Merge pull request #21986 from JarLob/userpermissions

Actions: Fix dominates() false positive in reusable workflows

MODULE.bazel

@@ -248,6 +248,7 @@ use_repo(
     "kotlin-compiler-2.2.20-Beta2",
     "kotlin-compiler-2.3.0",
     "kotlin-compiler-2.3.20",
+    "kotlin-compiler-2.4.0",
     "kotlin-compiler-embeddable-1.8.0",
     "kotlin-compiler-embeddable-1.9.0-Beta",
     "kotlin-compiler-embeddable-1.9.20-Beta",
@@ -259,6 +260,7 @@ use_repo(
     "kotlin-compiler-embeddable-2.2.20-Beta2",
     "kotlin-compiler-embeddable-2.3.0",
     "kotlin-compiler-embeddable-2.3.20",
+    "kotlin-compiler-embeddable-2.4.0",
     "kotlin-stdlib-1.8.0",
     "kotlin-stdlib-1.9.0-Beta",
     "kotlin-stdlib-1.9.20-Beta",
@@ -270,6 +272,7 @@ use_repo(
     "kotlin-stdlib-2.2.20-Beta2",
     "kotlin-stdlib-2.3.0",
     "kotlin-stdlib-2.3.20",
+    "kotlin-stdlib-2.4.0",
 )
 
 go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")

actions/ql/lib/change-notes/2026-06-15-permission_check.md

@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* GitHub Actions queries now better account for permission checks on jobs that call reusable workflows.

actions/ql/lib/codeql/actions/security/ControlChecks.qll

@@ -42,6 +42,15 @@ string actor_not_attacker_event() {
     ]
 }
 
+/**
+ * Gets the outer caller of `ej`, i.e. the `ExternalJob` that calls the
+ * reusable workflow containing `ej`. Used with transitive closure to
+ * walk up nested reusable workflow chains.
+ */
+private ExternalJob getAnOuterCaller(ExternalJob ej) {
+  result = ej.getEnclosingWorkflow().(ReusableWorkflow).getACaller()
+}
+
 /** An If node that contains an actor, user or label check */
 abstract class ControlCheck extends AstNode {
   ControlCheck() {
@@ -53,43 +62,170 @@ abstract class ControlCheck extends AstNode {
 
   predicate protects(AstNode node, Event event, string category) {
     // The check dominates the step it should protect
-    this.dominates(node) and
+    this.dominates(node, event) and
     // The check is effective against the event and category
     this.protectsCategoryAndEvent(category, event.getName()) and
     // The check can be triggered by the event
-    this.getATriggerEvent() = event
+    this.getATriggerEvent() = event and
+    // For reusable workflows, there must be no unprotected caller chain for this event.
+    (
+      not node.getEnclosingWorkflow() instanceof ReusableWorkflow
+      or
+      this.dominatesSameWorkflow(node, event)
+      or
+      not exists(ExternalJob directCaller |
+        directCaller = node.getEnclosingWorkflow().(ReusableWorkflow).getACaller() and
+        unprotectedCallerChain(directCaller, event, category)
+      )
+    )
   }
 
-  predicate dominates(AstNode node) {
+  /**
+   * Holds if this control check must execute and pass before `node` can run.
+   */
+  predicate dominates(AstNode node, Event event) {
+    this.dominatesSameWorkflow(node, event)
+    or
+    // When the node is inside a reusable workflow,
+    // this check dominates via at least one caller chain.
+    this.dominatesViaCaller(node, event, _)
+  }
+
+  /**
+   * Holds if this control check dominates `node` within the same workflow.
+   */
+  predicate dominatesSameWorkflow(AstNode node, Event event) {
+    this.getATriggerEvent() = event and
+    (
+      // Step-level: the check is an `if:` on the step containing `node`,
+      // or on the enclosing job, or on a needed job/step.
+      this instanceof If and
+      (
+        node.getEnclosingStep().getIf() = this or
+        node.getEnclosingJob().getIf() = this or
+        node.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this or
+        node.getEnclosingJob().getANeededJob().(LocalJob).getIf() = this
+      )
+      or
+      // Job-level: the check is an environment on the enclosing job or a needed job.
+      this instanceof Environment and
+      (
+        node.getEnclosingJob().getEnvironment() = this
+        or
+        node.getEnclosingJob().getANeededJob().getEnvironment() = this
+      )
+      or
+      // Step-level: the check is a Run/UsesStep that precedes `node`'s step
+      // in the same job, or is a step in a needed job.
+      (
+        this instanceof Run or
+        this instanceof UsesStep
+      ) and
+      (
+        this.(Step).getAFollowingStep() = node.getEnclosingStep()
+        or
+        node.getEnclosingJob().getANeededJob().(LocalJob).getAStep() = this
+      )
+    )
+  }
+
+  /**
+   * Holds if this control check dominates `node` in a reusable workflow
+   * via the caller chain starting at `directCaller`.
+   */
+  predicate dominatesViaCaller(AstNode node, Event event, ExternalJob directCaller) {
+    directCaller = node.getEnclosingWorkflow().(ReusableWorkflow).getACaller() and
+    directCaller.getATriggerEvent() = event and
+    exists(ExternalJob caller |
+      caller = getAnOuterCaller*(directCaller) and
+      this.dominatesCaller(caller)
+    )
+  }
+
+  /**
+   * Holds if this control check directly dominates `caller`.
+   */
+  predicate dominatesCaller(ExternalJob caller) {
     this instanceof If and
     (
-      node.getEnclosingStep().getIf() = this or
+      caller.getIf() = this or
-      node.getEnclosingJob().getIf() = this or
+      caller.getANeededJob().(LocalJob).getIf() = this or
-      node.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this or
+      caller.getANeededJob().(LocalJob).getAStep().getIf() = this
-      node.getEnclosingJob().getANeededJob().(LocalJob).getIf() = this
     )
     or
     this instanceof Environment and
     (
-      node.getEnclosingJob().getEnvironment() = this
+      caller.getEnvironment() = this or
-      or
+      caller.getANeededJob().getEnvironment() = this
-      node.getEnclosingJob().getANeededJob().getEnvironment() = this
     )
     or
-    (
+    (this instanceof Run or this instanceof UsesStep) and
-      this instanceof Run or
+    caller.getANeededJob().(LocalJob).getAStep() = this
-      this instanceof UsesStep
-    ) and
-    (
-      this.(Step).getAFollowingStep() = node.getEnclosingStep()
-      or
-      node.getEnclosingJob().getANeededJob().(LocalJob).getAStep() = this.(Step)
-    )
   }
 
   abstract predicate protectsCategoryAndEvent(string category, string event);
 }
 
+/**
+ * Holds if this control check directly protects `caller`.
+ */
+bindingset[caller, event, category]
+private predicate protectedCaller(ExternalJob caller, Event event, string category) {
+  exists(ControlCheck check |
+    check.protectsCategoryAndEvent(category, event.getName()) and
+    check.getATriggerEvent() = event and
+    check.dominatesCaller(caller)
+  )
+}
+
+cached
+private newtype TCallerState =
+  MkCallerState(ExternalJob caller, Event event, string category) {
+    caller.getATriggerEvent() = event and
+    category = any_category()
+  }
+
+private class CallerState extends TCallerState, MkCallerState {
+  ExternalJob caller;
+  Event event;
+  string category;
+
+  CallerState() { this = MkCallerState(caller, event, category) }
+
+  ExternalJob getCaller() { result = caller }
+
+  Event getEvent() { result = event }
+
+  string getCategory() { result = category }
+
+  /**
+   * Gets an outer caller state if this caller is not protected.
+   */
+  CallerState getUnprotectedOuterState() {
+    not protectedCaller(this.getCaller(), this.getEvent(), this.getCategory()) and
+    result = MkCallerState(getAnOuterCaller(this.getCaller()), this.getEvent(), this.getCategory())
+  }
+
+  predicate isUnprotectedOutermost() {
+    not protectedCaller(this.getCaller(), this.getEvent(), this.getCategory()) and
+    not exists(getAnOuterCaller(this.getCaller()))
+  }
+
+  string toString() { result = caller + " / " + event + " / " + category }
+}
+
+/**
+ * Holds if there is a caller path from `caller` to an outer workflow that has no protection.
+ */
+bindingset[caller, event, category]
+private predicate unprotectedCallerChain(ExternalJob caller, Event event, string category) {
+  exists(CallerState start, CallerState outermost |
+    start = MkCallerState(caller, event, category) and
+    outermost = start.getUnprotectedOuterState*() and
+    outermost.isUnprotectedOutermost()
+  )
+}
+
 abstract class AssociationCheck extends ControlCheck {
   // Checks if the actor is a MEMBER/OWNER the repo
   // - they are effective against pull requests and workflow_run (since these are triggered by pull_requests) since they can control who is making the PR

actions/ql/src/Security/CWE-285/ImproperAccessControl.ql

@@ -18,7 +18,7 @@ from LocalJob job, LabelCheck check, MutableRefCheckoutStep checkout, Event even
 where
   job.isPrivileged() and
   job.getAStep() = checkout and
-  check.dominates(checkout) and
+  check.dominates(checkout, event) and
   (
     job.getATriggerEvent() = event and
     event.getName() = "pull_request_target" and

actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql

@@ -34,8 +34,8 @@ where
         check instanceof AssociationCheck or
         check instanceof PermissionCheck
       ) and
-      check.dominates(checkout) and
+      check.dominates(checkout, event) and
-      date_check.dominates(checkout)
+      date_check.dominates(checkout, event)
     )
     or
     // not issue_comment triggered workflows

actions/ql/test/query-tests/Security/CWE-829/.github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml

@@ -0,0 +1,17 @@
+on:
+  workflow_call:
+    inputs:
+      COMMIT_SHA:
+        type: string
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          ref: ${{ inputs.COMMIT_SHA }}
+      - run: |
+          npm install
+          npm run lint
+      

actions/ql/test/query-tests/Security/CWE-829/.github/workflows/external/TestOrg/TestRepo/.github/workflows/build_nested.yml

@@ -0,0 +1,13 @@
+on:
+  workflow_call:
+    inputs:
+      COMMIT_SHA:
+        type: string
+
+jobs:
+  build:
+    uses: TestOrg/TestRepo/.github/workflows/build.yml@main
+    with:
+      COMMIT_SHA: ${{ inputs.COMMIT_SHA }}
+
+      

actions/ql/test/query-tests/Security/CWE-829/.github/workflows/external/TestOrg/TestRepo/.github/workflows/build_nested_branching.yml

@@ -0,0 +1,33 @@
+on:
+  workflow_call:
+    inputs:
+      COMMIT_SHA:
+        type: string
+
+jobs:
+  is-collaborator:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get User Permission
+        id: checkAccess
+        uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
+        with:
+          require: write
+          username: ${{ github.actor }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Check User Permission
+        if: steps.checkAccess.outputs.require-result == 'false'
+        run: |
+          echo "${{ github.actor }} does not have permissions on this repo."
+          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+          exit 1
+  build_safe:
+    needs: is-collaborator
+    uses: TestOrg/TestRepo/.github/workflows/build_nested.yml@main
+    with:
+      COMMIT_SHA: ${{ inputs.COMMIT_SHA }}
+  build_unsafe:
+    uses: TestOrg/TestRepo/.github/workflows/build_nested.yml@main
+    with:
+      COMMIT_SHA: ${{ inputs.COMMIT_SHA }}

actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_no_needs.yml

@@ -0,0 +1,31 @@
+on:
+  pull_request_target:                                     
+
+jobs:
+  is-collaborator:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get User Permission
+        id: checkAccess
+        uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
+        with:
+          require: write
+          username: ${{ github.actor }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Check User Permission
+        if: steps.checkAccess.outputs.require-result == 'false'
+        run: |
+          echo "${{ github.actor }} does not have permissions on this repo."
+          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+          exit 1
+  build:
+    runs-on: ubuntu-latest
+    #needs: is-collaborator Mistake, doesn't wait for the collaborator - no security check
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }} # should alert
+          fetch-depth: 2
+      - run: yarn test

actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_permission_check_reusable.yml

@@ -0,0 +1,26 @@
+on:
+  pull_request_target:                                     
+
+jobs:
+  is-collaborator:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get User Permission
+        id: checkAccess
+        uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
+        with:
+          require: write
+          username: ${{ github.actor }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Check User Permission
+        if: steps.checkAccess.outputs.require-result == 'false'
+        run: |
+          echo "${{ github.actor }} does not have permissions on this repo."
+          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+          exit 1
+  build:
+    needs: is-collaborator
+    uses: TestOrg/TestRepo/.github/workflows/build.yml@main
+    with:
+      COMMIT_SHA: ${{ github.event.pull_request.head.sha }} # shouldn't alert since permission check

actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_permission_check_reusable2.yml

@@ -0,0 +1,31 @@
+on:
+  pull_request_target:                                     
+
+jobs:
+  is-collaborator:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get User Permission
+        id: checkAccess
+        uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
+        with:
+          require: write
+          username: ${{ github.actor }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Check User Permission
+        if: steps.checkAccess.outputs.require-result == 'false'
+        run: |
+          echo "${{ github.actor }} does not have permissions on this repo."
+          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+          exit 1
+  build_unsafe:
+    # needs: is-collaborator
+    uses: TestOrg/TestRepo/.github/workflows/build.yml@main
+    with:
+      COMMIT_SHA: ${{ github.event.pull_request.head.sha }} # should alert since no permission check
+  build_safe:
+    needs: is-collaborator
+    uses: TestOrg/TestRepo/.github/workflows/build.yml@main
+    with:
+      COMMIT_SHA: ${{ github.event.pull_request.head.sha }} # shouldn't alert since permission check

actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_permission_check_reusable_branching_nested.yml

@@ -0,0 +1,8 @@
+on:
+  pull_request_target:
+
+jobs:
+  build:
+    uses: TestOrg/TestRepo/.github/workflows/build_nested_branching.yml@main
+    with:
+      COMMIT_SHA: ${{ github.event.pull_request.head.sha }}

actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_permission_check_reusable_level2.yml

@@ -0,0 +1,26 @@
+on:
+  pull_request_target:                                     
+
+jobs:
+  is-collaborator:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get User Permission
+        id: checkAccess
+        uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
+        with:
+          require: write
+          username: ${{ github.actor }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Check User Permission
+        if: steps.checkAccess.outputs.require-result == 'false'
+        run: |
+          echo "${{ github.actor }} does not have permissions on this repo."
+          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+          exit 1
+  build:
+    needs: is-collaborator
+    uses: TestOrg/TestRepo/.github/workflows/build_nested.yml@main
+    with:
+      COMMIT_SHA: ${{ github.event.pull_request.head.sha }} # shouldn't alert since permission check

actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_permission_check_reusable_no_needs.yml

@@ -0,0 +1,26 @@
+on:
+  pull_request_target:                                     
+
+jobs:
+  is-collaborator:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get User Permission
+        id: checkAccess
+        uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
+        with:
+          require: write
+          username: ${{ github.actor }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Check User Permission
+        if: steps.checkAccess.outputs.require-result == 'false'
+        run: |
+          echo "${{ github.actor }} does not have permissions on this repo."
+          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+          exit 1
+  build:
+    # needs: is-collaborator
+    uses: TestOrg/TestRepo/.github/workflows/build_nested.yml@main
+    with:
+      COMMIT_SHA: ${{ github.event.pull_request.head.sha }}

actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_permissions_check.yml

@@ -0,0 +1,41 @@
+on:
+  pull_request_target:                                     
+
+jobs:
+  is-collaborator:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get User Permission
+        id: checkAccess
+        uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
+        with:
+          require: write
+          username: ${{ github.actor }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Check User Permission
+        if: steps.checkAccess.outputs.require-result == 'false'
+        run: |
+          echo "${{ github.actor }} does not have permissions on this repo."
+          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+          exit 1
+  build:
+    runs-on: ubuntu-latest
+    needs: is-collaborator
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }} # shouldn't alert since permission check
+          fetch-depth: 2
+      - run: yarn test
+  build_unsafe:
+    runs-on: ubuntu-latest
+    # needs: is-collaborator
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }} # should alert since no permission check
+          fetch-depth: 2
+      - run: yarn test

actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_two_callers_both_protected.yml

