Fix vulnerable components lesson for Java 16.

docker/start.sh

@@ -4,7 +4,17 @@ cd /home/webgoat
 service nginx start
 sleep 1
 echo "Starting WebGoat..."
-java -Duser.home=/home/webgoat -Dfile.encoding=UTF-8 -jar webgoat.jar --webgoat.build.version=$1 --server.address=0.0.0.0  > webgoat.log &
+
+java \
+ -Duser.home=/home/webgoat \
+ -Dfile.encoding=UTF-8 \
+ --add-opens java.base/java.util=ALL-UNNAMED \
+ --add-opens java.base/java.lang.reflect=ALL-UNNAMED \
+ --add-opens java.base/java.text=ALL-UNNAMED \
+ --add-opens java.desktop/java.awt.font=ALL-UNNAMED \
+ --add-opens java.base/sun.nio.ch=ALL-UNNAMED \
+ --add-opens java.base/java.io=ALL-UNNAMED \
+ -jar webgoat.jar --webgoat.build.version="$1" --server.address=0.0.0.0 > webgoat.log &
 
 sleep 10
 

webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content5a.adoc

@@ -1,5 +1,7 @@
 == Exploiting http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7285[CVE-2013-7285] (XStream)
 
+NOTE: This lesson only works when you are using the Docker image of WebGoat.
+
 WebGoat uses an XML document to add contacts to a contacts database.  
 [source,xml]
 ----