From 4b0456e8aa9303871135a6e9b13d9eb32586b009 Mon Sep 17 00:00:00 2001
From: orlyk <orly.kilidgan@checkmarx.com>
Date: Thu, 1 Oct 2020 11:12:21 +0300
Subject: [PATCH 1/7] Add test for state in github comments

---
 build-11.gradle                               |  2 +-
 build.gradle                                  |  2 +-
 .../github2ado/Github2AdoSteps.java           | 50 ++++++++++++++++++-
 .../azure/github2ado/github2ado.feature       | 22 +++++++-
 4 files changed, 70 insertions(+), 6 deletions(-)

diff --git a/build-11.gradle b/build-11.gradle
index 7bca10e15..e870407c2 100644
--- a/build-11.gradle
+++ b/build-11.gradle
@@ -2,7 +2,7 @@ import org.gradle.api.tasks.testing.Test
 
 buildscript {
 	ext {
-        CxSBSDK = "0.4.45"
+        CxSBSDK = "0.4.46"
         //cxVersion = "8.90.5"
         springBootVersion = '2.2.6.RELEASE'
         sonarqubeVersion = '2.8'
diff --git a/build.gradle b/build.gradle
index c196586ee..7c83e14f3 100644
--- a/build.gradle
+++ b/build.gradle
@@ -1,6 +1,6 @@
 buildscript {
     ext {
-        CxSBSDK = "0.4.45"
+        CxSBSDK = "0.4.46"
         //cxVersion = "8.90.5"
         springBootVersion = '2.2.6.RELEASE'
         sonarqubeVersion = '2.8'
diff --git a/src/test/java/com/checkmarx/flow/cucumber/integration/azure/publishing/github2ado/Github2AdoSteps.java b/src/test/java/com/checkmarx/flow/cucumber/integration/azure/publishing/github2ado/Github2AdoSteps.java
index 6fe4c8033..553593a24 100644
--- a/src/test/java/com/checkmarx/flow/cucumber/integration/azure/publishing/github2ado/Github2AdoSteps.java
+++ b/src/test/java/com/checkmarx/flow/cucumber/integration/azure/publishing/github2ado/Github2AdoSteps.java
@@ -16,9 +16,12 @@
 import com.checkmarx.sdk.config.Constants;
 import com.checkmarx.sdk.config.CxProperties;
 import com.checkmarx.sdk.dto.ScanResults;
+import com.checkmarx.sdk.dto.ast.ASTResults;
+import com.cx.restclient.ast.dto.sast.report.Finding;
 import com.checkmarx.sdk.dto.cx.CxScanSummary;
 import com.checkmarx.sdk.exception.CheckmarxException;
 import com.checkmarx.sdk.service.CxClient;
+import com.cx.restclient.ast.dto.sast.AstSastResults;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import io.cucumber.java.Before;
@@ -50,6 +53,11 @@
 public class Github2AdoSteps {
     public static final String GITHUB_USER = "cxflowtestuser";
     public static final String AZURE = "Azure";
+    private static final String AST = "AST";
+    private static final String WEB_REPORT_LINK = "http://fake.co.il";
+    private static final String SAST = "SAST";
+    private static final String TO_VERIFY = "TO_VERIFY";
+    private static final String DESCRIPTION_AST = "Description AST";
 
     private final CxClient cxClientMock;
     private final GitHubService gitHubService;
@@ -81,6 +89,8 @@ public class Github2AdoSteps {
     @Autowired
     private ApplicationContext applicationContext;
     
+    private String scannerType;
+
     public Github2AdoSteps(FlowProperties flowProperties, GitHubService gitHubService,
                            CxProperties cxProperties, GitHubProperties gitHubProperties,
                            ConfigurationOverrider configOverrider, FlowService flowService,
@@ -214,7 +224,7 @@ public void validateIssues(String project, String namespace){
     @And("description field is populated")
     public void validateDescription() throws IOException {
         azureDevopsClient.getIssues().forEach(issue -> {
-            Assert.assertTrue(issue.getBody().toLowerCase().contains("description"));
+            Assert.assertTrue(issue.getBody().toLowerCase().contains(DESCRIPTION_AST));
         });
     }
 
@@ -318,6 +328,19 @@ private void initResultsServiceMock() {
                 cxProperties));
     }
 
+    @And("Scanner is AST")
+    public void setScannerAST(){
+        this.scannerType = AST;
+        flowProperties.setEnabledVulnerabilityScanners(Arrays.asList(AST));
+    }
+
+    @And("Scanner is CX-SAST")
+    public void setScannerSAST(){
+        this.scannerType = SAST;
+        flowProperties.setEnabledVulnerabilityScanners(Arrays.asList(SAST));
+
+    }
+    
     private ScanResults createFakeResults() {
         ScanResults result = new ScanResults();
         