@@ -0,0 +1,48 @@
+on:
+  pull_request_target:                                     
+
+jobs:
+  is-collaborator-a:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get User Permission
+        id: checkAccess
+        uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
+        with:
+          require: write
+          username: ${{ github.actor }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Check User Permission
+        if: steps.checkAccess.outputs.require-result == 'false'
+        run: |
+          echo "${{ github.actor }} does not have permissions on this repo."
+          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+          exit 1
+  caller-a:
+    needs: is-collaborator-a
+    uses: TestOrg/TestRepo/.github/workflows/build.yml@main
+    with:
+      COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
+  is-collaborator-b:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get User Permission
+        id: checkAccess
+        uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
+        with:
+          require: write
+          username: ${{ github.actor }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Check User Permission
+        if: steps.checkAccess.outputs.require-result == 'false'
+        run: |
+          echo "${{ github.actor }} does not have permissions on this repo."
+          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+          exit 1
+  caller-b:
+    needs: is-collaborator-b
+    uses: TestOrg/TestRepo/.github/workflows/build.yml@main
+    with:
+      COMMIT_SHA: ${{ github.event.pull_request.head.sha }}

actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected

@@ -93,6 +93,8 @@ edges
 | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:20:9:25:6 | Uses Step |
 | .github/workflows/dependabot3.yml:20:9:25:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone |
 | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:48:9:52:57 | Run Step |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:14:9:17:7 | Run Step |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/build_nested_branching.yml:11:9:19:6 | Uses Step: checkAccess | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build_nested_branching.yml:19:9:25:2 | Run Step |
 | .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:14:9:19:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step |
 | .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:25:9:70:20 | Run Step |
 | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step |
@@ -334,6 +336,17 @@ edges
 | .github/workflows/untrusted_checkout_6.yml:11:9:14:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:14:9:17:6 | Uses Step |
 | .github/workflows/untrusted_checkout_6.yml:14:9:17:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:17:9:21:6 | Uses Step |
 | .github/workflows/untrusted_checkout_6.yml:17:9:21:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:21:9:23:23 | Run Step |
+| .github/workflows/untrusted_checkout_no_needs.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_no_needs.yml:16:9:22:2 | Run Step |
+| .github/workflows/untrusted_checkout_no_needs.yml:26:9:31:6 | Uses Step | .github/workflows/untrusted_checkout_no_needs.yml:31:9:31:23 | Run Step |
+| .github/workflows/untrusted_checkout_permission_check_reusable2.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_permission_check_reusable2.yml:16:9:22:2 | Run Step |
+| .github/workflows/untrusted_checkout_permission_check_reusable.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_permission_check_reusable.yml:16:9:22:2 | Run Step |
+| .github/workflows/untrusted_checkout_permission_check_reusable_level2.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_permission_check_reusable_level2.yml:16:9:22:2 | Run Step |
+| .github/workflows/untrusted_checkout_permission_check_reusable_no_needs.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_permission_check_reusable_no_needs.yml:16:9:22:2 | Run Step |
+| .github/workflows/untrusted_checkout_permissions_check.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_permissions_check.yml:16:9:22:2 | Run Step |
+| .github/workflows/untrusted_checkout_permissions_check.yml:26:9:31:6 | Uses Step | .github/workflows/untrusted_checkout_permissions_check.yml:31:9:32:2 | Run Step |
+| .github/workflows/untrusted_checkout_permissions_check.yml:36:9:41:6 | Uses Step | .github/workflows/untrusted_checkout_permissions_check.yml:41:9:41:22 | Run Step |
+| .github/workflows/untrusted_checkout_two_callers_both_protected.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_two_callers_both_protected.yml:16:9:22:2 | Run Step |
+| .github/workflows/untrusted_checkout_two_callers_both_protected.yml:30:9:38:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_two_callers_both_protected.yml:38:9:44:2 | Run Step |
 | .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step |
 | .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step |
 | .github/workflows/workflow_run_untrusted_checkout_3.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_3.yml:16:9:18:31 | Uses Step |
@@ -344,6 +357,9 @@ edges
 | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
 | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
 | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | pull_request_target |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:14:9:17:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout_permission_check_reusable2.yml:2:3:2:21 | pull_request_target | pull_request_target |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:14:9:17:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout_permission_check_reusable_branching_nested.yml:2:3:2:21 | pull_request_target | pull_request_target |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:14:9:17:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout_permission_check_reusable_no_needs.yml:2:3:2:21 | pull_request_target | pull_request_target |
 | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | pull_request_target |
 | .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/label_trusted_checkout2.yml:2:3:2:21 | pull_request_target | pull_request_target |
@@ -377,3 +393,5 @@ edges
 | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment |
 | .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target |
 | .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target |
+| .github/workflows/untrusted_checkout_no_needs.yml:26:9:31:6 | Uses Step | .github/workflows/untrusted_checkout_no_needs.yml:26:9:31:6 | Uses Step | .github/workflows/untrusted_checkout_no_needs.yml:31:9:31:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout_no_needs.yml:2:3:2:21 | pull_request_target | pull_request_target |
+| .github/workflows/untrusted_checkout_permissions_check.yml:36:9:41:6 | Uses Step | .github/workflows/untrusted_checkout_permissions_check.yml:36:9:41:6 | Uses Step | .github/workflows/untrusted_checkout_permissions_check.yml:41:9:41:22 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout_permissions_check.yml:2:3:2:21 | pull_request_target | pull_request_target |

csharp/ql/src/Dead Code/DeadStoreOfLocal.ql

@@ -14,54 +14,6 @@
 
 import csharp
 
-/**
- * Gets a callable that either directly captures local variable `v`, or which
- * is enclosed by the callable that declares `v` and encloses a callable that
- * captures `v`.
- */
-Callable getACapturingCallableAncestor(LocalVariable v) {
-  result = v.getACapturingCallable()
-  or
-  exists(Callable mid | mid = getACapturingCallableAncestor(v) |
-    result = mid.getEnclosingCallable() and
-    not v.getEnclosingCallable() = result
-  )
-}
-
-Expr getADelegateExpr(Callable c) {
-  c = result.(CallableAccess).getTarget()
-  or
-  result = c.(AnonymousFunctionExpr)
-}
-
-/**
- * Holds if `c` is a call where any delegate argument is evaluated immediately.
- */
-predicate nonEscapingCall(Call c) {
-  exists(string name | c.getTarget().hasName(name) |
-    name =
-      [
-        "ForEach", "Count", "Any", "All", "Average", "Aggregate", "First", "Last", "FirstOrDefault",
-        "LastOrDefault", "LongCount", "Max", "Single", "SingleOrDefault", "Sum"
-      ]
-  )
-}
-
-/**
- * Holds if `v` is a captured local variable, and one of the callables capturing
- * `v` may escape the local scope.
- */
-predicate mayEscape(LocalVariable v) {
-  exists(Callable c, Expr e, Expr succ | c = getACapturingCallableAncestor(v) |
-    e = getADelegateExpr(c) and
-    DataFlow::localExprFlow(e, succ) and
-    not succ = any(DelegateCall dc).getExpr() and
-    not succ = any(Cast cast).getExpr() and
-    not succ = any(Call call | nonEscapingCall(call)).getAnArgument() and
-    not succ = any(AssignableDefinition ad | ad.getTarget() instanceof LocalVariable).getSource()
-  )
-}
-
 class RelevantDefinition extends AssignableDefinition {
   RelevantDefinition() {
     this.(AssignableDefinitions::AssignmentDefinition).getAssignment() =
@@ -94,8 +46,6 @@ class RelevantDefinition extends AssignableDefinition {
       // SSA definitions are only created for live variables
       this = any(SsaExplicitWrite ssaDef).getDefinition()
       or
-      mayEscape(v)
-      or
       v.isCaptured()
     )
   }

docs/codeql/reusables/supported-versions-compilers.rst

@@ -21,7 +21,7 @@
    Java,"Java 7 to 26 [6]_","javac (OpenJDK and Oracle JDK),
 
    Eclipse compiler for Java (ECJ) [7]_",``.java``
-   Kotlin,"Kotlin 1.8.0 to 2.3.2\ *x*","kotlinc",``.kt``
+   Kotlin,"Kotlin 1.8.0 to 2.4.0\ *x*","kotlinc",``.kt``
    JavaScript,ECMAScript 2022 or lower,Not applicable,"``.js``, ``.jsx``, ``.mjs``, ``.es``, ``.es6``, ``.htm``, ``.html``, ``.xhtm``, ``.xhtml``, ``.vue``, ``.hbs``, ``.ejs``, ``.njk``, ``.json``, ``.yaml``, ``.yml``, ``.raml``, ``.xml`` [8]_"
    Python [9]_,"2.7, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11, 3.12, 3.13",Not applicable,``.py``
    Ruby [10]_,"up to 3.3",Not applicable,"``.rb``, ``.erb``, ``.gemspec``, ``Gemfile``"

java/kotlin-extractor/BUILD.bazel

@@ -53,6 +53,10 @@ _extractor_name_prefix = "%s-%s" % (
     "embeddable" if _for_embeddable else "standalone",
 )
 
+_compiler_plugin_registrar_service_source = "src/main/resources/META-INF/services/org.jetbrains.kotlin.compiler.plugin.CompilerPluginRegistrar"
+
+_compiler_plugin_registrar_service_target = "META-INF/services/org.jetbrains.kotlin.compiler.plugin.CompilerPluginRegistrar"
+
 py_binary(
     name = "generate_dbscheme",
     srcs = ["generate_dbscheme.py"],
@@ -64,8 +68,14 @@ _resources = [
         r[len("src/main/resources/"):],
     )
     for r in glob(["src/main/resources/**"])
+    if r != _compiler_plugin_registrar_service_source
 ]
 
+_compiler_plugin_registrar_service = (
+    _compiler_plugin_registrar_service_source,
+    _compiler_plugin_registrar_service_target,
+)
+
 kt_javac_options(
     name = "javac-options",
     release = "8",
@@ -91,19 +101,32 @@ kt_javac_options(
         # * `resource_strip_prefix` is unique per jar, so we must also put other resources under the same version prefix
         genrule(
             name = "resources-%s" % v,
-            srcs = [src for src, _ in _resources],
+            srcs = [src for src, _ in _resources] + (
+                [_compiler_plugin_registrar_service[0]] if not version_less(v, "2.4.0") else []
+            ),
             outs = [
                 "%s/com/github/codeql/extractor.name" % v,
             ] + [
                 "%s/%s" % (v, target)
                 for _, target in _resources
-            ],
+            ] + (
+                ["%s/%s" % (
+                    v,
+                    _compiler_plugin_registrar_service[1],
+                )] if not version_less(v, "2.4.0") else []
+            ),
             cmd = "\n".join([
                 "echo %s-%s > $(RULEDIR)/%s/com/github/codeql/extractor.name" % (_extractor_name_prefix, v, v),
             ] + [
                 "cp $(execpath %s) $(RULEDIR)/%s/%s" % (source, v, target)
                 for source, target in _resources
-            ]),
+            ] + (
+                ["cp $(execpath %s) $(RULEDIR)/%s/%s" % (
+                    _compiler_plugin_registrar_service[0],
+                    v,
+                    _compiler_plugin_registrar_service[1],
+                )] if not version_less(v, "2.4.0") else []
+            )),
         ),
         kt_jvm_library(
             name = "%s-%s" % (_extractor_name_prefix, v),

java/kotlin-extractor/dev/wrapper.py

@@ -27,7 +27,7 @@ import shutil
 import io
 import os
 
-DEFAULT_VERSION = "2.3.20"
+DEFAULT_VERSION = "2.4.0"
 
 
 def options():

java/kotlin-extractor/src/main/kotlin/KotlinExtractorComponentRegistrar.kt

@@ -3,32 +3,21 @@
 
 package com.github.codeql
 
-import com.intellij.mock.MockProject
-import com.intellij.openapi.extensions.LoadingOrder
-import org.jetbrains.kotlin.backend.common.extensions.IrGenerationExtension
 import org.jetbrains.kotlin.config.CompilerConfiguration
 
 class KotlinExtractorComponentRegistrar : Kotlin2ComponentRegistrar() {
-    override fun registerProjectComponents(
+    override fun doRegisterExtensions(configuration: CompilerConfiguration) {
-        project: MockProject,
-        configuration: CompilerConfiguration
-    ) {
         val invocationTrapFile = configuration[KEY_INVOCATION_TRAP_FILE]
         if (invocationTrapFile == null) {
             throw Exception("Required argument for TRAP invocation file not given")
         }
-        // Register with LoadingOrder.LAST to ensure the extractor runs after other
+        registerExtractorExtension(
-        // IR generation plugins (like kotlinx.serialization) have generated their code.
-        val extensionPoint = project.extensionArea.getExtensionPoint(IrGenerationExtension.extensionPointName)
-        extensionPoint.registerExtension(
             KotlinExtractorExtension(
                 invocationTrapFile,
                 configuration[KEY_CHECK_TRAP_IDENTICAL] ?: false,
                 configuration[KEY_COMPILATION_STARTTIME],
                 configuration[KEY_EXIT_AFTER_EXTRACTION] ?: false
-            ),
+            )
-            LoadingOrder.LAST,
-            project
         )
     }
 }

java/kotlin-extractor/src/main/kotlin/KotlinFileExtractor.kt

@@ -173,9 +173,9 @@ open class KotlinFileExtractor(
         when (d) {
             is IrFunction ->
                 when (d.name.asString()) {
-                    "toString" -> d.valueParameters.isEmpty()
+                    "toString" -> d.codeQlValueParameters.isEmpty()
-                    "hashCode" -> d.valueParameters.isEmpty()
+                    "hashCode" -> d.codeQlValueParameters.isEmpty()
-                    "equals" -> d.valueParameters.singleOrNull()?.type?.isNullableAny() ?: false
+                    "equals" -> d.codeQlValueParameters.singleOrNull()?.type?.isNullableAny() ?: false
                     else -> false
                 } && isJavaBinaryDeclaration(d)
             else -> false
@@ -721,7 +721,7 @@ open class KotlinFileExtractor(
             (it.type as? IrSimpleType)?.classFqName?.asString() != "kotlin.Deprecated"
         } +
             // Note we lose any arguments to @java.lang.Deprecated that were written in source.
-            IrConstructorCallImpl.fromSymbolOwner(
+            codeQlAnnotationFromSymbolOwner(
                 UNDEFINED_OFFSET,
                 UNDEFINED_OFFSET,
                 jldConstructor.returnType,
@@ -781,13 +781,13 @@ open class KotlinFileExtractor(
         val locId = tw.getLocation(constructorCall)
         tw.writeHasLocation(id, locId)
 
-        for (i in 0 until constructorCall.valueArgumentsCount) {
+        for (i in 0 until constructorCall.codeQlValueArgumentsCount) {
-            val param = constructorCall.symbol.owner.valueParameters[i]
+            val param = constructorCall.symbol.owner.codeQlValueParameters[i]
             val prop =
                 constructorCall.symbol.owner.parentAsClass.declarations
                     .filterIsInstance<IrProperty>()
                     .first { it.name == param.name }
-            val v = constructorCall.getValueArgument(i) ?: param.defaultValue?.expression
+            val v = constructorCall.codeQlGetValueArgument(i) ?: param.defaultValue?.expression
             val getter = prop.getter
             if (getter == null) {
                 logger.warnElement("Expected annotation property to define a getter", prop)
@@ -1115,9 +1115,9 @@ open class KotlinFileExtractor(
                         returnId,
                         0,
                         returnId,
-                        f.valueParameters.size,
+                        f.codeQlValueParameters.size,
                         { argParent, idxOffset ->
-                            f.valueParameters.forEachIndexed { idx, param ->
+                            f.codeQlValueParameters.forEachIndexed { idx, param ->
                                 val syntheticParamId = useValueParameter(param, proxyFunctionId)
                                 extractVariableAccess(
                                     syntheticParamId,
@@ -1695,9 +1695,9 @@ open class KotlinFileExtractor(
                             returnId,
                             0,
                             returnId,
-                            f.valueParameters.size,
+                            f.codeQlValueParameters.size,
                             { argParentId, idxOffset ->
-                                f.valueParameters.mapIndexed { idx, param ->
+                                f.codeQlValueParameters.mapIndexed { idx, param ->
                                     val syntheticParamId = useValueParameter(param, functionId)
                                     extractVariableAccess(
                                         syntheticParamId,
@@ -1792,7 +1792,7 @@ open class KotlinFileExtractor(
         extractBody: Boolean,
         extractMethodAndParameterTypeAccesses: Boolean
     ) {
-        if (f.valueParameters.none { it.defaultValue != null }) return
+        if (f.codeQlValueParameters.none { it.defaultValue != null }) return
 
         val id = getDefaultsMethodLabel(f)
         if (id == null) {
@@ -1800,7 +1800,7 @@ open class KotlinFileExtractor(
             return
         }
         val locId = getLocation(f, null)
-        val extReceiver = f.extensionReceiverParameter
+        val extReceiver = f.codeQlExtensionReceiverParameter
         val dispatchReceiver = if (f.shouldExtractAsStatic) null else f.dispatchReceiverParameter
         val parameterTypes = getDefaultsMethodArgTypes(f)
         val allParamTypeResults =
@@ -1869,7 +1869,7 @@ open class KotlinFileExtractor(
         tw.writeCompiler_generated(id, CompilerGeneratedKinds.DEFAULT_ARGUMENTS_METHOD.kind)
 
