fine-tuning readme and sonar quide

Author: newlight77

README.md

@@ -1,10 +1,11 @@
-# Java Vulnerabilities Experiment
+# Java Vulnerabilities Lab
 
-This is a "Vulnerable" Web Application developed by Cyber Security and Privacy Foundation(www.cysecurity.org). This app is intended for the Java Programmers and other people who wish to learn about Web application vulnerabilities and write secure code.
+This is a **vulnerable** Web Application developed by [Cyber Security and Privacy Foundation](www.cysecurity.org). 
+This app is intended for the Java Developers and other people who wish to learn about Web Application vulnerabilities or simply write secure code because they are concerned about security - and **`everyone should!`**.
 
 ## Prerequisites:
 
-- [git](https://git-scm.com/downloads)
+- [Git](https://git-scm.com/downloads)
 - with [Docker](https://docs.docker.com/install/), [docker-compose](https://docs.docker.com/compose/install/) and [Vagrant](https://www.vagrantup.com/docs/installation/)
 - or [JDK8+](https://openjdk.java.net/install/), [Maven](http://maven.apache.org/install.html) and [tomcat 8](https://tomcat.apache.org/tomcat-8.5-doc/setup.html)
 
@@ -58,17 +59,17 @@ And the link at next step will require the server hostname or IP address.
 
 ## Vulnerabilities Scan
 
-The Open Web Application Security Project (OWASP) team recommends many [tools](https://www.owasp.org/index.php/Appendix_A:_Testing_Tools) to address security matters. 
-One of the most popular is the OWASP `Zed Attack Proxy` (**ZAP**) tool to scan the vulnerabilities. please refer to [this guideline](docs/owasp-zap.md). 
-Also, if you need to automate everything in your Continuous Integration and Continuous Delivery (**CI/CD**) toolchain, you can go through this [this guideline](docs/sonarqube.md).
+The Open Web Application Security Project (OWASP) team recommends many [tools](https://www.owasp.org/index.php/Appendix_A:_Testing_Tools) to address security matters, allowing to scan the vulnerabilities of Web Applications.
+One of the most popular is OWASP `Zed Attack Proxy` (**ZAP**). Please refer to this [guideline](docs/owasp-zap.md) for more details.
+Also, if you need to automate everything in your Continuous Integration and Continuous Delivery (**CI/CD**) toolchain, you can go through this [guideline](docs/sonarqube.md).
 
 ## Notes
 
 **The full course on Hacking and Securing Web Java Programs is available in** 
 
 https://www.udemy.com/hacking-securing-java-web-programming/
 
-**Warning**: It's not recommanded to run this app in `Your Main Machine` or in an `online server`.  Prefer using Docker or a VM (vagrant).
+**Warning**: It's not recommended to run this app in `Your Main Machine` or in an `online server`.  Prefer using Docker or a VM (vagrant).
 
 You can also get the VulnerableSpring Project from [here](https://github.com/CSPF-Founder/VulnerableSpring).
 

docs/owasp-zap.md

@@ -1,7 +1,7 @@
 # OWASP Zap Tool
 
 The Open Web Application Security Project (OWASP) provides a security tool, called `Zed Attack Proxy` (**ZAP**) to scan the vulnerabilities.
-OWASP ZAP is one of the most popular security tools and is actively maintained. It comes with a UI and it allows to launch an automated scan against a URL of a web application - for example [http://localhost:8080](http://localhost:8080).
+OWASP ZAP is one of the most popular security tools and is actively maintained. It comes with a UI and it allows to launch an automated scan against a URL of a web application - for example [http://localhost:8080/JavaVulnerableLab](http://localhost:8080/JavaVulnerableLab).
 
 ![Alt Text](assets/owasp-zap-2.8.0-screenshot.png)
 

docs/sonarqube.md

@@ -48,14 +48,36 @@ docker-compose up -d sonarqube
 
 Run this command to analyse the codebase :
 
+If using Vagrant :
+
+```sh
+vagrant ssh
+sudo su -
+cd /vagrant
+docker-compose up -d sonarqube
+sleep 5
+docker exec vagrant_javavulnlab_1 mvn sonar:sonar -Dsonar.host.url=http://192.168.10.10:9000
+```
+
+If SonarQube is running inside a container on a VM :
+
+```sh
+docker exec javavulnerablelab_javavulnlab_1 mvn sonar:sonar -Dsonar.host.url=http://HOSTNAME_OR_IP_ADDRESS:9000
+```
+
+If you are directly on a machine :
+
 ```sh
 mvn sonar:sonar
 ```
 
-It connects to the SonarQube server to retrieve information, such as rules and plugins to apply while scanning the code.
+Here, by default it connects to http://localhost:9000.
+
+It connects to the SonarQube server to retrieve information, such as rules and plugins to apply while scanning the code. 
+Once the scan is completed, the resulting metrics are sent to the SonarQube server. Then you may see the dashboard [here](http://localhost:9000).
 
 ## Quality Metrics
 
-Once this is done, we can see the metrics on SonarQube [Dashboard](http://127.0.0.1:9000/project/issues?id=org.cysecurity%3AJavaVulnerableLab&resolved=false&sonarsourceSecurity=sql-injection&types=SECURITY_HOTSPOT)
+Once this is done, we can see the [vulnerabilities](http://127.0.0.1:9000/project/issues?id=org.cysecurity%3AJavaVulnerableLab&resolved=false&sonarsourceSecurity=sql-injection&types=SECURITY_HOTSPOT) metrics on SonarQube.
 
 ![Alt Text](assets/Java-SonarQube-OWASP-Vulnerabilities.png)