Checkout repository
          uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

        - name: Setup JDK
          if: matrix.language == 'java-kotlin'
          uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
          with:
            java-version: ${{ env.JAVA_VERSION }}
            distribution: "temurin"

        - name: Setup Gradle
          if: matrix.language == 'java-kotlin'
          uses: gradle/actions/setup-gradle@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2

        - name: Initialize CodeQL
          uses: github/codeql-action/init@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5
          with:
            languages: ${{ matrix.language }}

        - name: Autobuild
          uses: github/codeql-action/autobuild@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5

        - name: Perform CodeQL Analysis
          uses: github/codeql-action/analyze@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5
          with:
            category: "/language:${{matrix.language}}"

@edgarvonk

PS: a new CodeQL GitHub Action just came out (v3.28.6). I don't see anything related to this issue in the commit log however.

@rvermeulen
Contributor

> Hi @rvermeulen , same as above. Our CodeQL GitHub workflow uses CodeQL version 2.20.3 looking at the logs:
>
> CODEQL_JAVA_HOME: /opt/hostedtoolcache/CodeQL/2.20.3/x64/codeql/tools/linux64/java
>
> ps: you mean Kotlin 2.1.10 I think?

I did mean 2.1.10

@rvermeulen
Contributor

I have corrected my previous statement around support for 2.1.10. It seems we haven't shipped it yet. Will respond shortly whether we can use a workaround until the next release of our CodeQL CLI that should ship with support for up to 2.1.2X.

@spyro2000 spyro2000 changed the title "CodeQL currently supports versions below 2.1.10" Kotlin: "CodeQL currently supports versions below 2.1.10" Jan 29, 2025
Author

spyro2000 commented Jan 29, 2025

@rvermeulen: So this will break again for Kotlin 2.1.20 and 2.1.30? Why is support even restricted on patch (!) level? This could even prevent users from installing security fixes for the compiler. And why will it break the process altogether, even if there isn't any sort of incompatibility? Wouldn't warning not be enough until this is sorted out? Feels like a ticking timebomb each time..

sschuberth commented Jan 29, 2025

> Why is support even restricted on patch (!) level?

Good question. I've proposed here already to relax the version check in that regard.

Yolgie commented Jan 29, 2025

@sschuberth @spyro2000 @rvermeulen I've created a new issue for this: #18624

@rvermeulen
Contributor

@spyro2000 good question. Let me inquire why we have such a restriction on the patch level.

@rvermeulen
Contributor

There was a new release of the CodeQL Action that adds support for Kotlin 2.1.10 https://github.com/github/codeql-action/blob/v3.28.8/CHANGELOG.md#3288---29-jan-2025.

@spyro2000
Author

Thank you @rvermeulen,

will this break again for Kotlin 2.1.20, 2.1.30 etc?

Contributor

igfoo commented Jan 30, 2025

Sorry for the failures; this should be fixed now. Please let us know if you're still seeing problems.

> Wouldn't warning not be enough until this is sorted out?
> will this break again for Kotlin 2.1.20, 2.1.30 etc?

In general, if the 10s digit changes then APIs that we use might have changed, so just warning isn't an option.

We aim to have support for new versions out before the Kotlin release is made, but unfortunately we didn't quite make it this time.

@igfoo igfoo closed this as completed Jan 30, 2025