         if (extractBody) {
-            val nonSyntheticParams = listOfNotNull(dispatchReceiver) + f.valueParameters
+            val nonSyntheticParams = listOfNotNull(dispatchReceiver) + f.codeQlValueParameters
             // This stack entry represents as if we're extracting the 'real' function `f`, giving
             // the indices of its non-synthetic parameters
             // such that when we extract the default expressions below, any reference to f's nth
@@ -1895,12 +1895,12 @@ open class KotlinFileExtractor(
                     val realParamsVarId = getValueParameterLabel(id, parameterTypes.size - 2)
                     val intType = pluginContext.irBuiltIns.intType
                     val paramIdxOffset =
-                        listOf(dispatchReceiver, f.extensionReceiverParameter).count { it != null }
+                        listOf(dispatchReceiver, f.codeQlExtensionReceiverParameter).count { it != null }
                     extractBlockBody(id, locId).also { blockId ->
                         var nextStmt = 0
                         // For each parameter with a default, sub in the default value if the caller
                         // hasn't supplied a value:
-                        f.valueParameters.forEachIndexed { paramIdx, param ->
+                        f.codeQlValueParameters.forEachIndexed { paramIdx, param ->
                             val defaultVal = param.defaultValue
                             if (defaultVal != null) {
                                 extractIfStmt(locId, blockId, nextStmt++, id).also { ifId ->
@@ -1975,7 +1975,7 @@ open class KotlinFileExtractor(
                                     id
                                 )
                                 tw.writeHasLocation(thisCallId, locId)
-                                f.valueParameters.forEachIndexed { idx, param ->
+                                f.codeQlValueParameters.forEachIndexed { idx, param ->
                                     extractVariableAccess(
                                         tw.getLabelFor<DbParam>(getValueParameterLabel(id, idx)),
                                         param.type,
@@ -2003,9 +2003,9 @@ open class KotlinFileExtractor(
                                     )
                                     .also { thisCallId ->
                                         val realFnIdxOffset =
-                                            if (f.extensionReceiverParameter != null) 1 else 0
+                                            if (f.codeQlExtensionReceiverParameter != null) 1 else 0
                                         val paramMappings =
-                                            f.valueParameters.mapIndexed { idx, param ->
+                                            f.codeQlValueParameters.mapIndexed { idx, param ->
                                                 Triple(
                                                     param.type,
                                                     idx + paramIdxOffset,
@@ -2156,7 +2156,7 @@ open class KotlinFileExtractor(
                         val dispatchReceiver =
                             f.dispatchReceiverParameter?.let { IrGetValueImpl(-1, -1, it.symbol) }
                         val extensionReceiver =
-                            f.extensionReceiverParameter?.let { IrGetValueImpl(-1, -1, it.symbol) }
+                            f.codeQlExtensionReceiverParameter?.let { IrGetValueImpl(-1, -1, it.symbol) }
 
                         extractExpressionBody(overloadId, realFunctionLocId).also { returnId ->
                             extractsDefaultsCall(
@@ -2180,28 +2180,28 @@ open class KotlinFileExtractor(
         if (!f.hasAnnotation(jvmOverloadsFqName)) {
             if (
                 f is IrConstructor &&
-                    f.valueParameters.isNotEmpty() &&
+                    f.codeQlValueParameters.isNotEmpty() &&
-                    f.valueParameters.all { it.defaultValue != null } &&
+                    f.codeQlValueParameters.all { it.defaultValue != null } &&
                     f.parentClassOrNull?.let {
                         // Don't create a default constructor for an annotation class, or a class
                         // that explicitly declares a no-arg constructor.
                         !it.isAnnotationClass &&
                             it.declarations.none { d ->
-                                d is IrConstructor && d.valueParameters.isEmpty()
+                                d is IrConstructor && d.codeQlValueParameters.isEmpty()
                             }
                     } == true
             ) {
                 // Per https://kotlinlang.org/docs/classes.html#creating-instances-of-classes, a
                 // single default overload gets created specifically
                 // when we have all default parameters, regardless of `@JvmOverloads`.
-                extractGeneratedOverload(f.valueParameters.map { _ -> null })
+                extractGeneratedOverload(f.codeQlValueParameters.map { _ -> null })
             }
             return
         }
 
-        val paramList: MutableList<IrValueParameter?> = f.valueParameters.toMutableList()
+        val paramList: MutableList<IrValueParameter?> = f.codeQlValueParameters.toMutableList()
-        for (n in (f.valueParameters.size - 1) downTo 0) {
+        for (n in (f.codeQlValueParameters.size - 1) downTo 0) {
-            if (f.valueParameters[n].defaultValue != null) {
+            if (f.codeQlValueParameters[n].defaultValue != null) {
                 paramList[n] = null // Remove this parameter, to be replaced by a default value
                 extractGeneratedOverload(paramList)
             }
@@ -2327,7 +2327,7 @@ open class KotlinFileExtractor(
             getClassByFqName(pluginContext, it)?.let { annotationClass ->
                 annotationClass.owner.declarations.firstIsInstanceOrNull<IrConstructor>()?.let {
                     annotationConstructor ->
-                    IrConstructorCallImpl.fromSymbolOwner(
+                    codeQlAnnotationFromSymbolOwner(
                         UNDEFINED_OFFSET,
                         UNDEFINED_OFFSET,
                         annotationConstructor.returnType,
@@ -2388,13 +2388,13 @@ open class KotlinFileExtractor(
                             id
                         }
 
-                val extReceiver = f.extensionReceiverParameter
+                val extReceiver = f.codeQlExtensionReceiverParameter
                 // The following parameter order is correct, because member $default methods (where
                 // the order would be [dispatchParam], [extensionParam], normalParams) are not
                 // extracted here
                 val fParameters =
                     listOfNotNull(extReceiver) +
-                        (overriddenAttributes?.valueParameters ?: f.valueParameters)
+                        (overriddenAttributes?.valueParameters ?: f.codeQlValueParameters)
                 val paramTypes =
                     fParameters.mapIndexed { i, vp ->
                         extractValueParameter(
@@ -3069,14 +3069,14 @@ open class KotlinFileExtractor(
             logger.errorElement("Unexpected dispatch receiver found", c)
         }
 
-        if (c.valueArgumentsCount < 1) {
+        if (c.codeQlValueArgumentsCount < 1) {
             logger.errorElement("No arguments found", c)
             return
         }
 
         extractArgument(id, c, callable, enclosingStmt, 0, "Operand null")
 
-        if (c.valueArgumentsCount > 1) {
+        if (c.codeQlValueArgumentsCount > 1) {
             logger.errorElement("Extra arguments found", c)
         }
     }
@@ -3095,21 +3095,21 @@ open class KotlinFileExtractor(
             logger.errorElement("Unexpected dispatch receiver found", c)
         }
 
-        if (c.valueArgumentsCount < 1) {
+        if (c.codeQlValueArgumentsCount < 1) {
             logger.errorElement("No arguments found", c)
             return
         }
 
         extractArgument(id, c, callable, enclosingStmt, 0, "LHS null")
 
-        if (c.valueArgumentsCount < 2) {
+        if (c.codeQlValueArgumentsCount < 2) {
             logger.errorElement("No RHS found", c)
             return
         }
 
         extractArgument(id, c, callable, enclosingStmt, 1, "RHS null")
 
-        if (c.valueArgumentsCount > 2) {
+        if (c.codeQlValueArgumentsCount > 2) {
             logger.errorElement("Extra arguments found", c)
         }
     }
@@ -3122,7 +3122,7 @@ open class KotlinFileExtractor(
         idx: Int,
         msg: String
     ) {
-        val op = c.getValueArgument(idx)
+        val op = c.codeQlGetValueArgument(idx)
         if (op == null) {
             logger.errorElement(msg, c)
         } else {
@@ -3267,8 +3267,8 @@ open class KotlinFileExtractor(
         // and which should be replaced by defaults. The final Object parameter is apparently always
         // null.
         (listOfNotNull(if (f.shouldExtractAsStatic) null else f.dispatchReceiverParameter?.type) +
-                listOfNotNull(f.extensionReceiverParameter?.type) +
+                listOfNotNull(f.codeQlExtensionReceiverParameter?.type) +
-                f.valueParameters.map { it.type } +
+                f.codeQlValueParameters.map { it.type } +
                 listOf(pluginContext.irBuiltIns.intType, getDefaultsMethodLastArgType(f)))
             .map { erase(it) }
 
@@ -3345,7 +3345,7 @@ open class KotlinFileExtractor(
         val overriddenCallTarget =
             (callTarget as? IrSimpleFunction)?.allOverridden(includeSelf = true)?.firstOrNull {
                 it.overriddenSymbols.isEmpty() &&
-                    it.valueParameters.any { p -> p.defaultValue != null }
+                    it.codeQlValueParameters.any { p -> p.defaultValue != null }
             } ?: callTarget
         if (isExternalDeclaration(overriddenCallTarget)) {
             // Likewise, ensure the overridden target gets extracted.
@@ -3419,7 +3419,7 @@ open class KotlinFileExtractor(
         }
 
         val valueArgsWithDummies =
-            valueArguments.zip(callTarget.valueParameters).map { (expr, param) ->
+            valueArguments.zip(callTarget.codeQlValueParameters).map { (expr, param) ->
                 expr ?: IrConstImpl.defaultValueForType(0, 0, param.type)
             }
 
@@ -3529,7 +3529,7 @@ open class KotlinFileExtractor(
         callTarget: IrFunction,
         valueArguments: List<IrExpression?>
     ): Boolean {
-        val varargParam = callTarget.valueParameters.withIndex().find { it.value.isVararg }
+        val varargParam = callTarget.codeQlValueParameters.withIndex().find { it.value.isVararg }
         // If the vararg param is the only one not specified, and it has no default value, then we
         // don't need to call a $default method,
         // as omitting it already implies passing an empty vararg array.
@@ -3805,7 +3805,7 @@ open class KotlinFileExtractor(
     ) =
         extractCallValueArguments(
             callId,
-            (0 until call.valueArgumentsCount).map { call.getValueArgument(it) },
+            (0 until call.codeQlValueArgumentsCount).map { call.codeQlGetValueArgument(it) },
             enclosingStmt,
             enclosingCallable,
             idxOffset
@@ -3874,7 +3874,7 @@ open class KotlinFileExtractor(
                     (owner.parentClassOrNull?.fqNameWhenAvailable?.asString() == type ||
                         (owner.parent is IrExternalPackageFragment &&
                             getFileClassFqName(owner)?.asString() == type)) &&
-                        owner.valueParameters
+                        owner.codeQlValueParameters
                             .map { it.type.classFqName?.asString() }
                             .toTypedArray() contentEquals parameterTypes
                 }
@@ -3926,8 +3926,8 @@ open class KotlinFileExtractor(
         val result =
             javaLangString?.declarations?.findSubType<IrFunction> {
                 it.name.asString() == "valueOf" &&
-                    it.valueParameters.size == 1 &&
+                    it.codeQlValueParameters.size == 1 &&
-                    it.valueParameters[0].type == pluginContext.irBuiltIns.anyNType
+                    it.codeQlValueParameters[0].type == pluginContext.irBuiltIns.anyNType
             }
         if (result == null) {
             logger.error("Couldn't find declaration java.lang.String.valueOf(Object)")
@@ -3951,7 +3951,7 @@ open class KotlinFileExtractor(
     val kotlinNoWhenBranchMatchedConstructor by lazy {
         val result =
             kotlinNoWhenBranchMatchedExn?.declarations?.findSubType<IrConstructor> {
-                it.valueParameters.isEmpty()
+                it.codeQlValueParameters.isEmpty()
             }
         if (result == null) {
             logger.error("Couldn't find no-arg constructor for kotlin.NoWhenBranchMatchedException")
@@ -3990,7 +3990,7 @@ open class KotlinFileExtractor(
             verboseln("No match as function name is ${target.name.asString()} not $fName")
             return false
         }
-        val extensionReceiverParameter = target.extensionReceiverParameter
+        val extensionReceiverParameter = target.codeQlExtensionReceiverParameter
         val targetClass =
             if (extensionReceiverParameter == null) {
                 if (isNullable == true) {
@@ -4098,8 +4098,8 @@ open class KotlinFileExtractor(
             ) {
                 val typeArgs =
                     if (extractMethodTypeArguments)
-                        (0 until c.typeArgumentsCount)
+                        (0 until c.codeQlTypeArgumentsCount)
-                            .map { c.getTypeArgument(it) }
+                            .map { c.codeQlGetTypeArgument(it) }
                             .requireNoNullsOrNull()
                     else listOf()
 
@@ -4116,9 +4116,9 @@ open class KotlinFileExtractor(
                     parent,
                     idx,
                     enclosingStmt,
-                    (0 until c.valueArgumentsCount).map { c.getValueArgument(it) },
+                    (0 until c.codeQlValueArgumentsCount).map { c.codeQlGetValueArgument(it) },
                     c.dispatchReceiver,
-                    c.extensionReceiver,
+                    c.codeQlExtensionReceiver,
                     typeArgs,
                     extractClassTypeArguments,
                     c.superQualifierSymbol
@@ -4126,12 +4126,12 @@ open class KotlinFileExtractor(
             }
 
             fun extractSpecialEnumFunction(fnName: String) {
-                if (c.typeArgumentsCount != 1) {
+                if (c.codeQlTypeArgumentsCount != 1) {
                     logger.errorElement("Expected to find exactly one type argument", c)
                     return
                 }
 
-                val enumType = (c.getTypeArgument(0) as? IrSimpleType)?.classifier?.owner
+                val enumType = (c.codeQlGetTypeArgument(0) as? IrSimpleType)?.classifier?.owner
                 if (enumType == null) {
                     logger.errorElement("Couldn't find type of enum type", c)
                     return
@@ -4178,13 +4178,13 @@ open class KotlinFileExtractor(
                 } else {
                     extractExpressionExpr(receiver, callable, id, 0, enclosingStmt)
                 }
-                if (c.valueArgumentsCount < 1) {
+                if (c.codeQlValueArgumentsCount < 1) {
                     logger.errorElement("No RHS found", c)
                 } else {
-                    if (c.valueArgumentsCount > 1) {
+                    if (c.codeQlValueArgumentsCount > 1) {
                         logger.errorElement("Extra arguments found", c)
                     }
-                    val arg = c.getValueArgument(0)
+                    val arg = c.codeQlGetValueArgument(0)
                     if (arg == null) {
                         logger.errorElement("RHS null", c)
                     } else {
@@ -4205,7 +4205,7 @@ open class KotlinFileExtractor(
                 } else {
                     extractExpressionExpr(receiver, callable, id, 0, enclosingStmt)
                 }
-                if (c.valueArgumentsCount > 0) {
+                if (c.codeQlValueArgumentsCount > 0) {
                     logger.errorElement("Extra arguments found", c)
                 }
             }
@@ -4219,7 +4219,7 @@ open class KotlinFileExtractor(
             }
 
             fun binopExt(id: Label<out DbExpr>) {
-                binopReceiver(id, c.extensionReceiver, "Extension receiver")
+                binopReceiver(id, c.codeQlExtensionReceiver, "Extension receiver")
             }
 
             fun unaryopDisp(id: Label<out DbExpr>) {
@@ -4227,7 +4227,7 @@ open class KotlinFileExtractor(
             }
 
             fun unaryopExt(id: Label<out DbExpr>) {
-                unaryopReceiver(id, c.extensionReceiver, "Extension receiver")
+                unaryopReceiver(id, c.codeQlExtensionReceiver, "Extension receiver")
             }
 
             val dr = c.dispatchReceiver
@@ -4249,7 +4249,7 @@ open class KotlinFileExtractor(
                             parent,
                             idx,
                             enclosingStmt,
-                            listOf(c.extensionReceiver, c.getValueArgument(0)),
+                            listOf(c.codeQlExtensionReceiver, c.codeQlGetValueArgument(0)),
                             null,
                             null
                         )
@@ -4350,7 +4350,7 @@ open class KotlinFileExtractor(
                 // != gets desugared into not and ==. Here we resugar it.
                 c.origin == IrStatementOrigin.EXCLEQ &&
                     isFunction(target, "kotlin", "Boolean", "not") &&
-                    c.valueArgumentsCount == 0 &&
+                    c.codeQlValueArgumentsCount == 0 &&
                     dr != null &&
                     dr is IrCall &&
                     isBuiltinCallInternal(dr, "EQEQ") -> {
@@ -4362,7 +4362,7 @@ open class KotlinFileExtractor(
                 }
                 c.origin == IrStatementOrigin.EXCLEQEQ &&
                     isFunction(target, "kotlin", "Boolean", "not") &&
-                    c.valueArgumentsCount == 0 &&
+                    c.codeQlValueArgumentsCount == 0 &&
                     dr != null &&
                     dr is IrCall &&
                     isBuiltinCallInternal(dr, "EQEQEQ") -> {
@@ -4374,7 +4374,7 @@ open class KotlinFileExtractor(
                 }
                 c.origin == IrStatementOrigin.EXCLEQ &&
                     isFunction(target, "kotlin", "Boolean", "not") &&
-                    c.valueArgumentsCount == 0 &&
+                    c.codeQlValueArgumentsCount == 0 &&
                     dr != null &&
                     dr is IrCall &&
                     isBuiltinCallInternal(dr, "ieee754equals") -> {
@@ -4576,7 +4576,7 @@ open class KotlinFileExtractor(
                             parent,
                             idx,
                             enclosingStmt,
-                            listOf(c.extensionReceiver),
+                            listOf(c.codeQlExtensionReceiver),
                             null,
                             null
                         )
@@ -4596,8 +4596,8 @@ open class KotlinFileExtractor(
                     val locId = tw.getLocation(c)
                     extractExprContext(id, locId, callable, enclosingStmt)
 
