added a guide and screenshot of owasp-zap tool and added sonarqube service in docker-compose

newlight77 · newlight77 · commit ffcaccf37cb9 · 2019-10-06T11:52:01.000+02:00
diff --git a/README.md b/README.md
@@ -4,51 +4,42 @@ This is a "Vulnerable" Web Application developed by Cyber Security and Privacy F
 
 ## Prerequisites:
 
-- git
-- docker docker-compose
-- vagrant
+- [git](https://git-scm.com/downloads)
+- with [Docker](https://docs.docker.com/install/), [docker-compose](https://docs.docker.com/compose/install/) and [Vagrant](https://www.vagrantup.com/docs/installation/)
+- or [JDK8+](https://openjdk.java.net/install/), [Maven](http://maven.apache.org/install.html) and [tomcat 8](https://tomcat.apache.org/tomcat-8.5-doc/setup.html)
 
 ## Deploy it
 
-1. Using Docker to run on a machine :
+There are many easy way to deploy this application.
+
+1. Using Vagrant to run this application in a VM (containers are launched inside it, as describe in option #2) :
 
 ```sh
 git clone https://github.com/softwaresecured/JavaVulnerableLab.git
 cd JavaVulnerableLab
-docker-compose up
+vagrant up
 ```
 
-2. Using Vagrant to run this application in a VM (containers are launched inside it) :
+2. Using Docker to run on a machine :
 
 ```sh
 git clone https://github.com/softwaresecured/JavaVulnerableLab.git
 cd JavaVulnerableLab
-vagrant up
+docker-compose up -d javavulnlab mysql
 ```
 
 3. If not using Docker at all, you'll need to the JDBC URL in `config.properties` and `install.jsp` from :
 
 ```
-dburl=jdbc:mysql://mysql:3306/
-```
-
-to this :
-
-```
-jdbc:mysql://localhost:3306 
+dburl=jdbc:mysql://mysql:3306/  => jdbc:mysql://localhost:3306 
 ```
 
 4. If you want to play with it on a VPS, you'll need to the JDBC URL in `config.properties` and `install.jsp` from :
                                       
 ```
-dburl=jdbc:mysql://mysql:3306/
+dburl=jdbc:mysql://mysql:3306/  => jdbc:mysql://SERVER_HOSTNAME_OR_IP_ADDRESS:3306 
 ```
 
-to this :
-
-```
-jdbc:mysql://IP_ADDRESS:3306 
-```
 And the link at next step will require the server hostname or IP address.
 
 5. You already have a tomcat, and want to deploy the application with a war. 
@@ -65,9 +56,11 @@ And the link at next step will require the server hostname or IP address.
 
 2. And click on `Install` button, by leaving default values as-is.
 
-## Vulnerabilties Metrics
+## Vulnerabilities Scan
 
-OWASP comes with a Zed Attack Proxy (ZAP) tool to scan the vulnerabilities. We can use a ZAP Plugin for SonarQube 7.x to do just that. If you are interested in doing so, please refer to [this](./sonarqube/sonarqube.md) 
+The Open Web Application Security Project (OWASP) team recommends many [tools](https://www.owasp.org/index.php/Appendix_A:_Testing_Tools) to address security matters. 
+One of the most popular is the OWASP `Zed Attack Proxy` (**ZAP**) tool to scan the vulnerabilities. please refer to [this guideline](docs/owasp-zap.md). 
+Also, if you need to automate everything in your Continuous Integration and Continuous Delivery (**CI/CD**) toolchain, you can go through this [this guideline](docs/sonarqube.md).
 
 ## Notes
 
diff --git a/Vagrantfile b/Vagrantfile
@@ -31,7 +31,7 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
     cd /vagrant
     /usr/local/bin/docker-compose down
     /usr/local/bin/docker-compose build
-    /usr/local/bin/docker-compose up -d
+    /usr/local/bin/docker-compose up -d javavulnlab mysql
   SHELL
 
  end
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -11,3 +11,9 @@ mysql:
     - 3306:3306
   environment:
     - MYSQL_ROOT_PASSWORD=root
+
+sonarqube:
+    build: ./sonarqube
+    ports:
+      - 9000:9000
+      - 9092:9092
diff --git a/docs/assets/Java-SonarQube-OWASP-Vulnerabilities.png b/docs/assets/Java-SonarQube-OWASP-Vulnerabilities.png
diff --git a/docs/assets/owasp-zap-2.8.0-screenshot.png b/docs/assets/owasp-zap-2.8.0-screenshot.png
diff --git a/docs/owasp-zap.md b/docs/owasp-zap.md
@@ -0,0 +1,14 @@
+# OWASP Zap Tool
+
+The Open Web Application Security Project (OWASP) provides a security tool, called `Zed Attack Proxy` (**ZAP**) to scan the vulnerabilities.
+OWASP ZAP is one of the most popular security tools and is actively maintained. It comes with a UI and it allows to launch an automated scan against a URL of a web application - for example [http://localhost:8080](http://localhost:8080).
+
+![Alt Text](assets/owasp-zap-2.8.0-screenshot.png)
+
+You may download it [here](https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project).
+
+But in the software industry, we may want to automate to this inside the Continuous Integration and Continuous Delivery (**CI/CD**) toolchain. Generally, SonarQube is used to gather metrics related to the software quality and vulnerabilities. 
+
+
+Here, we can use a[ ZAP Plugin](https://github.com/Coveros/zap-sonar-plugin) for SonarQube 7.x to do just that. If you are interested in doing so, please refer to [this guideline](sonarqube.md).
+
diff --git a/docs/sonarqube.md b/docs/sonarqube.md
@@ -34,7 +34,15 @@ We can use a plugin that has been developed by Gene Gotimer ([zap-sonar-plugin](
 
 ## SonarQube instance
 
-In order to be able to scan the code for vulnerabilities as well as for code qualimetry (coverage, duplication...), we need a running instance of SonarQube. Here we are using Docker to provide that instance, and by the way we do have to create a Dockerfile adding the Zap-Proxy plugin jar on top of SonarQube docker image `sonarqube:lts`. The Current LTS version is 7.9.
+In order to be able to scan the code for vulnerabilities as well as for code qualimetry (coverage, duplication...), we need a running instance of SonarQube. 
+Here we can use Docker to provide that instance. It's the simpliest way. The sonarqube/Dockerfile is doing the job for you. Within the Dockerfile, the Zap-Proxy plugin jar is added. As per the time this is written, that plugin requires the current LTS version is 7.9 of SonarQube. 
+
+You may run the below commands on the machine (Vagrant VM, or VPS, local machine) :
+
+```
+docker-compose build sonarqube
+docker-compose up -d sonarqube
+```
 
 ## Run a scan
 
@@ -44,10 +52,10 @@ Run this command to analyse the codebase :
 mvn sonar:sonar
 ```
 
-It connected to the SonarQube server to retrieve informations, such as rules and plugins to apply while scanning the code.
+It connects to the SonarQube server to retrieve information, such as rules and plugins to apply while scanning the code.
 
 ## Quality Metrics
 
 Once this is done, we can see the metrics on SonarQube [Dashboard](http://127.0.0.1:9000/project/issues?id=org.cysecurity%3AJavaVulnerableLab&resolved=false&sonarsourceSecurity=sql-injection&types=SECURITY_HOTSPOT)
 
-![Alt Text](./Java-SonarQube-OWASP-Vulnerabilities.png)
+![Alt Text](assets/Java-SonarQube-OWASP-Vulnerabilities.png)
