This VM was built to provide an “executable architecture” for Java Static Application Security Testing (SAST) scanning and vulnerability remediation: a proof of concept and quick-start or learning environment for Java developers and security experts who want to improve code quality and security by applying an open-source static code analysis tool. I used SonarQube Community Edition 10.6 (the latest free edition at the time of writing) against the latest codebase of OWASP WebGoat, a real-life project with a considerable codebase.
To demonstrate how you could start remediation by targeting the most severe “Security Hotspots” (in SonarQube terminology, security-sensitive code that is flagged for manual review rather than reported as a confirmed vulnerability), I did a quick tour of the SonarQube web UI, digging into SQL injection: https://www.youtube.com/watch?v=yBeJr38DAFE
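As an added example (not WebGoat code and not from the video), the following shows the pattern SonarQube reports for SQL injection in JDBC code beside its parameterized fix, so you can see what a remediation of this kind of finding looks like in practice. The `users` table, the `Connection` (assumed to come from the application's data source) and the attacker payload are all assumptions for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example: a JDBC lookup written the way SonarQube flags it (SQL built
 * by string concatenation from untrusted input) next to the parameterized fix.
 * The "users" table and the Connection are assumptions for illustration.
 */
public class UserLookup {

    // VULNERABLE: untrusted input becomes part of the SQL text, so the input
    // can change the structure of the statement, not just the value compared.
    static String buildVulnerableQuery(String userName) {
        return "SELECT id, name FROM users WHERE name = '" + userName + "'";
    }

    static List<String> findUserVulnerable(Connection conn, String userName) throws SQLException {
        List<String> names = new ArrayList<>();
        // Statement.executeQuery with a concatenated string is what the scanner reports.
        try (Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery(buildVulnerableQuery(userName))) {
            while (rs.next()) {
                names.add(rs.getString("name"));
            }
        }
        return names;
    }

    // FIXED: the SQL text is a constant; the value is bound as a parameter and
    // is always treated as data, never as part of the statement.
    static final String SAFE_QUERY = "SELECT id, name FROM users WHERE name = ?";

    static List<String> findUserSafe(Connection conn, String userName) throws SQLException {
        List<String> names = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(SAFE_QUERY)) {
            ps.setString(1, userName);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString("name"));
                }
            }
        }
        return names;
    }

    public static void main(String[] args) {
        // Constructed attacker input, demonstrated without a live database:
        // the vulnerable builder turns a name lookup into a match-all query.
        String payload = "' OR '1'='1";
        System.out.println("Vulnerable SQL sent to the database:");
        System.out.println("  " + buildVulnerableQuery(payload));
        System.out.println("Parameterized SQL sent to the database:");
        System.out.println("  " + SAFE_QUERY + "   (parameter 1 bound to: " + payload + ")");
    }
}
```

Running `main` prints the concatenated query with the payload spliced into it, which is exactly what the database would execute in the vulnerable version; the parameterized version sends the constant query text and the payload separately, so the same input only ever matches a user literally named `' OR '1'='1`. When applying a fix like this in WebGoat, re-run the scan afterwards: the finding should disappear rather than merely be marked as reviewed.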