-                    if (c.typeArgumentsCount == 1) {
+                    if (c.codeQlTypeArgumentsCount == 1) {
-                        val typeArgument = c.getTypeArgument(0)
+                        val typeArgument = c.codeQlGetTypeArgument(0)
                         if (typeArgument == null) {
                             logger.errorElement("Type argument missing in an arrayOfNulls call", c)
                         } else {
@@ -4618,8 +4618,8 @@ open class KotlinFileExtractor(
                         )
                     }
 
-                    if (c.valueArgumentsCount == 1) {
+                    if (c.codeQlValueArgumentsCount == 1) {
-                        val dim = c.getValueArgument(0)
+                        val dim = c.codeQlGetValueArgument(0)
                         if (dim != null) {
                             extractExpressionExpr(dim, callable, id, 0, enclosingStmt)
                         } else {
@@ -4651,8 +4651,8 @@ open class KotlinFileExtractor(
                             c.type.getArrayElementTypeCodeQL(pluginContext.irBuiltIns)
                         } else {
                             // TODO: is there any reason not to always use getArrayElementTypeCodeQL?
-                            if (c.typeArgumentsCount == 1) {
+                            if (c.codeQlTypeArgumentsCount == 1) {
-                                c.getTypeArgument(0).also {
+                                c.codeQlGetTypeArgument(0).also {
                                     if (it == null) {
                                         logger.errorElement(
                                             "Type argument missing in an arrayOf call",
@@ -4670,7 +4670,7 @@ open class KotlinFileExtractor(
                         }
 
                     val arg =
-                        if (c.valueArgumentsCount == 1) c.getValueArgument(0)
+                        if (c.codeQlValueArgumentsCount == 1) c.codeQlGetValueArgument(0)
                             else {
                                 logger.errorElement(
                                     "Expected to find only one (vararg) argument in ${c.symbol.owner.name.asString()} call",
@@ -4719,7 +4719,7 @@ open class KotlinFileExtractor(
                                 return
                             }
 
-                            val ext = c.extensionReceiver
+                            val ext = c.codeQlExtensionReceiver
                             if (ext == null) {
                                 logger.errorElement(
                                     "No extension receiver found for `KClass::java` call",
@@ -4826,8 +4826,8 @@ open class KotlinFileExtractor(
                     c.origin == IrStatementOrigin.EQ &&
                     c.dispatchReceiver != null -> {
                     val array = c.dispatchReceiver
-                    val arrayIdx = c.getValueArgument(0)
+                    val arrayIdx = c.codeQlGetValueArgument(0)
-                    val assignedValue = c.getValueArgument(1)
+                    val assignedValue = c.codeQlGetValueArgument(1)
 
                     if (array != null && arrayIdx != null && assignedValue != null) {
 
@@ -4882,22 +4882,22 @@ open class KotlinFileExtractor(
                 }
                 isBuiltinCall(c, "<unsafe-coerce>", "kotlin.jvm.internal") -> {
 
-                    if (c.valueArgumentsCount != 1) {
+                    if (c.codeQlValueArgumentsCount != 1) {
                         logger.errorElement(
-                            "Expected to find one argument for a kotlin.jvm.internal.<unsafe-coerce>() call, but found ${c.valueArgumentsCount}",
+                            "Expected to find one argument for a kotlin.jvm.internal.<unsafe-coerce>() call, but found ${c.codeQlValueArgumentsCount}",
                             c
                         )
                         return
                     }
 
-                    if (c.typeArgumentsCount != 2) {
+                    if (c.codeQlTypeArgumentsCount != 2) {
                         logger.errorElement(
-                            "Expected to find two type arguments for a kotlin.jvm.internal.<unsafe-coerce>() call, but found ${c.typeArgumentsCount}",
+                            "Expected to find two type arguments for a kotlin.jvm.internal.<unsafe-coerce>() call, but found ${c.codeQlTypeArgumentsCount}",
                             c
                         )
                         return
                     }
-                    val valueArg = c.getValueArgument(0)
+                    val valueArg = c.codeQlGetValueArgument(0)
                     if (valueArg == null) {
                         logger.errorElement(
                             "Cannot find value argument for a kotlin.jvm.internal.<unsafe-coerce>() call",
@@ -4905,7 +4905,7 @@ open class KotlinFileExtractor(
                         )
                         return
                     }
-                    val typeArg = c.getTypeArgument(1)
+                    val typeArg = c.codeQlGetTypeArgument(1)
                     if (typeArg == null) {
                         logger.errorElement(
                             "Cannot find type argument for a kotlin.jvm.internal.<unsafe-coerce>() call",
@@ -4924,7 +4924,7 @@ open class KotlinFileExtractor(
                     extractExpressionExpr(valueArg, callable, id, 1, enclosingStmt)
                 }
                 isBuiltinCallInternal(c, "dataClassArrayMemberToString") -> {
-                    val arrayArg = c.getValueArgument(0)
+                    val arrayArg = c.codeQlGetValueArgument(0)
                     val realArrayClass = arrayArg?.type?.classOrNull
                     if (realArrayClass == null) {
                         logger.errorElement(
@@ -4936,8 +4936,8 @@ open class KotlinFileExtractor(
                     val realCallee =
                         javaUtilArrays?.declarations?.findSubType<IrFunction> { decl ->
                             decl.name.asString() == "toString" &&
-                                decl.valueParameters.size == 1 &&
+                                decl.codeQlValueParameters.size == 1 &&
-                                decl.valueParameters[0].type.classOrNull?.let {
+                                decl.codeQlValueParameters[0].type.classOrNull?.let {
                                     it == realArrayClass
                                 } == true
                         }
@@ -4962,7 +4962,7 @@ open class KotlinFileExtractor(
                     }
                 }
                 isBuiltinCallInternal(c, "dataClassArrayMemberHashCode") -> {
-                    val arrayArg = c.getValueArgument(0)
+                    val arrayArg = c.codeQlGetValueArgument(0)
                     val realArrayClass = arrayArg?.type?.classOrNull
                     if (realArrayClass == null) {
                         logger.errorElement(
@@ -4974,8 +4974,8 @@ open class KotlinFileExtractor(
                     val realCallee =
                         javaUtilArrays?.declarations?.findSubType<IrFunction> { decl ->
                             decl.name.asString() == "hashCode" &&
-                                decl.valueParameters.size == 1 &&
+                                decl.codeQlValueParameters.size == 1 &&
-                                decl.valueParameters[0].type.classOrNull?.let {
+                                decl.codeQlValueParameters[0].type.classOrNull?.let {
                                     it == realArrayClass
                                 } == true
                         }
@@ -5155,7 +5155,7 @@ open class KotlinFileExtractor(
         val type = useType(eType)
         val isAnonymous = eType.isAnonymous
         val locId = tw.getLocation(e)
-        val valueArgs = (0 until e.valueArgumentsCount).map { e.getValueArgument(it) }
+        val valueArgs = (0 until e.codeQlValueArgumentsCount).map { e.codeQlGetValueArgument(it) }
 
         val id =
             if (
@@ -5211,10 +5211,10 @@ open class KotlinFileExtractor(
                         realCallTarget is IrConstructor &&
                         realCallTarget.parentClassOrNull?.fqNameWhenAvailable?.asString() ==
                             "kotlin.Enum" &&
-                        realCallTarget.valueParameters.size == 2 &&
+                        realCallTarget.codeQlValueParameters.size == 2 &&
-                        realCallTarget.valueParameters[0].type ==
+                        realCallTarget.codeQlValueParameters[0].type ==
                             pluginContext.irBuiltIns.stringType &&
-                        realCallTarget.valueParameters[1].type == pluginContext.irBuiltIns.intType
+                        realCallTarget.codeQlValueParameters[1].type == pluginContext.irBuiltIns.intType
                 ) {
 
                     val id0 =
@@ -5287,7 +5287,7 @@ open class KotlinFileExtractor(
             }
 
             val args =
-                (0 until e.typeArgumentsCount).map { e.getTypeArgument(it) }.requireNoNullsOrNull()
+                (0 until e.codeQlTypeArgumentsCount).map { e.codeQlGetTypeArgument(it) }.requireNoNullsOrNull()
             if (args == null) {
                 logger.warnElement("Found null type argument in enum constructor call", e)
                 return
@@ -5365,7 +5365,7 @@ open class KotlinFileExtractor(
                 // Check for an expression like x = get(x).op(e):
                 val opReceiver = updateRhs.dispatchReceiver
                 if (isExpectedLhs(opReceiver)) {
-                    updateRhs.getValueArgument(0)
+                    updateRhs.codeQlGetValueArgument(0)
                 } else null
             } else null
         }
@@ -5560,7 +5560,7 @@ open class KotlinFileExtractor(
                                     "set"
                                 )
                             ) {
-                                val updateRhs0 = arraySetCall.getValueArgument(1)
+                                val updateRhs0 = arraySetCall.codeQlGetValueArgument(1)
                                 if (updateRhs0 == null) {
                                     logger.errorElement("Update RHS not found", e)
                                     return false
@@ -6403,12 +6403,12 @@ open class KotlinFileExtractor(
                     val ids = getLocallyVisibleFunctionLabels(e.function)
                     val locId = tw.getLocation(e)
 
-                    val ext = e.function.extensionReceiverParameter
+                    val ext = e.function.codeQlExtensionReceiverParameter
                     val parameters =
                         if (ext != null) {
-                            listOf(ext) + e.function.valueParameters
+                            listOf(ext) + e.function.codeQlValueParameters
                         } else {
-                            e.function.valueParameters
+                            e.function.codeQlValueParameters
                         }
 
                     var types = parameters.map { it.type }
@@ -6670,7 +6670,7 @@ open class KotlinFileExtractor(
                 is IrFunction -> {
                     if (
                         ownerParent.dispatchReceiverParameter == owner &&
-                            ownerParent.extensionReceiverParameter != null
+                            ownerParent.codeQlExtensionReceiverParameter != null
                     ) {
 
                         val ownerParent2 = ownerParent.parent
@@ -7089,7 +7089,7 @@ open class KotlinFileExtractor(
             makeReceiverInfo(callableReferenceExpr.dispatchReceiver, 0)
         private val extensionReceiverInfo =
             makeReceiverInfo(
-                callableReferenceExpr.extensionReceiver,
+                callableReferenceExpr.codeQlExtensionReceiver,
                 if (dispatchReceiverInfo == null) 0 else 1
             )
 
@@ -7627,8 +7627,8 @@ open class KotlinFileExtractor(
                     }
 
             val expressionTypeArguments =
-                (0 until propertyReferenceExpr.typeArgumentsCount).mapNotNull {
+                (0 until propertyReferenceExpr.codeQlTypeArgumentsCount).mapNotNull {
-                    propertyReferenceExpr.getTypeArgument(it)
+                    propertyReferenceExpr.codeQlGetTypeArgument(it)
                 }
 
             val idPropertyRef = tw.getFreshIdLabel<DbPropertyref>()
@@ -7829,7 +7829,7 @@ open class KotlinFileExtractor(
 
             if (
                 functionReferenceExpr.dispatchReceiver != null &&
-                    functionReferenceExpr.extensionReceiver != null
+                    functionReferenceExpr.codeQlExtensionReceiver != null
             ) {
                 logger.errorElement(
                     "Unexpected: dispatchReceiver and extensionReceiver are both non-null",
@@ -7840,7 +7840,7 @@ open class KotlinFileExtractor(
 
             if (
                 target.owner.dispatchReceiverParameter != null &&
-                    target.owner.extensionReceiverParameter != null
+                    target.owner.codeQlExtensionReceiverParameter != null
             ) {
                 logger.errorElement(
                     "Unexpected: dispatch and extension parameters are both non-null",
@@ -7899,8 +7899,8 @@ open class KotlinFileExtractor(
                             null
                         }
                 expressionTypeArguments =
-                    (0 until functionReferenceExpr.typeArgumentsCount).mapNotNull {
+                    (0 until functionReferenceExpr.codeQlTypeArgumentsCount).mapNotNull {
-                        functionReferenceExpr.getTypeArgument(it)
+                        functionReferenceExpr.codeQlGetTypeArgument(it)
                     }
                 dispatchReceiverIdx = -1
             }
@@ -7965,7 +7965,7 @@ open class KotlinFileExtractor(
                         functionReferenceExpr,
                         declarationParent,
                         null,
-                        { it.valueParameters.size == 1 }
+                        { it.codeQlValueParameters.size == 1 }
                     ) {
                         // The argument to FunctionReference's constructor is the function arity.
                         extractConstantInteger(
@@ -8572,7 +8572,7 @@ open class KotlinFileExtractor(
         reverse: Boolean = false
     ) {
         val typeArguments =
-            (0 until c.typeArgumentsCount).map { c.getTypeArgument(it) }.requireNoNullsOrNull()
+            (0 until c.codeQlTypeArgumentsCount).map { c.codeQlGetTypeArgument(it) }.requireNoNullsOrNull()
         if (typeArguments == null) {
             logger.errorElement("Found a null type argument for a member access expression", c)
         } else {
@@ -8923,11 +8923,11 @@ open class KotlinFileExtractor(
                     tw.writeVariableBinding(lhsId, fieldId)
 
                     val parameters = mutableListOf<IrValueParameter>()
-                    val extParam = samMember.extensionReceiverParameter
+                    val extParam = samMember.codeQlExtensionReceiverParameter
                     if (extParam != null) {
                         parameters.add(extParam)
                     }
-                    parameters.addAll(samMember.valueParameters)
+                    parameters.addAll(samMember.codeQlValueParameters)
 
                     fun extractArgument(
                         p: IrValueParameter,
@@ -9032,7 +9032,7 @@ open class KotlinFileExtractor(
         elementToReportOn: IrElement,
         declarationParent: IrDeclarationParent,
         compilerGeneratedKindOverride: CompilerGeneratedKinds? = null,
-        superConstructorSelector: (IrFunction) -> Boolean = { it.valueParameters.isEmpty() },
+        superConstructorSelector: (IrFunction) -> Boolean = { it.codeQlValueParameters.isEmpty() },
         extractSuperconstructorArgs: (Label<DbSuperconstructorinvocationstmt>) -> Unit = {},
     ): Label<out DbClassorinterface> {
         // Write class

java/kotlin-extractor/src/main/kotlin/KotlinUsesExtractor.kt

@@ -12,7 +12,7 @@ import org.jetbrains.kotlin.ir.ObsoleteDescriptorBasedAPI
 import org.jetbrains.kotlin.ir.declarations.*
 import org.jetbrains.kotlin.ir.expressions.*
 import org.jetbrains.kotlin.ir.symbols.*
-import org.jetbrains.kotlin.ir.types.addAnnotations
+import com.github.codeql.utils.versions.codeQlAddAnnotations
 import org.jetbrains.kotlin.ir.types.classFqName
 import org.jetbrains.kotlin.ir.types.classifierOrNull
 import org.jetbrains.kotlin.ir.types.classOrNull
@@ -355,7 +355,7 @@ open class KotlinUsesExtractor(
     }
 
     private fun propertySignature(p: IrProperty) =
-        ((p.getter ?: p.setter)?.extensionReceiverParameter?.let {
+        ((p.getter ?: p.setter)?.codeQlExtensionReceiverParameter?.let {
             useType(erase(it.type)).javaResult.signature
         } ?: "")
 