@@ -326,6 +349,9 @@ private ScanResults createFakeResults() {
         Map<String, Object> details = new HashMap<>();
         details.put(Constants.SUMMARY_KEY, new HashMap<>());
 
+        if(scannerType.equals(AST)){
+            createAftFindings(result);
+        }
         result.setAdditionalDetails(details);
         
         result.setXIssues(ScanResultsBuilder.get2XIssues());
@@ -333,7 +359,27 @@ private ScanResults createFakeResults() {
         return result;
     }
 
-    
+    private void createAftFindings(ScanResults result) {
+        result.setAstResults(new ASTResults());
+        result.getAstResults().setResults(new AstSastResults());
+        result.getAstResults().getResults().setScanId("111");
+        result.getAstResults().getResults().setWebReportLink(WEB_REPORT_LINK);
+        LinkedList<Finding> findings = new LinkedList();
+        Finding f1 = new Finding();
+        f1.setDescription(DESCRIPTION_AST + " 1");
+        f1.setState(TO_VERIFY);
+
+        Finding f2 = new Finding();
+        f2.setDescription(DESCRIPTION_AST + " 2");
+        f2.setState(TO_VERIFY);
+
+        findings.add(f1);
+        findings.add(f2);
+
+        result.getAstResults().getResults().setFindings(findings);
+    }
+
+
     /**
      * Returns scan results as if they were produced by SAST.
      */
diff --git a/src/test/resources/cucumber/features/integrationTests/azure/github2ado/github2ado.feature b/src/test/resources/cucumber/features/integrationTests/azure/github2ado/github2ado.feature
index 447e4d281..d5859fcf8 100644
--- a/src/test/resources/cucumber/features/integrationTests/azure/github2ado/github2ado.feature
+++ b/src/test/resources/cucumber/features/integrationTests/azure/github2ado/github2ado.feature
@@ -3,13 +3,14 @@ Feature: CxFlow should read configuration from cx.config file in the root of rep
 
   
   @ProjectName
-  Scenario Outline: CxFlow will create tickets in the appropriate project in Azure 
+  Scenario Outline: CxFlow will mimic CX-SAST results and create tickets in the appropriate project in Azure 
     Given application.yml contains the Azure project "<inputProject>" and Asure namespace "<inputNamespace>"
+    And Scanner is Cx-SAST
     And commit or merge pull request is performed in github repo "<repo>" and branch "<branch>"
     And project "<outputProject>" exists in Azure under namespace "<outputNamespace>"
     And SAST scan produces high and medium results
     Then CxFlow will create appropriate tickets in project "<outputProject>" in namespace "<outputNamespace>" in Azure
-    And description field is populated
+
     
     Examples:
       | repo     | branch | inputProject | inputNamespace | outputProject | outputNamespace |
@@ -17,4 +18,21 @@ Feature: CxFlow should read configuration from cx.config file in the root of rep
       | testsAdo | master | CxTest2      |                | CxTest2       | cxflowtestuser  |
       | testsAdo | master | testsAdo     |                | testsAdo      | cxflowtestuser  |
 
+
+  @ProjectName
+  Scenario Outline: CxFlow will mimic AST results and create tickets in the appropriate project in Azure
+    Given application.yml contains the Azure project "<inputProject>" and Asure namespace "<inputNamespace>"
+    And Scanner is AST
+    And commit or merge pull request is performed in github repo "<repo>" and branch "<branch>"
+    And project "<outputProject>" exists in Azure under namespace "<outputNamespace>"
+    And SAST scan produces high and medium results
+    Then CxFlow will create appropriate tickets in project "<outputProject>" in namespace "<outputNamespace>" in Azure
+    And description field is populated
+
+    Examples:
+      | repo     | branch | inputProject | inputNamespace | outputProject | outputNamespace |
+      | testsAdo | master | CxTest1      | CxNamespace    | CxTest1       | CxNamespace     |
+      | testsAdo | master | CxTest2      |                | CxTest2       | cxflowtestuser  |
+      | testsAdo | master | testsAdo     |                | testsAdo      | cxflowtestuser  |
+
  
\ No newline at end of file

From 357345771885bf679ebe15fbe065f8433f7fc5dd Mon Sep 17 00:00:00 2001
From: orlyk <orly.kilidgan@checkmarx.com>
Date: Thu, 1 Oct 2020 12:47:06 +0300
Subject: [PATCH 2/7] Add test for state in ADO

