Add CI/CD security scanning and memory leak documentation

Flossy · claude · Scot P. Floess · commit da759fbe67d4 · 2026-05-23T23:54:46.000-04:00
Issue #23 - Add CI/CD Security Scanning: - Add CodeQL security scanning workflow (.github/workflows/codeql.yml) - Runs on push to main, pull requests, and weekly schedule - Uses security-extended and security-and-quality queries - Analyzes Java code for security vulnerabilities - Add OWASP Dependency-Check to main workflow - Scans dependencies for known CVEs - Fails build on CVSS score >= 7 (high/critical) - Uploads dependency check report as artifact - Set to continue-on-error to not block deployments initially Issue #27 - Add Memory Leak Documentation: - Comprehensive memory leak prevention documentation in JClassLoader javadoc - Hot reload best practices with code examples - Memory leak detection techniques - Common memory leak causes (ThreadLocal, static caches, thread pools) - Proper cleanup examples (try-with-resources, null references, close()) - Examples showing correct vs incorrect hot reload patterns Benefits: - Automated security vulnerability detection - Dependency vulnerability scanning - Users educated on memory leak prevention - Clear hot reload implementation guidance Fixes #23, #27 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,51 @@
+name: "CodeQL Security Scanning"
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    # Run at 2:30 AM every Monday
+    - cron: '30 2 * * 1'
+
+jobs:
+  analyze:
+    name: Analyze Code Security
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'java' ]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup JDK 21
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: '21'
+
+      # Initialize CodeQL
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          queries: security-extended,security-and-quality
+
+      # Build the project
+      - name: Build with Maven
+        run: mvn clean compile -DskipTests
+
+      # Perform CodeQL Analysis
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -61,6 +61,18 @@ jobs:
       - name: Building
         run: "mvn -U clean install"
 
+      - name: OWASP Dependency Check
+        run: "mvn org.owasp:dependency-check-maven:check -DfailBuildOnCVSS=7"
+        continue-on-error: true
+
+      - name: Upload Dependency Check Report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: dependency-check-report
+          path: target/dependency-check-report.html
+          retention-days: 30
+
       - name: Deploy to packagecloud.io
         run: "mvn -DskipTests deploy"
 
diff --git a/src/main/java/org/flossware/jclassloader/JClassLoader.java b/src/main/java/org/flossware/jclassloader/JClassLoader.java
@@ -17,13 +17,74 @@
  * Custom ClassLoader supporting multiple class sources with caching and lifecycle management.
  * Implements AutoCloseable for proper resource cleanup and memory leak prevention.
  *
- * IMPORTANT: Always close this ClassLoader when done to prevent memory leaks,
- * especially in hot reload scenarios. Use try-with-resources:
- * <pre>
- * try (JClassLoader loader = JClassLoader.builder()...build()) {
- *     // Use loader
- * }  // Automatically closed
- * </pre>
+ * <h2>Memory Leak Prevention</h2>
+ * <p><b>CRITICAL:</b> ClassLoaders can cause memory leaks if not properly managed. This ClassLoader
+ * holds strong references to all loaded classes, which prevents those classes (and their static fields)
+ * from being garbage collected until the ClassLoader itself is collected.</p>
+ *
+ * <h3>Always Close When Done</h3>
+ * <p>Use try-with-resources to ensure proper cleanup:</p>
+ * <pre>{@code
+ * try (JClassLoader loader = JClassLoader.builder()
+ *         .addLocalSource("/path/to/classes")
+ *         .build()) {
+ *     Class<?> clazz = loader.loadClass("com.example.MyClass");
+ *     // Use the class
+ * }  // Automatically closes and releases resources
+ * }</pre>
+ *
+ * <h3>Hot Reload / Class Reloading Scenarios</h3>
+ * <p>When implementing hot reload or dynamic class reloading:</p>
+ * <ol>
+ *   <li><b>Create a new ClassLoader for each reload</b> - Don't reuse ClassLoaders</li>
+ *   <li><b>Close the old ClassLoader</b> - Call {@link #close()} on the old loader</li>
+ *   <li><b>Clear all references</b> - Null out references to classes from the old loader</li>
+ *   <li><b>Avoid static state</b> - Static fields in loaded classes prevent GC</li>
+ *   <li><b>Be careful with ThreadLocal</b> - Can leak ClassLoader references</li>
+ * </ol>
+ *
+ * <p><b>Example - Proper Hot Reload:</b></p>
+ * <pre>{@code
+ * // Old way (MEMORY LEAK - old ClassLoader never released):
+ * JClassLoader loader = JClassLoader.builder()...build();
+ * // ... use loader ...
+ * loader = JClassLoader.builder()...build();  // OLD LOADER LEAKED!
+ *
+ * // Correct way:
+ * JClassLoader oldLoader = currentLoader;
+ * JClassLoader newLoader = JClassLoader.builder()...build();
+ *
+ * // Switch to new loader
+ * currentLoader = newLoader;
+ *
+ * // Release old loader and all its classes
+ * if (oldLoader != null) {
+ *     oldLoader.close();  // Close resources
+ *     oldLoader = null;   // Clear reference
+ * }
+ * System.gc();  // Suggest GC (doesn't guarantee collection)
+ * }</pre>
+ *
+ * <h3>Memory Leak Detection</h3>
+ * <p>To detect ClassLoader leaks in your application:</p>
+ * <ul>
+ *   <li>Use heap dumps and memory profilers (VisualVM, YourKit, JProfiler)</li>
+ *   <li>Look for multiple instances of the same ClassLoader class</li>
+ *   <li>Check for references from Thread contexts, static fields, or caches</li>
+ *   <li>Monitor {@link #isClosed()} - closed loaders should be GC'd</li>
+ * </ul>
+ *
+ * <h3>Common Memory Leak Causes</h3>
+ * <ul>
+ *   <li><b>ThreadLocal variables</b> holding class references</li>
+ *   <li><b>Static caches</b> holding instances from dynamically loaded classes</li>
+ *   <li><b>Logging frameworks</b> holding references to logger instances</li>
+ *   <li><b>Thread pools</b> with threads created by loaded classes</li>
+ *   <li><b>Weak/Soft reference caches</b> not cleared on reload</li>
+ * </ul>
+ *
+ * @see #close()
+ * @see #isClosed()
  */
 public class JClassLoader extends ClassLoader implements AutoCloseable {
     private final List<ClassSource> classSources;