@@ -368,7 +368,7 @@ open class KotlinUsesExtractor(
                 // useDeclarationParent -> useFunction
                 // -> extractFunctionLaterIfExternalFileMember, which would result for `fun <T> f(t:
                 // T) { ... }` for example.
-                (listOfNotNull(d.extensionReceiverParameter) + d.valueParameters)
+                (listOfNotNull(d.codeQlExtensionReceiverParameter) + d.codeQlValueParameters)
                     .map { useType(erase(it.type)).javaResult.signature }
                     .joinToString(separator = ",", prefix = "(", postfix = ")")
             is IrProperty -> propertySignature(d) + externalClassExtractor.propertySignature
@@ -488,8 +488,8 @@ open class KotlinUsesExtractor(
             val result =
                 replacementClass.declarations.findSubType<IrSimpleFunction> { replacementDecl ->
                     replacementDecl.name == f.name &&
-                        replacementDecl.valueParameters.size == f.valueParameters.size &&
+                        replacementDecl.codeQlValueParameters.size == f.codeQlValueParameters.size &&
-                        replacementDecl.valueParameters.zip(f.valueParameters).all {
+                        replacementDecl.codeQlValueParameters.zip(f.codeQlValueParameters).all {
                             erase(it.first.type) == erase(it.second.type)
                         }
                 }
@@ -1265,7 +1265,7 @@ open class KotlinUsesExtractor(
     private fun getWildcardSuppressionDirective(t: IrAnnotationContainer): Boolean? =
         t.getAnnotation(jvmWildcardSuppressionAnnotation)?.let {
             @Suppress("USELESS_CAST") // `as? Boolean` is not needed for Kotlin < 2.1
-            (it.getValueArgument(0) as? CodeQLIrConst<Boolean>)?.value as? Boolean ?: true
+            (it.codeQlGetValueArgument(0) as? CodeQLIrConst<Boolean>)?.value as? Boolean ?: true
         }
 
     private fun addJavaLoweringArgumentWildcards(
@@ -1376,9 +1376,9 @@ open class KotlinUsesExtractor(
             f.parent,
             parentId,
             getFunctionShortName(f).nameInDB,
-            (maybeParameterList ?: f.valueParameters).map { it.type },
+            (maybeParameterList ?: f.codeQlValueParameters).map { it.type },
             getAdjustedReturnType(f),
-            f.extensionReceiverParameter?.type,
+            f.codeQlExtensionReceiverParameter?.type,
             getFunctionTypeParameters(f),
             classTypeArgsIncludingOuterClasses,
             overridesCollectionsMethodWithAlteredParameterTypes(f),
@@ -1401,12 +1401,12 @@ open class KotlinUsesExtractor(
         // The name of the function; normally f.name.asString().
         name: String,
         // The types of the value parameters that the functions takes; normally
-        // f.valueParameters.map { it.type }.
+        // f.codeQlValueParameters.map { it.type }.
         parameterTypes: List<IrType>,
         // The return type of the function; normally f.returnType.
         returnType: IrType,
         // The extension receiver of the function, if any; normally
-        // f.extensionReceiverParameter?.type.
+        // f.codeQlExtensionReceiverParameter?.type.
         extensionParamType: IrType?,
         // The type parameters of the function. This does not include type parameters of enclosing
         // classes.
@@ -1579,7 +1579,7 @@ open class KotlinUsesExtractor(
                 parentClass.fqNameWhenAvailable?.asString() !=
                     "java.util.concurrent.ConcurrentHashMap" ||
                 getFunctionShortName(f).nameInDB != "keySet" ||
-                f.valueParameters.isNotEmpty() ||
+                f.codeQlValueParameters.isNotEmpty() ||
                 f.returnType.classFqName?.asString() != "kotlin.collections.MutableSet"
         ) {
             return f.returnType
@@ -1587,7 +1587,7 @@ open class KotlinUsesExtractor(
 
         val otherKeySet =
             parentClass.declarations.findSubType<IrFunction> {
-                it.name.asString() == "keySet" && it.valueParameters.size == 1
+                it.name.asString() == "keySet" && it.codeQlValueParameters.size == 1
             } ?: return f.returnType
 
         return otherKeySet.returnType.codeQlWithHasQuestionMark(false)
@@ -1695,8 +1695,8 @@ open class KotlinUsesExtractor(
                         javaClass.declarations.findSubType<IrFunction> { decl ->
                             !decl.isFakeOverride &&
                                 decl.name.asString() == jvmName &&
-                                decl.valueParameters.size == f.valueParameters.size &&
+                                decl.codeQlValueParameters.size == f.codeQlValueParameters.size &&
-                                decl.valueParameters.zip(f.valueParameters).all { p ->
+                                decl.codeQlValueParameters.zip(f.codeQlValueParameters).all { p ->
                                     erase(p.first.type).classifierOrNull ==
                                         erase(p.second.type).classifierOrNull
                                 }
@@ -2125,7 +2125,7 @@ open class KotlinUsesExtractor(
                 }
 
                 return if (t.arguments.isNotEmpty())
-                    t.addAnnotations(listOf(RawTypeAnnotation.annotationConstructor))
+                    t.codeQlAddAnnotations(listOf(RawTypeAnnotation.annotationConstructor))
                 else t
             }
         }
@@ -2153,7 +2153,7 @@ open class KotlinUsesExtractor(
         val idxOffset =
             if (
                 declarationParent is IrFunction &&
-                    declarationParent.extensionReceiverParameter != null
+                    declarationParent.codeQlExtensionReceiverParameter != null
             )
             // For extension functions increase the index to match what the java extractor sees:
             1
@@ -2187,7 +2187,7 @@ open class KotlinUsesExtractor(
     // Gets a field's corresponding property's extension receiver type, if any
     fun getExtensionReceiverType(f: IrField) =
         f.correspondingPropertySymbol?.owner?.let {
-            (it.getter ?: it.setter)?.extensionReceiverParameter?.type
+            (it.getter ?: it.setter)?.codeQlExtensionReceiverParameter?.type
         }
 
     fun getFieldLabel(f: IrField): String {
@@ -2222,14 +2222,14 @@ open class KotlinUsesExtractor(
         val setter = p.setter
 
         val func = getter ?: setter
-        val ext = func?.extensionReceiverParameter
+        val ext = func?.codeQlExtensionReceiverParameter
 
         return if (ext == null) {
             "@\"property;{$parentId};${p.name.asString()}\""
         } else {
             val returnType =
                 getter?.returnType
-                    ?: setter?.valueParameters?.singleOrNull()?.type
+                    ?: setter?.codeQlValueParameters?.singleOrNull()?.type
                     ?: pluginContext.irBuiltIns.unitType
             val typeParams = getFunctionTypeParameters(func)
 

java/kotlin-extractor/src/main/kotlin/MetaAnnotationSupport.kt

@@ -1,5 +1,10 @@
 package com.github.codeql
 
+import com.github.codeql.utils.versions.codeQlAnnotationFromSymbolOwner
+import com.github.codeql.utils.versions.codeQlGetValueArgument
+import com.github.codeql.utils.versions.codeQlPutValueArgument
+import com.github.codeql.utils.versions.codeQlSetAnnotations
+import com.github.codeql.utils.versions.codeQlSetDispatchReceiverParameter
 import com.github.codeql.utils.versions.createImplicitParameterDeclarationWithWrappedDescriptor
 import java.lang.annotation.ElementType
 import java.util.HashSet
@@ -95,7 +100,7 @@ class MetaAnnotationSupport(
                     JvmAnnotationNames.REPEATABLE_ANNOTATION
             }
         return if (jvmRepeatable != null) {
-            ((jvmRepeatable.getValueArgument(0) as? IrClassReference)?.symbol as? IrClassSymbol)
+            ((jvmRepeatable.codeQlGetValueArgument(0) as? IrClassReference)?.symbol as? IrClassSymbol)
                 ?.owner
         } else {
             getOrCreateSyntheticRepeatableAnnotationContainer(annotationClass)
@@ -117,12 +122,12 @@ class MetaAnnotationSupport(
             )
             return null
         } else {
-            return IrConstructorCallImpl.fromSymbolOwner(
+            return codeQlAnnotationFromSymbolOwner(
                     containerClass.defaultType,
                     containerConstructor.symbol
                 )
                 .apply {
-                    putValueArgument(
+                    codeQlPutValueArgument(
                         0,
                         IrVarargImpl(
                             UNDEFINED_OFFSET,
@@ -144,7 +149,7 @@ class MetaAnnotationSupport(
 
     // Taken from AdditionalClassAnnotationLowering.kt
     private fun loadAnnotationTargets(targetEntry: IrConstructorCall): Set<KotlinTarget>? {
-        val valueArgument = targetEntry.getValueArgument(0) as? IrVararg ?: return null
+        val valueArgument = targetEntry.codeQlGetValueArgument(0) as? IrVararg ?: return null
         return valueArgument.elements
             .filterIsInstance<IrGetEnumValue>()
             .mapNotNull { KotlinTarget.valueOrNull(it.symbol.owner.name.asString()) }
@@ -230,14 +235,14 @@ class MetaAnnotationSupport(
             )
         }
 
-        return IrConstructorCallImpl.fromSymbolOwner(
+        return codeQlAnnotationFromSymbolOwner(
                 UNDEFINED_OFFSET,
                 UNDEFINED_OFFSET,
                 targetConstructor.returnType,
                 targetConstructor.symbol,
                 0
             )
-            .apply { putValueArgument(0, vararg) }
+            .apply { codeQlPutValueArgument(0, vararg) }
     }
 
     private val javaAnnotationRetention by lazy {
@@ -263,7 +268,7 @@ class MetaAnnotationSupport(
     // Taken from AnnotationCodegen.kt (not available in Kotlin < 1.6.20)
     private fun IrClass.getAnnotationRetention(): KotlinRetention? {
         val retentionArgument =
-            getAnnotation(StandardNames.FqNames.retention)?.getValueArgument(0) as? IrGetEnumValue
+            getAnnotation(StandardNames.FqNames.retention)?.codeQlGetValueArgument(0) as? IrGetEnumValue
                 ?: return null
         val retentionArgumentValue = retentionArgument.symbol.owner
         return KotlinRetention.valueOf(retentionArgumentValue.name.asString())
@@ -283,7 +288,7 @@ class MetaAnnotationSupport(
         val targetConstructor =
             retentionType.declarations.firstIsInstanceOrNull<IrConstructor>() ?: return null
 
-        return IrConstructorCallImpl.fromSymbolOwner(
+        return codeQlAnnotationFromSymbolOwner(
                 UNDEFINED_OFFSET,
                 UNDEFINED_OFFSET,
                 targetConstructor.returnType,
@@ -291,7 +296,7 @@ class MetaAnnotationSupport(
                 0
             )
             .apply {
-                putValueArgument(
+                codeQlPutValueArgument(
                     0,
                     IrGetEnumValueImpl(
                         UNDEFINED_OFFSET,
@@ -333,7 +338,7 @@ class MetaAnnotationSupport(
                             return
                         }
                 val newParam = thisReceiever.copyTo(this)
-                dispatchReceiverParameter = newParam
+                codeQlSetDispatchReceiverParameter(newParam)
                 body =
                     factory
                         .createBlockBody(UNDEFINED_OFFSET, UNDEFINED_OFFSET)
@@ -406,7 +411,7 @@ class MetaAnnotationSupport(
             val repeatableContainerAnnotation =
                 kotlinAnnotationRepeatableContainer?.constructors?.single()
 
-            containerClass.annotations =
+            codeQlSetAnnotations(containerClass,
                 annotationClass.annotations
                     .filter {
                         it.isAnnotationWithEqualFqName(StandardNames.FqNames.retention) ||
@@ -415,7 +420,7 @@ class MetaAnnotationSupport(
                     .map { it.deepCopyWithSymbols(containerClass) } +
                     listOfNotNull(
                         repeatableContainerAnnotation?.let {
-                            IrConstructorCallImpl.fromSymbolOwner(
+                            codeQlAnnotationFromSymbolOwner(
                                 UNDEFINED_OFFSET,
                                 UNDEFINED_OFFSET,
                                 it.returnType,
@@ -424,6 +429,7 @@ class MetaAnnotationSupport(
                             )
                         }
                     )
+            )
 
             containerClass
         }
@@ -462,14 +468,14 @@ class MetaAnnotationSupport(
                 containerClass.symbol,
                 containerClass.defaultType
             )
-        return IrConstructorCallImpl.fromSymbolOwner(
+        return codeQlAnnotationFromSymbolOwner(
                 UNDEFINED_OFFSET,
                 UNDEFINED_OFFSET,
                 repeatableConstructor.returnType,
                 repeatableConstructor.symbol,
                 0
             )
-            .apply { putValueArgument(0, containerReference) }
+            .apply { codeQlPutValueArgument(0, containerReference) }
     }
 
     private val javaAnnotationDocumented by lazy {
@@ -488,7 +494,7 @@ class MetaAnnotationSupport(
             javaAnnotationDocumented?.declarations?.firstIsInstanceOrNull<IrConstructor>()
                 ?: return null
 
-        return IrConstructorCallImpl.fromSymbolOwner(
+        return codeQlAnnotationFromSymbolOwner(
             UNDEFINED_OFFSET,
             UNDEFINED_OFFSET,
             documentedConstructor.returnType,

java/kotlin-extractor/src/main/kotlin/TrapWriter.kt

@@ -1,6 +1,7 @@
 package com.github.codeql
 
 import com.github.codeql.KotlinUsesExtractor.LocallyVisibleFunctionLabels
+import com.github.codeql.utils.versions.codeQlExtensionReceiver
 import com.semmle.extractor.java.PopulateFile
 import com.semmle.util.unicode.UTF8Util
 import java.io.BufferedWriter
@@ -331,7 +332,7 @@ open class FileTrapWriter(
             is IrCall -> {
                 // Calls have incorrect startOffset, so we adjust them:
                 val dr = e.dispatchReceiver?.let { getStartOffset(it) }
-                val er = e.extensionReceiver?.let { getStartOffset(it) }
+                val er = e.codeQlExtensionReceiver?.let { getStartOffset(it) }
                 offsetMinOf(e.startOffset, dr, er)
             }
             else -> e.startOffset

java/kotlin-extractor/src/main/kotlin/comments/CommentExtractor.kt

@@ -2,6 +2,7 @@ package com.github.codeql.comments
 
 import com.github.codeql.*
 import com.github.codeql.utils.isLocalFunction
+import com.github.codeql.utils.versions.codeQlExtensionReceiverParameter
 import com.github.codeql.utils.versions.isDispatchReceiver
 import org.jetbrains.kotlin.ir.IrElement
 import org.jetbrains.kotlin.ir.declarations.*
@@ -11,7 +12,7 @@ import org.jetbrains.kotlin.ir.util.parentClassOrNull
 
 private fun IrValueParameter.isExtensionReceiver(): Boolean {
     val parentFun = parent as? IrFunction ?: return false
-    return parentFun.extensionReceiverParameter == this
+    return parentFun.codeQlExtensionReceiverParameter == this
 }
 
 open class CommentExtractor(

java/kotlin-extractor/src/main/kotlin/utils/JvmNames.kt

@@ -1,6 +1,8 @@
 package com.github.codeql.utils
 
 import com.github.codeql.utils.versions.CodeQLIrConst
+import com.github.codeql.utils.versions.codeQlGetValueArgument
+import com.github.codeql.utils.versions.codeQlValueArgumentsCount
 import org.jetbrains.kotlin.builtins.StandardNames
 import org.jetbrains.kotlin.ir.declarations.IrAnnotationContainer
 import org.jetbrains.kotlin.ir.declarations.IrClass
@@ -76,9 +78,9 @@ private fun getSpecialJvmName(f: IrFunction): String? {
 fun getJvmName(container: IrAnnotationContainer): String? {
     for (a: IrConstructorCall in container.annotations) {
         val t = a.type
-        if (t is IrSimpleType && a.valueArgumentsCount == 1) {
+        if (t is IrSimpleType && a.codeQlValueArgumentsCount == 1) {
             val owner = t.classifier.owner
-            val v = a.getValueArgument(0)
+            val v = a.codeQlGetValueArgument(0)
             if (owner is IrClass) {
                 val aPkg = owner.packageFqName?.asString()
                 val name = owner.name.asString()

java/kotlin-extractor/src/main/kotlin/utils/TypeSubstitution.kt

@@ -18,7 +18,7 @@ import org.jetbrains.kotlin.ir.expressions.IrConstructorCall
 import org.jetbrains.kotlin.ir.expressions.impl.*
 import org.jetbrains.kotlin.ir.symbols.IrTypeParameterSymbol
 import org.jetbrains.kotlin.ir.symbols.impl.DescriptorlessExternalPackageFragmentSymbol
-import org.jetbrains.kotlin.ir.types.addAnnotations
+import com.github.codeql.utils.versions.codeQlAddAnnotations
 import org.jetbrains.kotlin.ir.types.classifierOrNull
 import org.jetbrains.kotlin.ir.types.makeNotNull
 import org.jetbrains.kotlin.ir.types.makeNullable
@@ -192,7 +192,7 @@ object RawTypeAnnotation {
                     addConstructor { isPrimary = true }
                 }
         val constructor = annoClass.constructors.single()
-        IrConstructorCallImpl.fromSymbolOwner(constructor.constructedClassType, constructor.symbol)
+        codeQlAnnotationFromSymbolOwner(constructor.constructedClassType, constructor.symbol)
     }
 }
 