---
 .../azure/publishing/github2ado/Github2AdoSteps.java            | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/test/java/com/checkmarx/flow/cucumber/integration/azure/publishing/github2ado/Github2AdoSteps.java b/src/test/java/com/checkmarx/flow/cucumber/integration/azure/publishing/github2ado/Github2AdoSteps.java
index 553593a24..82b9bc492 100644
--- a/src/test/java/com/checkmarx/flow/cucumber/integration/azure/publishing/github2ado/Github2AdoSteps.java
+++ b/src/test/java/com/checkmarx/flow/cucumber/integration/azure/publishing/github2ado/Github2AdoSteps.java
@@ -225,6 +225,8 @@ public void validateIssues(String project, String namespace){
     public void validateDescription() throws IOException {
         azureDevopsClient.getIssues().forEach(issue -> {
             Assert.assertTrue(issue.getBody().toLowerCase().contains(DESCRIPTION_AST));
+            Assert.assertTrue(issue.getBody().toLowerCase().contains(TO_VERIFY));
+
         });
     }
 

From fac6bcfdd4f11df10ea41ebcde2e45b16a49ce90 Mon Sep 17 00:00:00 2001
From: orlyk <orly.kilidgan@checkmarx.com>
Date: Thu, 1 Oct 2020 15:54:09 +0300
Subject: [PATCH 3/7] Add description check for ADO

---
 .../github2ado/Github2AdoSteps.java           | 55 ++++++++++++-------
 .../azure/github2ado/github2ado.feature       |  6 +-
 2 files changed, 38 insertions(+), 23 deletions(-)

diff --git a/src/test/java/com/checkmarx/flow/cucumber/integration/azure/publishing/github2ado/Github2AdoSteps.java b/src/test/java/com/checkmarx/flow/cucumber/integration/azure/publishing/github2ado/Github2AdoSteps.java
index 82b9bc492..18b29a234 100644
--- a/src/test/java/com/checkmarx/flow/cucumber/integration/azure/publishing/github2ado/Github2AdoSteps.java
+++ b/src/test/java/com/checkmarx/flow/cucumber/integration/azure/publishing/github2ado/Github2AdoSteps.java
@@ -17,11 +17,13 @@
 import com.checkmarx.sdk.config.CxProperties;
 import com.checkmarx.sdk.dto.ScanResults;
 import com.checkmarx.sdk.dto.ast.ASTResults;
+import com.cx.restclient.ast.dto.sast.report.AstSastSummaryResults;
 import com.cx.restclient.ast.dto.sast.report.Finding;
 import com.checkmarx.sdk.dto.cx.CxScanSummary;
 import com.checkmarx.sdk.exception.CheckmarxException;
 import com.checkmarx.sdk.service.CxClient;
 import com.cx.restclient.ast.dto.sast.AstSastResults;
+import com.cx.restclient.ast.dto.sast.report.FindingNode;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import io.cucumber.java.Before;
@@ -134,7 +136,7 @@ public void prepareServices() {
         
         issueService = new IssueService(flowProperties);
         issueService.setApplicationContext(applicationContext);
-        scanResultsToInject = createFakeResults();
+       
         initCxClientMock();
         initServices();
         initHelperServiceMock();
@@ -214,20 +216,18 @@ public void validateIssues(String project, String namespace){
             assertTrue(azureDevopsClient.projectExists());
             assertEquals(2, azureDevopsClient.getIssues().size());
             
-            azureDevopsClient.deleteProjectIssues();
-            
         } catch (IOException e) {
             fail(e.getMessage());
         }
     }
 
-    @And("description field is populated")
-    public void validateDescription() throws IOException {
+    @And("Additional fields are populated")
+    public void validateAdditionalFields() throws IOException {
         azureDevopsClient.getIssues().forEach(issue -> {
-            Assert.assertTrue(issue.getBody().toLowerCase().contains(DESCRIPTION_AST));
-            Assert.assertTrue(issue.getBody().toLowerCase().contains(TO_VERIFY));
-
+            Assert.assertTrue(issue.getBody().contains(DESCRIPTION_AST));
         });
+
+        azureDevopsClient.deleteProjectIssues();
     }
 
     @And("project {string} exists in Azure under namespace {string}")
@@ -334,12 +334,14 @@ private void initResultsServiceMock() {
     public void setScannerAST(){
         this.scannerType = AST;
         flowProperties.setEnabledVulnerabilityScanners(Arrays.asList(AST));
+        scanResultsToInject = createFakeResults();
     }
 
-    @And("Scanner is CX-SAST")
+    @And("Scanner is SAST")
     public void setScannerSAST(){
         this.scannerType = SAST;
         flowProperties.setEnabledVulnerabilityScanners(Arrays.asList(SAST));
+        scanResultsToInject = createFakeResults();
 
     }
     
@@ -352,7 +354,7 @@ private ScanResults createFakeResults() {
         details.put(Constants.SUMMARY_KEY, new HashMap<>());
 
         if(scannerType.equals(AST)){
-            createAftFindings(result);
+            createAstFindings(result);
         }
         result.setAdditionalDetails(details);
         