@@ -202,7 +202,7 @@ fun IrType.toRawType(): IrType =
             when (val owner = this.classifier.owner) {
                 is IrClass -> {
                     if (this.arguments.isNotEmpty())
-                        this.addAnnotations(listOf(RawTypeAnnotation.annotationConstructor))
+                        this.codeQlAddAnnotations(listOf(RawTypeAnnotation.annotationConstructor))
                     else this
                 }
                 is IrTypeParameter -> owner.superTypes[0].toRawType()
@@ -215,7 +215,7 @@ fun IrType.toRawType(): IrType =
 fun IrClass.toRawType(): IrType {
     val result = this.typeWith(listOf())
     return if (this.typeParameters.isNotEmpty())
-        result.addAnnotations(listOf(RawTypeAnnotation.annotationConstructor))
+        result.codeQlAddAnnotations(listOf(RawTypeAnnotation.annotationConstructor))
     else result
 }
 

java/kotlin-extractor/src/main/kotlin/utils/versions/v_1_8_0/IrCompat.kt

@@ -0,0 +1,70 @@
+package com.github.codeql.utils.versions
+
+import org.jetbrains.kotlin.ir.declarations.IrFunction
+import org.jetbrains.kotlin.ir.declarations.IrValueParameter
+import org.jetbrains.kotlin.ir.expressions.IrConstructorCall
+import org.jetbrains.kotlin.ir.expressions.IrExpression
+import org.jetbrains.kotlin.ir.expressions.IrMemberAccessExpression
+import org.jetbrains.kotlin.ir.expressions.impl.*
+import org.jetbrains.kotlin.ir.symbols.IrConstructorSymbol
+import org.jetbrains.kotlin.ir.types.IrType
+import org.jetbrains.kotlin.ir.types.addAnnotations
+
+/**
+ * Compatibility accessors for pre-2.4.0 API patterns.
+ * In pre-2.4.0 versions, these delegate directly to the existing APIs.
+ */
+
+// IrFunction: valueParameters
+val IrFunction.codeQlValueParameters: List<IrValueParameter>
+    get() = valueParameters
+
+// IrFunction: extensionReceiverParameter
+val IrFunction.codeQlExtensionReceiverParameter: IrValueParameter?
+    get() = extensionReceiverParameter
+
+// IrMemberAccessExpression: valueArgumentsCount
+val IrMemberAccessExpression<*>.codeQlValueArgumentsCount: Int
+    get() = valueArgumentsCount
+
+// IrMemberAccessExpression: getValueArgument
+fun IrMemberAccessExpression<*>.codeQlGetValueArgument(index: Int): IrExpression? = getValueArgument(index)
+
+// IrMemberAccessExpression: putValueArgument
+fun IrMemberAccessExpression<*>.codeQlPutValueArgument(index: Int, value: IrExpression?) {
+    putValueArgument(index, value)
+}
+
+// IrMemberAccessExpression: extensionReceiver
+val IrMemberAccessExpression<*>.codeQlExtensionReceiver: IrExpression?
+    get() = extensionReceiver
+
+// IrMemberAccessExpression: typeArgumentsCount
+val IrMemberAccessExpression<*>.codeQlTypeArgumentsCount: Int
+    get() = typeArgumentsCount
+
+// IrMemberAccessExpression: getTypeArgument
+fun IrMemberAccessExpression<*>.codeQlGetTypeArgument(index: Int): IrType? = getTypeArgument(index)
+
+// addAnnotations compat: in pre-2.4.0, addAnnotations expects List<IrConstructorCall>
+fun IrType.codeQlAddAnnotations(annotations: List<IrConstructorCall>): IrType =
+    addAnnotations(annotations)
+
+// IrMutableAnnotationContainer.annotations setter: in pre-2.4.0, annotations is var with List<IrConstructorCall>
+fun codeQlSetAnnotations(container: org.jetbrains.kotlin.ir.declarations.IrMutableAnnotationContainer, annotations: List<IrConstructorCall>) {
+    container.annotations = annotations
+}
+
+// IrFunction: set dispatch receiver parameter (pre-2.4.0 it's a var)
+fun IrFunction.codeQlSetDispatchReceiverParameter(param: IrValueParameter?) {
+    dispatchReceiverParameter = param
+}
+
+// In pre-2.4.0, annotations are List<IrConstructorCall> so IrConstructorCallImpl works directly.
+fun codeQlAnnotationFromSymbolOwner(
+    startOffset: Int, endOffset: Int, type: IrType, symbol: IrConstructorSymbol, typeArgumentsCount: Int
+): IrConstructorCall =
+    IrConstructorCallImpl.fromSymbolOwner(startOffset, endOffset, type, symbol, typeArgumentsCount)
+
+fun codeQlAnnotationFromSymbolOwner(type: IrType, symbol: IrConstructorSymbol): IrConstructorCall =
+    IrConstructorCallImpl.fromSymbolOwner(type, symbol)

java/kotlin-extractor/src/main/kotlin/utils/versions/v_1_8_0/Kotlin2ComponentRegistrar.kt

@@ -3,10 +3,34 @@
 
 package com.github.codeql
 
+import com.intellij.mock.MockProject
+import com.intellij.openapi.extensions.LoadingOrder
+import org.jetbrains.kotlin.backend.common.extensions.IrGenerationExtension
 import org.jetbrains.kotlin.compiler.plugin.ComponentRegistrar
 import org.jetbrains.kotlin.compiler.plugin.ExperimentalCompilerApi
+import org.jetbrains.kotlin.config.CompilerConfiguration
 
 @OptIn(ExperimentalCompilerApi::class)
 abstract class Kotlin2ComponentRegistrar : ComponentRegistrar {
     /* Nothing to do; supportsK2 doesn't exist yet. */
+
+    private var project: MockProject? = null
+
+    override fun registerProjectComponents(
+        project: MockProject,
+        configuration: CompilerConfiguration
+    ) {
+        this.project = project
+        doRegisterExtensions(configuration)
+    }
+
+    abstract fun doRegisterExtensions(configuration: CompilerConfiguration)
+
+    fun registerExtractorExtension(extension: IrGenerationExtension) {
+        val p = project ?: throw IllegalStateException("registerExtractorExtension called before registerProjectComponents")
+        // Register with LoadingOrder.LAST to ensure the extractor runs after other
+        // IR generation plugins (like kotlinx.serialization) have generated their code.
+        val extensionPoint = p.extensionArea.getExtensionPoint(IrGenerationExtension.extensionPointName)
+        extensionPoint.registerExtension(extension, LoadingOrder.LAST, p)
+    }
 }

java/kotlin-extractor/src/main/kotlin/utils/versions/v_1_9_0-Beta/Kotlin2ComponentRegistrar.kt

@@ -3,11 +3,35 @@
 
 package com.github.codeql
 
+import com.intellij.mock.MockProject
+import com.intellij.openapi.extensions.LoadingOrder
+import org.jetbrains.kotlin.backend.common.extensions.IrGenerationExtension
 import org.jetbrains.kotlin.compiler.plugin.ComponentRegistrar
 import org.jetbrains.kotlin.compiler.plugin.ExperimentalCompilerApi
+import org.jetbrains.kotlin.config.CompilerConfiguration
 
 @OptIn(ExperimentalCompilerApi::class)
 abstract class Kotlin2ComponentRegistrar : ComponentRegistrar {
     override val supportsK2: Boolean
         get() = true
+
+    private var project: MockProject? = null
+
+    override fun registerProjectComponents(
+        project: MockProject,
+        configuration: CompilerConfiguration
+    ) {
+        this.project = project
+        doRegisterExtensions(configuration)
+    }
+
+    abstract fun doRegisterExtensions(configuration: CompilerConfiguration)
+
+    fun registerExtractorExtension(extension: IrGenerationExtension) {
+        val p = project ?: throw IllegalStateException("registerExtractorExtension called before registerProjectComponents")
+        // Register with LoadingOrder.LAST to ensure the extractor runs after other
+        // IR generation plugins (like kotlinx.serialization) have generated their code.
+        val extensionPoint = p.extensionArea.getExtensionPoint(IrGenerationExtension.extensionPointName)
+        extensionPoint.registerExtension(extension, LoadingOrder.LAST, p)
+    }
 }

java/kotlin-extractor/src/main/kotlin/utils/versions/v_2_4_0/IrCompat.kt

@@ -0,0 +1,123 @@
+@file:Suppress("DEPRECATION")
+
+package com.github.codeql.utils.versions
+
+import org.jetbrains.kotlin.ir.declarations.IrFunction
+import org.jetbrains.kotlin.ir.declarations.IrValueParameter
+import org.jetbrains.kotlin.ir.expressions.IrAnnotation
+import org.jetbrains.kotlin.ir.expressions.IrConstructorCall
+import org.jetbrains.kotlin.ir.expressions.IrExpression
+import org.jetbrains.kotlin.ir.expressions.IrMemberAccessExpression
+import org.jetbrains.kotlin.ir.expressions.impl.IrAnnotationImpl
+import org.jetbrains.kotlin.ir.expressions.impl.fromSymbolOwner
+import org.jetbrains.kotlin.ir.symbols.IrConstructorSymbol
+import org.jetbrains.kotlin.ir.types.IrType
+import org.jetbrains.kotlin.ir.types.addAnnotations
+
+/**
+ * Compatibility accessors for pre-2.4.0 API patterns.
+ * In 2.4.0, valueParameters/extensionReceiverParameter/extensionReceiver/
+ * getValueArgument/putValueArgument/valueArgumentsCount/typeArgumentsCount/getTypeArgument
+ * have been removed. This file provides the 2.4.0 implementations.
+ */
+
+// IrFunction: valueParameters -> parameters filtered to Regular kind
+val IrFunction.codeQlValueParameters: List<IrValueParameter>
+    get() = parameters.filter { it.kind == org.jetbrains.kotlin.ir.declarations.IrParameterKind.Regular }
+
+// IrFunction: extensionReceiverParameter
+val IrFunction.codeQlExtensionReceiverParameter: IrValueParameter?
+    get() = parameters.firstOrNull { it.kind == org.jetbrains.kotlin.ir.declarations.IrParameterKind.ExtensionReceiver }
+
+// Helper: get the offset of value arguments in the arguments list
+private fun IrMemberAccessExpression<*>.valueArgumentOffset(): Int {
+    val owner = symbol.owner as? IrFunction ?: return 0
+    return owner.parameters.count { it.kind != org.jetbrains.kotlin.ir.declarations.IrParameterKind.Regular }
+}
+
+// IrMemberAccessExpression: valueArgumentsCount
+// In 2.4.0, arguments[] includes dispatch/extension receivers before regular params
+val IrMemberAccessExpression<*>.codeQlValueArgumentsCount: Int
+    get() = arguments.size - valueArgumentOffset()
+
+// IrMemberAccessExpression: getValueArgument
+// In 2.4.0, arguments[] includes dispatch/extension receivers before regular params
+fun IrMemberAccessExpression<*>.codeQlGetValueArgument(index: Int): IrExpression? = arguments[index + valueArgumentOffset()]
+
+// IrMemberAccessExpression: putValueArgument
+// In 2.4.0, arguments[] includes dispatch/extension receivers before regular params
+fun IrMemberAccessExpression<*>.codeQlPutValueArgument(index: Int, value: IrExpression?) {
+    arguments[index + valueArgumentOffset()] = value
+}
+
+// Re-add accessor for the extensionReceiver property removed in Kotlin 2.4.0.
+val IrMemberAccessExpression<*>.codeQlExtensionReceiver: IrExpression?
+    get() {
+        val erp = extensionReceiverParameterIndex() ?: return null
+        return arguments[erp]
+    }
+
+// Find the argument index corresponding to the extension receiver parameter.
+// Calls and function references expose an IrFunction owner directly; property
+// references need to look through their getter or setter.
+private fun IrMemberAccessExpression<*>.extensionReceiverParameterIndex(): Int? {
+    // Direct function owner (IrCall, IrFunctionReference, etc.)
+    (symbol.owner as? IrFunction)?.codeQlExtensionReceiverParameter?.let {
+        return it.indexInParameters
+    }
+    // Property reference: look at getter or setter function
+    (this as? org.jetbrains.kotlin.ir.expressions.IrPropertyReference)?.let { propRef ->
+        propRef.getter?.owner?.codeQlExtensionReceiverParameter?.let {
+            return it.indexInParameters
+        }
+        propRef.setter?.owner?.codeQlExtensionReceiverParameter?.let {
+            return it.indexInParameters
+        }
+    }
+    return null
+}
+
+// IrMemberAccessExpression: typeArgumentsCount
+val IrMemberAccessExpression<*>.codeQlTypeArgumentsCount: Int
+    get() = typeArguments.size
+
+// IrMemberAccessExpression: getTypeArgument
+fun IrMemberAccessExpression<*>.codeQlGetTypeArgument(index: Int): IrType? = typeArguments[index]
+
+// addAnnotations compat: in 2.4.0, addAnnotations expects List<IrAnnotation>
+// IrConstructorCall implements IrAnnotation in 2.4.0, so filterIsInstance is identity
+fun IrType.codeQlAddAnnotations(annotations: List<IrConstructorCall>): IrType =
+    addAnnotations(annotations.filterIsInstance<IrAnnotation>())
+
+// IrMutableAnnotationContainer.annotations setter: in 2.4.0, expects List<IrAnnotation>
+fun codeQlSetAnnotations(container: org.jetbrains.kotlin.ir.declarations.IrMutableAnnotationContainer, annotations: List<IrConstructorCall>) {
+    container.annotations = annotations.filterIsInstance<IrAnnotation>()
+}
+
+// IrFunction: set dispatch receiver parameter
+// In 2.4.0, dispatchReceiverParameter is val; modify the parameters list directly.
+fun IrFunction.codeQlSetDispatchReceiverParameter(param: IrValueParameter?) {
+    val existing = parameters.indexOfFirst { it.kind == org.jetbrains.kotlin.ir.declarations.IrParameterKind.DispatchReceiver }
+    val mutableParams = parameters.toMutableList()
+    if (existing >= 0) {
+        if (param != null) {
+            mutableParams[existing] = param
+        } else {
+            mutableParams.removeAt(existing)
+        }
+    } else if (param != null) {
+        param.kind = org.jetbrains.kotlin.ir.declarations.IrParameterKind.DispatchReceiver
+        mutableParams.add(0, param)
+    }
+    parameters = mutableParams
+}
+
+// In 2.4.0, annotation lists require IrAnnotation instances.
+// Use IrAnnotationImpl.fromSymbolOwner instead of IrConstructorCallImpl.fromSymbolOwner.
+fun codeQlAnnotationFromSymbolOwner(
+    startOffset: Int, endOffset: Int, type: IrType, symbol: IrConstructorSymbol, typeArgumentsCount: Int
+): IrConstructorCall =
+    IrAnnotationImpl.fromSymbolOwner(startOffset, endOffset, type, symbol, typeArgumentsCount)
+
+fun codeQlAnnotationFromSymbolOwner(type: IrType, symbol: IrConstructorSymbol): IrConstructorCall =
+    IrAnnotationImpl.fromSymbolOwner(type, symbol)

java/kotlin-extractor/src/main/kotlin/utils/versions/v_2_4_0/Kotlin2ComponentRegistrar.kt

@@ -0,0 +1,45 @@
+package com.github.codeql
+
+import com.intellij.mock.MockProject
+import org.jetbrains.kotlin.backend.common.extensions.IrGenerationExtension
+import org.jetbrains.kotlin.compiler.plugin.CompilerPluginRegistrar
+import org.jetbrains.kotlin.compiler.plugin.ExperimentalCompilerApi
+import org.jetbrains.kotlin.config.CompilerConfiguration
+
+@OptIn(ExperimentalCompilerApi::class)
+@Suppress("DEPRECATION", "DEPRECATION_ERROR")
+abstract class Kotlin2ComponentRegistrar :
+    CompilerPluginRegistrar(),
+    org.jetbrains.kotlin.compiler.plugin.ComponentRegistrar {
+    override val supportsK2: Boolean
+        get() = true
+
+    override val pluginId: String
+        get() = "kotlin-extractor"
+
+    // ComponentRegistrar implementation (legacy path, still called by Kotlin compiler)
+    override fun registerProjectComponents(
+        project: MockProject,
+        configuration: CompilerConfiguration
+    ) {
+        // Registration is done via ExtensionStorage in Kotlin 2.4+.
+        // This legacy entry point remains for compatibility with service discovery.
+    }
+
+    private var extensionStorage: CompilerPluginRegistrar.ExtensionStorage? = null
+
+    override fun ExtensionStorage.registerExtensions(configuration: CompilerConfiguration) {
+        this@Kotlin2ComponentRegistrar.extensionStorage = this
+        doRegisterExtensions(configuration)
+    }
+
+    abstract fun doRegisterExtensions(configuration: CompilerConfiguration)
+
+    protected fun registerExtractorExtension(extension: IrGenerationExtension) {
+        val storage = extensionStorage
+            ?: throw IllegalStateException("registerExtractorExtension called before registerExtensions")
+        with(storage) {
+            IrGenerationExtension.registerExtension(extension)
+        }
+    }
+}

java/kotlin-extractor/src/main/kotlin/utils/versions/v_2_4_0/parameterIndexExcludingReceivers.kt

@@ -0,0 +1,13 @@
+package com.github.codeql.utils.versions
+
+import org.jetbrains.kotlin.ir.declarations.IrFunction
+import org.jetbrains.kotlin.ir.declarations.IrParameterKind
+import org.jetbrains.kotlin.ir.declarations.IrValueParameter
+
+fun parameterIndexExcludingReceivers(vp: IrValueParameter): Int {
+    val offset =
+        (vp.parent as? IrFunction)?.let { f ->
+            f.parameters.count { it.kind == IrParameterKind.DispatchReceiver || it.kind == IrParameterKind.ExtensionReceiver || it.kind == IrParameterKind.Context }
+        } ?: 0
+    return vp.indexInParameters - offset
+}

java/kotlin-extractor/src/main/resources/META-INF/services/org.jetbrains.kotlin.compiler.plugin.CompilerPluginRegistrar

@@ -0,0 +1 @@
+com.github.codeql.KotlinExtractorComponentRegistrar

java/kotlin-extractor/versions.bzl

@@ -11,6 +11,7 @@ VERSIONS = [
     "2.2.20-Beta2",
     "2.3.0",
     "2.3.20",
+    "2.4.0",
 ]
 
 def _version_to_tuple(v):

java/ql/integration-tests/java/buildless-inherit-trust-store/settings.xml

@@ -0,0 +1,10 @@
+<settings>
+  <mirrors>
+    <mirror>
+      <id>google-maven-central</id>
+      <name>GCS Maven Central mirror</name>
+      <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
+      <mirrorOf>central</mirrorOf>
+    </mirror>
+  </mirrors>
+</settings>

java/ql/integration-tests/java/buildless-inherit-trust-store/test.py

@@ -21,6 +21,7 @@ def test(codeql, java, cwd, check_diagnostics_java):
             _env={
                 "MAVEN_OPTS": maven_opts,
                 "CODEQL_JAVA_EXTRACTOR_TRUST_STORE_PATH": str(certspath),
+                "LGTM_INDEX_MAVEN_SETTINGS_FILE": os.path.join(os.path.dirname(os.path.realpath(__file__)), "settings.xml"),
             },
         )
     finally:

java/ql/integration-tests/java/buildless-maven-executable-war/buildless-fetches.expected

@@ -1,3 +1,5 @@
+https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.11/junit-4.11.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
 https://repo.jenkins-ci.org/releases/org/jenkins-ci/main/jenkins-war/2.249/jenkins-war-2.249.war
 https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
 https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
@@ -10,9 +12,7 @@ https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-example_2.11/0.1.2/r
 https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-java-example_2.11/0.1.2/rx-redis-java-example_2.11-0.1.2.jar
 https://repo.maven.apache.org/maven2/io/github/scrollsyou/example-spring-boot-starter/1.0.0/example-spring-boot-starter-1.0.0.jar
 https://repo.maven.apache.org/maven2/io/streamnative/com/example/maven-central-template/server/3.0.0/server-3.0.0.jar
-https://repo.maven.apache.org/maven2/junit/junit/4.11/junit-4.11.jar
 https://repo.maven.apache.org/maven2/no/nav/security/token-validation-ktor-demo/3.1.0/token-validation-ktor-demo-3.1.0.jar
-https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
 https://repo.maven.apache.org/maven2/org/minijax/minijax-example-fileupload/0.5.10/minijax-example-fileupload-0.5.10.jar
 https://repo.maven.apache.org/maven2/org/minijax/minijax-example-inject/0.5.10/minijax-example-inject-0.5.10.jar
 https://repo.maven.apache.org/maven2/org/minijax/minijax-example-json/0.5.10/minijax-example-json-0.5.10.jar

java/ql/integration-tests/java/buildless-maven-executable-war/settings.xml

@@ -0,0 +1,10 @@
+<settings>
+  <mirrors>
+    <mirror>
+      <id>google-maven-central</id>
+      <name>GCS Maven Central mirror</name>
+      <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
+      <mirrorOf>central</mirrorOf>
+    </mirror>
+  </mirrors>
+</settings>

java/ql/integration-tests/java/buildless-maven-executable-war/source_archive.expected

@@ -1,4 +1,5 @@
 pom.xml
+settings.xml
 src/main/java/com/example/App.java
 src/main/resources/my-app.properties
 src/main/resources/page.xml

java/ql/integration-tests/java/buildless-maven-executable-war/test.py

@@ -1,7 +1,10 @@
+import os
+
 def test(codeql, java, check_diagnostics_java):
     codeql.database.create(
         _env={
             "CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS": "true",
             "CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS_CLASSPATH_FROM_BUILD_FILES": "true",
+            "LGTM_INDEX_MAVEN_SETTINGS_FILE": os.path.join(os.path.dirname(os.path.realpath(__file__)), "settings.xml"),
         }
     )

java/ql/integration-tests/java/buildless-maven-existing-settings-xml/buildless-fetches.expected

@@ -1,3 +1,5 @@
+https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.11/junit-4.11.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
 https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
 https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
 https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/example-project/1.5/example-project-1.5.jar
@@ -9,9 +11,7 @@ https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-example_2.11/0.1.2/r
 https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-java-example_2.11/0.1.2/rx-redis-java-example_2.11-0.1.2.jar
 https://repo.maven.apache.org/maven2/io/github/scrollsyou/example-spring-boot-starter/1.0.0/example-spring-boot-starter-1.0.0.jar
 https://repo.maven.apache.org/maven2/io/streamnative/com/example/maven-central-template/server/3.0.0/server-3.0.0.jar
-https://repo.maven.apache.org/maven2/junit/junit/4.11/junit-4.11.jar
 https://repo.maven.apache.org/maven2/no/nav/security/token-validation-ktor-demo/3.1.0/token-validation-ktor-demo-3.1.0.jar
-https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
 https://repo.maven.apache.org/maven2/org/minijax/minijax-example-fileupload/0.5.10/minijax-example-fileupload-0.5.10.jar
 https://repo.maven.apache.org/maven2/org/minijax/minijax-example-inject/0.5.10/minijax-example-inject-0.5.10.jar
 https://repo.maven.apache.org/maven2/org/minijax/minijax-example-json/0.5.10/minijax-example-json-0.5.10.jar

java/ql/integration-tests/java/buildless-maven-existing-settings-xml/maven-fetches.expected

@@ -1,6 +1,6 @@
-Downloaded from central: https://repo.maven.apache.org/maven2/junit/junit/4.11/junit-4.11.pom
+Downloaded from central: https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.11/junit-4.11.pom
-Downloaded from central: https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.pom
+Downloaded from central: https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.pom
-Downloaded from central: https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-parent/1.3/hamcrest-parent-1.3.pom
+Downloaded from central: https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-parent/1.3/hamcrest-parent-1.3.pom
 Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.18.6/jackson-annotations-2.18.6.jar
 Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.18.6/jackson-annotations-2.18.6.pom
 Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-core/2.18.6/jackson-core-2.18.6.jar

java/ql/integration-tests/java/buildless-maven-existing-settings-xml/pom.xml

@@ -111,4 +111,30 @@
       </plugins>
     </pluginManagement>
   </build>
+
+  <!-- Use the Google Cloud Storage mirror of Maven Central for better download speeds and reliability -->
+  <repositories>
+    <repository>
+      <id>central</id>
+      <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
+      <snapshots>
+        <enabled>true</enabled>
+      </snapshots>
+      <releases>
+        <enabled>true</enabled>
+      </releases>
+    </repository>
+  </repositories>
+  <pluginRepositories>
+    <pluginRepository>
+      <id>central</id>
+      <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
+      <snapshots>
+        <enabled>true</enabled>
+      </snapshots>
+      <releases>
+        <enabled>true</enabled>
+      </releases>
+    </pluginRepository>
+  </pluginRepositories>
 </project>

java/ql/integration-tests/java/buildless-maven-mirrorof/buildless-fetches.expected

@@ -1,3 +1,5 @@
+https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.11/junit-4.11.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
 https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
 https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
 https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/example-project/1.5/example-project-1.5.jar
@@ -22,5 +24,3 @@ https://repo.maven.apache.org/maven2/org/minijax/minijax-example-websocket/0.5.1
 https://repo.maven.apache.org/maven2/org/scalamock/scalamock-examples_2.10/3.6.0/scalamock-examples_2.10-3.6.0.jar
 https://repo.maven.apache.org/maven2/org/somda/sdc/glue-examples/4.0.0/glue-examples-4.0.0.jar
 https://repo.maven.apache.org/maven2/us/fatehi/schemacrawler-examplecode/16.20.2/schemacrawler-examplecode-16.20.2.jar
-https://repo1.maven.org/maven2/junit/junit/4.11/junit-4.11.jar
-https://repo1.maven.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar

java/ql/integration-tests/java/buildless-maven-mirrorof/maven-fetches.expected

@@ -73,6 +73,6 @@ Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferst
 Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/sonatype/oss/oss-parent/7/oss-parent-7.pom
 Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/sonatype/oss/oss-parent/9/oss-parent-9.pom
 Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/sonatype/spice/spice-parent/17/spice-parent-17.pom
-Downloaded from mirror-force-central: https://repo1.maven.org/maven2/junit/junit/4.11/junit-4.11.pom
+Downloaded from google-maven-central: https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.11/junit-4.11.pom
-Downloaded from mirror-force-central: https://repo1.maven.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.pom
+Downloaded from google-maven-central: https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.pom
-Downloaded from mirror-force-central: https://repo1.maven.org/maven2/org/hamcrest/hamcrest-parent/1.3/hamcrest-parent-1.3.pom
+Downloaded from google-maven-central: https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-parent/1.3/hamcrest-parent-1.3.pom

java/ql/integration-tests/java/buildless-maven-mirrorof/pom.xml

@@ -111,4 +111,30 @@
       </plugins>
     </pluginManagement>
   </build>
+
+  <!-- Use the Google Cloud Storage mirror of Maven Central for better download speeds and reliability -->
+  <repositories>
+    <repository>
+      <id>central</id>
+      <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
+      <snapshots>
+        <enabled>true</enabled>
+      </snapshots>
+      <releases>
+        <enabled>true</enabled>
+      </releases>
+    </repository>
+  </repositories>
+  <pluginRepositories>
+    <pluginRepository>
+      <id>central</id>
+      <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
+      <snapshots>
+        <enabled>true</enabled>
+      </snapshots>
+      <releases>
+        <enabled>true</enabled>
+      </releases>
+    </pluginRepository>
+  </pluginRepositories>
 </project>

java/ql/integration-tests/java/buildless-maven-mirrorof/settings-xml.expected

@@ -5,11 +5,11 @@
             
         <mirror>
                   
-            <id>mirror-force-central</id>
+            <id>google-maven-central</id>
                   
-            <name>Mirror Repository</name>
+            <name>GCS Maven Central mirror</name>
                   
-            <url>https://repo1.maven.org/maven2</url>
+            <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
                   
             <mirrorOf>*,!codeql-depgraph-plugin-repo</mirrorOf>
                 

java/ql/integration-tests/java/buildless-maven-mirrorof/settings.xml

@@ -1,9 +1,9 @@
 <settings>
   <mirrors>
     <mirror>
-      <id>mirror-force-central</id>
+      <id>google-maven-central</id>
-      <name>Mirror Repository</name>
+      <name>GCS Maven Central mirror</name>
-      <url>https://repo1.maven.org/maven2</url>
+      <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
       <mirrorOf>*</mirrorOf>
     </mirror>
   </mirrors>

java/ql/integration-tests/java/buildless-maven-multimodule/buildless-fetches.expected

@@ -1,3 +1,6 @@
+https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.11/junit-4.11.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/apache/commons/commons-lang3/3.14.0/commons-lang3-3.14.0.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
 https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
 https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
 https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/example-project/1.5/example-project-1.5.jar
@@ -9,10 +12,7 @@ https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-example_2.11/0.1.2/r
 https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-java-example_2.11/0.1.2/rx-redis-java-example_2.11-0.1.2.jar
 https://repo.maven.apache.org/maven2/io/github/scrollsyou/example-spring-boot-starter/1.0.0/example-spring-boot-starter-1.0.0.jar
 https://repo.maven.apache.org/maven2/io/streamnative/com/example/maven-central-template/server/3.0.0/server-3.0.0.jar
-https://repo.maven.apache.org/maven2/junit/junit/4.11/junit-4.11.jar
 https://repo.maven.apache.org/maven2/no/nav/security/token-validation-ktor-demo/3.1.0/token-validation-ktor-demo-3.1.0.jar
-https://repo.maven.apache.org/maven2/org/apache/commons/commons-lang3/3.14.0/commons-lang3-3.14.0.jar
-https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
 https://repo.maven.apache.org/maven2/org/minijax/minijax-example-fileupload/0.5.10/minijax-example-fileupload-0.5.10.jar
 https://repo.maven.apache.org/maven2/org/minijax/minijax-example-inject/0.5.10/minijax-example-inject-0.5.10.jar
 https://repo.maven.apache.org/maven2/org/minijax/minijax-example-json/0.5.10/minijax-example-json-0.5.10.jar

java/ql/integration-tests/java/buildless-maven-multimodule/settings.xml

@@ -0,0 +1,10 @@
+<settings>
+  <mirrors>
+    <mirror>
+      <id>google-maven-central</id>
+      <name>GCS Maven Central mirror</name>
+      <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
+      <mirrorOf>central</mirrorOf>
+    </mirror>
+  </mirrors>
+</settings>

java/ql/integration-tests/java/buildless-maven-multimodule/source_archive.expected

@@ -1,4 +1,5 @@
 pom.xml
+settings.xml
 submod1/pom.xml
 submod1/src/main/java/com/example/App.java
 submod1/src/main/resources/my-app.properties

java/ql/integration-tests/java/buildless-maven-multimodule/test.py

@@ -1,7 +1,10 @@
+import os
+
 def test(codeql, java, check_diagnostics_java):
     codeql.database.create(
         _env={
             "CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS": "true",
             "CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS_CLASSPATH_FROM_BUILD_FILES": "true",
+            "LGTM_INDEX_MAVEN_SETTINGS_FILE": os.path.join(os.path.dirname(os.path.realpath(__file__)), "settings.xml"),
         }
     )

java/ql/integration-tests/java/buildless-maven-timeout/settings.xml

@@ -0,0 +1,10 @@
+<settings>
+  <mirrors>
+    <mirror>
+      <id>google-maven-central</id>
+      <name>GCS Maven Central mirror</name>
+      <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
+      <mirrorOf>central</mirrorOf>
+    </mirror>
+  </mirrors>
+</settings>

java/ql/integration-tests/java/buildless-maven-timeout/source_archive.expected

@@ -1,5 +1,6 @@
 .mvn/wrapper/maven-wrapper.properties
 pom.xml
+settings.xml
 src/main/java/com/example/App.java
 src/main/resources/my-app.properties
 src/main/resources/page.xml

java/ql/integration-tests/java/buildless-maven-timeout/test.py

@@ -1,6 +1,11 @@
+import os
+
 def test(codeql, java, check_diagnostics_java):
     # mvnw has been rigged to stall for a long time by trying to fetch from a black-hole IP. We should find the timeout logic fires and buildless aborts the Maven run quickly.
     codeql.database.create(
         build_mode="none",
-        _env={"CODEQL_EXTRACTOR_JAVA_BUILDLESS_CHILD_PROCESS_IDLE_TIMEOUT": "5"},
+        _env={
+            "CODEQL_EXTRACTOR_JAVA_BUILDLESS_CHILD_PROCESS_IDLE_TIMEOUT": "5",
+            "LGTM_INDEX_MAVEN_SETTINGS_FILE": os.path.join(os.path.dirname(os.path.realpath(__file__)), "settings.xml"),
+        },
     )

java/ql/integration-tests/java/buildless-maven-tolerate-unavailable-dependency/settings.xml

@@ -0,0 +1,10 @@
+<settings>
+  <mirrors>
+    <mirror>
+      <id>google-maven-central</id>
+      <name>GCS Maven Central mirror</name>
+      <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
+      <mirrorOf>central</mirrorOf>
+    </mirror>
+  </mirrors>
+</settings>

java/ql/integration-tests/java/buildless-maven-tolerate-unavailable-dependency/test.py

@@ -1,4 +1,9 @@
+import os
+
 def test(codeql, java, check_diagnostics_java):
     codeql.database.create(
         build_mode="none",
+        _env={
+            "LGTM_INDEX_MAVEN_SETTINGS_FILE": os.path.join(os.path.dirname(os.path.realpath(__file__)), "settings.xml"),
+        }
     )

java/ql/integration-tests/java/buildless-maven/buildless-fetches.expected

@@ -1,3 +1,5 @@
+https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.11/junit-4.11.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
 https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
 https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
 https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/example-project/1.5/example-project-1.5.jar
@@ -9,9 +11,7 @@ https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-example_2.11/0.1.2/r
 https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-java-example_2.11/0.1.2/rx-redis-java-example_2.11-0.1.2.jar
 https://repo.maven.apache.org/maven2/io/github/scrollsyou/example-spring-boot-starter/1.0.0/example-spring-boot-starter-1.0.0.jar
 https://repo.maven.apache.org/maven2/io/streamnative/com/example/maven-central-template/server/3.0.0/server-3.0.0.jar
-https://repo.maven.apache.org/maven2/junit/junit/4.11/junit-4.11.jar
 https://repo.maven.apache.org/maven2/no/nav/security/token-validation-ktor-demo/3.1.0/token-validation-ktor-demo-3.1.0.jar
-https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
 https://repo.maven.apache.org/maven2/org/minijax/minijax-example-fileupload/0.5.10/minijax-example-fileupload-0.5.10.jar
 https://repo.maven.apache.org/maven2/org/minijax/minijax-example-inject/0.5.10/minijax-example-inject-0.5.10.jar
 https://repo.maven.apache.org/maven2/org/minijax/minijax-example-json/0.5.10/minijax-example-json-0.5.10.jar

java/ql/integration-tests/java/buildless-maven/maven-fetches.expected

@@ -1,6 +1,6 @@
-Downloaded from central: https://repo.maven.apache.org/maven2/junit/junit/4.11/junit-4.11.pom
+Downloaded from central: https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.11/junit-4.11.pom
-Downloaded from central: https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.pom
+Downloaded from central: https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.pom
-Downloaded from central: https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-parent/1.3/hamcrest-parent-1.3.pom
+Downloaded from central: https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-parent/1.3/hamcrest-parent-1.3.pom
 Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.18.6/jackson-annotations-2.18.6.jar
 Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.18.6/jackson-annotations-2.18.6.pom
 Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-core/2.18.6/jackson-core-2.18.6.jar

java/ql/integration-tests/java/buildless-maven/pom.xml

@@ -111,4 +111,30 @@
       </plugins>
     </pluginManagement>
   </build>
+
+  <!-- Use the Google Cloud Storage mirror of Maven Central for better download speeds and reliability -->
+  <repositories>
+    <repository>
+      <id>central</id>
+      <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
+      <snapshots>
+        <enabled>true</enabled>
+      </snapshots>
+      <releases>
+        <enabled>true</enabled>
+      </releases>
+    </repository>
+  </repositories>
+  <pluginRepositories>
+    <pluginRepository>
+      <id>central</id>
+      <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
+      <snapshots>
+        <enabled>true</enabled>
+      </snapshots>
+      <releases>
+        <enabled>true</enabled>
+      </releases>
+    </pluginRepository>
+  </pluginRepositories>
 </project>

java/ql/integration-tests/java/buildless-proxy-maven/buildless-fetches.expected

@@ -1,3 +1,5 @@
+https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.11/junit-4.11.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
 https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
 https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
 https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/example-project/1.5/example-project-1.5.jar
@@ -9,9 +11,7 @@ https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-example_2.11/0.1.2/r
 https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-java-example_2.11/0.1.2/rx-redis-java-example_2.11-0.1.2.jar
 https://repo.maven.apache.org/maven2/io/github/scrollsyou/example-spring-boot-starter/1.0.0/example-spring-boot-starter-1.0.0.jar
 https://repo.maven.apache.org/maven2/io/streamnative/com/example/maven-central-template/server/3.0.0/server-3.0.0.jar
-https://repo.maven.apache.org/maven2/junit/junit/4.11/junit-4.11.jar
 https://repo.maven.apache.org/maven2/no/nav/security/token-validation-ktor-demo/3.1.0/token-validation-ktor-demo-3.1.0.jar
-https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
 https://repo.maven.apache.org/maven2/org/minijax/minijax-example-fileupload/0.5.10/minijax-example-fileupload-0.5.10.jar
 https://repo.maven.apache.org/maven2/org/minijax/minijax-example-inject/0.5.10/minijax-example-inject-0.5.10.jar
 https://repo.maven.apache.org/maven2/org/minijax/minijax-example-json/0.5.10/minijax-example-json-0.5.10.jar

java/ql/integration-tests/java/buildless-proxy-maven/settings.xml

@@ -0,0 +1,10 @@
+<settings>
+  <mirrors>
+    <mirror>
+      <id>google-maven-central</id>
+      <name>GCS Maven Central mirror</name>
+      <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
+      <mirrorOf>central</mirrorOf>
+    </mirror>
+  </mirrors>
+</settings>

java/ql/integration-tests/java/buildless-proxy-maven/source_archive.expected

@@ -1,4 +1,5 @@
 pom.xml
+settings.xml
 src/main/java/com/example/App.java
 src/main/resources/my-app.properties
 src/main/resources/page.xml

java/ql/integration-tests/java/buildless-proxy-maven/test.py

@@ -1,7 +1,10 @@
+import os
+
 def test(codeql, java, codeql_mitm_proxy, check_diagnostics_java):
     codeql.database.create(
         _env={
             "CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS": "true",
             "CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS_CLASSPATH_FROM_BUILD_FILES": "true",
+            "LGTM_INDEX_MAVEN_SETTINGS_FILE": os.path.join(os.path.dirname(os.path.realpath(__file__)), "settings.xml"),
         }
     )

java/ql/integration-tests/java/buildless-snapshot-repository/settings.xml

@@ -0,0 +1,10 @@
+<settings>
+  <mirrors>
+    <mirror>
+      <id>google-maven-central</id>
+      <name>GCS Maven Central mirror</name>
+      <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
+      <mirrorOf>central</mirrorOf>
+    </mirror>
+  </mirrors>
+</settings>

java/ql/integration-tests/java/buildless-snapshot-repository/test.py

@@ -1,3 +1,4 @@
+import os
 import subprocess
 import runs_on
 
@@ -15,7 +16,10 @@ def test(codeql, java):
     try:
         codeql.database.create(
             extractor_option="buildless=true",
-            _env={"CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS_CLASSPATH_FROM_BUILD_FILES": "true"},
+            _env={
+                "CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS_CLASSPATH_FROM_BUILD_FILES": "true",
+                "LGTM_INDEX_MAVEN_SETTINGS_FILE": os.path.join(os.path.dirname(os.path.realpath(__file__)), "settings.xml"),
+            },
         )
     finally:
         repo_server_process.kill()

java/ql/integration-tests/java/maven-add-exports-module-flags/settings.xml

@@ -0,0 +1,10 @@
+<settings>
+  <mirrors>
+    <mirror>
+      <id>google-maven-central</id>
+      <name>GCS Maven Central mirror</name>
+      <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
+      <mirrorOf>central</mirrorOf>
+    </mirror>
+  </mirrors>
+</settings>

java/ql/integration-tests/java/maven-add-exports-module-flags/source_archive.expected

@@ -1,3 +1,4 @@
 pom.xml
+settings.xml
 src/main/java/com/example/CompilerUser.java
 target/maven-archiver/pom.properties

java/ql/integration-tests/java/maven-add-exports-module-flags/test.py

@@ -1,2 +1,9 @@
+import os
+
 def test(codeql, java, actions_toolchains_file):
-    codeql.database.create(_env={"LGTM_INDEX_MAVEN_TOOLCHAINS_FILE": str(actions_toolchains_file)})
+    codeql.database.create(
+        _env={
+            "LGTM_INDEX_MAVEN_TOOLCHAINS_FILE": str(actions_toolchains_file),
+            "LGTM_INDEX_MAVEN_SETTINGS_FILE": os.path.join(os.path.dirname(os.path.realpath(__file__)), "settings.xml"),
+        }
+    )

java/ql/integration-tests/java/maven-download-failure/settings.xml

@@ -0,0 +1,10 @@
+<settings>
+  <mirrors>
+    <mirror>
+      <id>google-maven-central</id>
+      <name>GCS Maven Central mirror</name>
+      <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
+      <mirrorOf>central</mirrorOf>
+    </mirror>
+  </mirrors>
+</settings>

java/ql/integration-tests/java/maven-download-failure/source_archive.expected

@@ -1,4 +1,5 @@
 pom.xml
+settings.xml
 src/main/java/com/example/App.java
 src/main/resources/my-app.properties
 src/main/resources/page.xml

java/ql/integration-tests/java/maven-download-failure/test.py

@@ -9,6 +9,7 @@ def test(codeql, java, check_diagnostics_java):
     runenv = {
         "PATH": os.path.realpath(os.path.dirname(__file__)) + os.pathsep + os.getenv("PATH"),
         "REAL_MVN_PATH": shutil.which("mvn"),
+        "LGTM_INDEX_MAVEN_SETTINGS_FILE": os.path.join(os.path.dirname(os.path.realpath(__file__)), "settings.xml"),
     }
     del os.environ["NoDefaultCurrentDirectoryInExePath"]
     codeql.database.create(build_mode = "none", _env = runenv)

java/ql/integration-tests/java/maven-enforcer-multiple-versions/settings.xml

@@ -0,0 +1,10 @@
+<settings>
+  <mirrors>
+    <mirror>
+      <id>google-maven-central</id>
+      <name>GCS Maven Central mirror</name>
+      <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
+      <mirrorOf>central</mirrorOf>
+    </mirror>
+  </mirrors>
+</settings>

java/ql/integration-tests/java/maven-enforcer-multiple-versions/source_archive.expected

@@ -1,4 +1,5 @@
 pom.xml
+settings.xml
 src/main/java/com/example/App.java
 src/main/resources/my-app.properties
 src/main/resources/page.xml

java/ql/integration-tests/java/maven-enforcer-multiple-versions/test.py

@@ -1,2 +1,8 @@
+import os
+
 def test(codeql, java):
-    codeql.database.create()
+    codeql.database.create(
+        _env={
+            "LGTM_INDEX_MAVEN_SETTINGS_FILE": os.path.join(os.path.dirname(os.path.realpath(__file__)), "settings.xml"),
+        },
+    )

java/ql/integration-tests/java/maven-enforcer-single-version/settings.xml

@@ -0,0 +1,10 @@
+<settings>
+  <mirrors>
+    <mirror>
+      <id>google-maven-central</id>
+      <name>GCS Maven Central mirror</name>
+      <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
+      <mirrorOf>central</mirrorOf>
+    </mirror>
+  </mirrors>
+</settings>

java/ql/integration-tests/java/maven-enforcer-single-version/source_archive.expected

@@ -1,4 +1,5 @@
 pom.xml
+settings.xml
 src/main/java/com/example/App.java
 src/main/resources/my-app.properties
 src/main/resources/page.xml

java/ql/integration-tests/java/maven-enforcer-single-version/test.py

@@ -1,2 +1,8 @@
+import os
+
 def test(codeql, java):
-    codeql.database.create()
+    codeql.database.create(
+        _env={
+            "LGTM_INDEX_MAVEN_SETTINGS_FILE": os.path.join(os.path.dirname(os.path.realpath(__file__)), "settings.xml"),
+        },
+    )

java/ql/integration-tests/java/maven-enforcer/settings.xml

@@ -0,0 +1,10 @@
+<settings>
+  <mirrors>
+    <mirror>
+      <id>google-maven-central</id>
+      <name>GCS Maven Central mirror</name>
+      <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
+      <mirrorOf>central</mirrorOf>
+    </mirror>
+  </mirrors>
+</settings>

java/ql/integration-tests/java/maven-enforcer/source_archive.expected

@@ -1,4 +1,5 @@
 pom.xml
+settings.xml
 src/main/java/com/example/App.java
 src/main/resources/my-app.properties
 src/main/resources/page.xml

java/ql/integration-tests/java/maven-enforcer/test.py

@@ -1,2 +1,8 @@
+import os
+
 def test(codeql, java):
-    codeql.database.create()
+    codeql.database.create(
+        _env={
+            "LGTM_INDEX_MAVEN_SETTINGS_FILE": os.path.join(os.path.dirname(os.path.realpath(__file__)), "settings.xml"),
+        },
+    )

java/ql/integration-tests/java/maven-execution-specific-java-version/settings.xml

@@ -0,0 +1,10 @@
+<settings>
+  <mirrors>
+    <mirror>
+      <id>google-maven-central</id>
+      <name>GCS Maven Central mirror</name>
+      <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
+      <mirrorOf>central</mirrorOf>
+    </mirror>
+  </mirrors>
+</settings>

java/ql/integration-tests/java/maven-execution-specific-java-version/source_archive.expected

@@ -1,4 +1,5 @@
 pom.xml
+settings.xml
 src/main/java/com/example/App.java
 src/test/java/com/example/AppTest.java
 target/maven-archiver/pom.properties

java/ql/integration-tests/java/maven-execution-specific-java-version/test.py

@@ -1,2 +1,9 @@
+import os
+
 def test(codeql, java, actions_toolchains_file):
-    codeql.database.create(_env={"LGTM_INDEX_MAVEN_TOOLCHAINS_FILE": str(actions_toolchains_file)})
+    codeql.database.create(
+        _env={
+            "LGTM_INDEX_MAVEN_TOOLCHAINS_FILE": str(actions_toolchains_file),
+            "LGTM_INDEX_MAVEN_SETTINGS_FILE": os.path.join(os.path.dirname(os.path.realpath(__file__)), "settings.xml"),
+        }
+    )

java/ql/integration-tests/java/maven-java16-with-higher-jdk/settings.xml

@@ -0,0 +1,10 @@
+<settings>
+  <mirrors>
+    <mirror>
+      <id>google-maven-central</id>
+      <name>GCS Maven Central mirror</name>
+      <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
+      <mirrorOf>central</mirrorOf>
+    </mirror>
+  </mirrors>
+</settings>

java/ql/integration-tests/java/maven-java16-with-higher-jdk/source_archive.expected

@@ -1,3 +1,4 @@
 pom.xml
+settings.xml
 src/main/java/com/example/App.java
 target/maven-archiver/pom.properties

java/ql/integration-tests/java/maven-java16-with-higher-jdk/test.py

@@ -1,2 +1,9 @@
+import os
+
 def test(codeql, java, actions_toolchains_file):
-    codeql.database.create(_env={"LGTM_INDEX_MAVEN_TOOLCHAINS_FILE": str(actions_toolchains_file)})
+    codeql.database.create(
+        _env={
+            "LGTM_INDEX_MAVEN_TOOLCHAINS_FILE": str(actions_toolchains_file),
+            "LGTM_INDEX_MAVEN_SETTINGS_FILE": os.path.join(os.path.dirname(os.path.realpath(__file__)), "settings.xml"),
+        }
+    )

java/ql/integration-tests/java/maven-java8-java11-dependency/settings.xml

@@ -0,0 +1,10 @@
+<settings>
+  <mirrors>
+    <mirror>
+      <id>google-maven-central</id>
+      <name>GCS Maven Central mirror</name>
+      <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
+      <mirrorOf>central</mirrorOf>
+    </mirror>
+  </mirrors>
+</settings>

java/ql/integration-tests/java/maven-java8-java11-dependency/source_archive.expected

@@ -1,4 +1,5 @@
 pom.xml
+settings.xml
 src/main/java/com/example/Calculator.java
 src/test/java/com/example/CalculatorTest.java
 target/maven-archiver/pom.properties

java/ql/integration-tests/java/maven-java8-java11-dependency/test.py

@@ -1,2 +1,9 @@
+import os
+
 def test(codeql, java, actions_toolchains_file):
-    codeql.database.create(_env={"LGTM_INDEX_MAVEN_TOOLCHAINS_FILE": str(actions_toolchains_file)})
+    codeql.database.create(
+        _env={
+            "LGTM_INDEX_MAVEN_TOOLCHAINS_FILE": str(actions_toolchains_file),
+            "LGTM_INDEX_MAVEN_SETTINGS_FILE": os.path.join(os.path.dirname(os.path.realpath(__file__)), "settings.xml"),
+        }
+    )

java/ql/integration-tests/java/maven-multimodule-test-java-version/settings.xml

@@ -0,0 +1,10 @@
+<settings>
+  <mirrors>
+    <mirror>
+      <id>google-maven-central</id>
+      <name>GCS Maven Central mirror</name>
+      <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
+      <mirrorOf>central</mirrorOf>
+    </mirror>
+  </mirrors>
+</settings>

java/ql/integration-tests/java/maven-multimodule-test-java-version/source_archive.expected

@@ -2,6 +2,7 @@ main-module/pom.xml
 main-module/src/main/java/com/example/App.java
 main-module/target/maven-archiver/pom.properties
 pom.xml
+settings.xml
 test-module/pom.xml
 test-module/src/main/java/com/example/tests/TestUtils.java
 test-module/target/maven-archiver/pom.properties

java/ql/integration-tests/java/maven-sample-extract-properties/settings.xml

@@ -0,0 +1,10 @@
+<settings>
+  <mirrors>
+    <mirror>
+      <id>google-maven-central</id>
+      <name>GCS Maven Central mirror</name>
+      <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
+      <mirrorOf>central</mirrorOf>
+    </mirror>
+  </mirrors>
+</settings>

java/ql/integration-tests/java/maven-sample-extract-properties/source_archive.expected

@@ -1,4 +1,5 @@
 pom.xml
+settings.xml
 src/main/java/com/example/App.java
 src/main/resources/my-app.properties
 src/main/resources/page.xml