@@ -361,24 +363,37 @@ private ScanResults createFakeResults() {
         return result;
     }
 
-    private void createAftFindings(ScanResults result) {
+    private void createAstFindings(ScanResults result) {
         result.setAstResults(new ASTResults());
         result.getAstResults().setResults(new AstSastResults());
         result.getAstResults().getResults().setScanId("111");
         result.getAstResults().getResults().setWebReportLink(WEB_REPORT_LINK);
         LinkedList<Finding> findings = new LinkedList();
-        Finding f1 = new Finding();
-        f1.setDescription(DESCRIPTION_AST + " 1");
-        f1.setState(TO_VERIFY);
+        
+        findings.add(createAstFinding(1));
+        findings.add(createAstFinding(2));
+        
+        result.getAstResults().getResults().setFindings(findings);
 
-        Finding f2 = new Finding();
-        f2.setDescription(DESCRIPTION_AST + " 2");
-        f2.setState(TO_VERIFY);
+        result.setScanSummary(new CxScanSummary());
 
-        findings.add(f1);
-        findings.add(f2);
+        result.getAstResults().getResults().setSummary(new AstSastSummaryResults());
+    
+ 
+    }
 
-        result.getAstResults().getResults().setFindings(findings);
+    private Finding createAstFinding(int index) {
+        Finding f1 = new Finding();
+        f1.setDescription(DESCRIPTION_AST + index);
+        f1.setState(TO_VERIFY);
+        f1.setQueryName("Query Name " + index);
+        f1.setSeverity("HIGH");
+        f1.setCweID(index);
+        f1.setSimilarityID(index);
+        f1.setUniqueID(index);
+        f1.setNodes(Arrays.asList(new FindingNode()));
+        f1.getNodes().get(0).setFileName(index + "file.java");
+        return f1;
     }
 
 
diff --git a/src/test/resources/cucumber/features/integrationTests/azure/github2ado/github2ado.feature b/src/test/resources/cucumber/features/integrationTests/azure/github2ado/github2ado.feature
index d5859fcf8..6597753cc 100644
--- a/src/test/resources/cucumber/features/integrationTests/azure/github2ado/github2ado.feature
+++ b/src/test/resources/cucumber/features/integrationTests/azure/github2ado/github2ado.feature
@@ -2,10 +2,10 @@
 Feature: CxFlow should read configuration from cx.config file in the root of repository
 
   
-  @ProjectName
+  @ProjectName 
   Scenario Outline: CxFlow will mimic CX-SAST results and create tickets in the appropriate project in Azure 
     Given application.yml contains the Azure project "<inputProject>" and Asure namespace "<inputNamespace>"
-    And Scanner is Cx-SAST
+    And Scanner is SAST
     And commit or merge pull request is performed in github repo "<repo>" and branch "<branch>"
     And project "<outputProject>" exists in Azure under namespace "<outputNamespace>"
     And SAST scan produces high and medium results
@@ -27,7 +27,7 @@ Feature: CxFlow should read configuration from cx.config file in the root of rep
     And project "<outputProject>" exists in Azure under namespace "<outputNamespace>"
     And SAST scan produces high and medium results
     Then CxFlow will create appropriate tickets in project "<outputProject>" in namespace "<outputNamespace>" in Azure
-    And description field is populated
+    And Additional fields are populated
 
     Examples:
       | repo     | branch | inputProject | inputNamespace | outputProject | outputNamespace |

From 3a2db1d77956bea969bb8cdf17fafd224faf9598 Mon Sep 17 00:00:00 2001
From: orlyk <orly.kilidgan@checkmarx.com>
Date: Mon, 5 Oct 2020 13:12:29 +0300
Subject: [PATCH 4/7] Add weblink support

---
 build-11.gradle                               |  2 +-
 build.gradle                                  |  2 +-
 .../com/checkmarx/flow/utils/HTMLHelper.java  | 15 +++---
 .../checkmarx/flow/utils/MarkDownHelper.java  |  4 ++
 .../com/checkmarx/flow/utils/ScanUtils.java   | 17 +++++--
 .../ast/parse/GitHubCommentsASTSteps.java     | 47 ++++++++++++++-----
 src/test/resources/application.yml            |  1 +
 7 files changed, 62 insertions(+), 26 deletions(-)

diff --git a/build-11.gradle b/build-11.gradle
index e870407c2..a691073aa 100644
--- a/build-11.gradle
+++ b/build-11.gradle
@@ -2,7 +2,7 @@ import org.gradle.api.tasks.testing.Test
 
 buildscript {
 	ext {
-        CxSBSDK = "0.4.46"
+        CxSBSDK = "0.4.47"
         //cxVersion = "8.90.5"
         springBootVersion = '2.2.6.RELEASE'
         sonarqubeVersion = '2.8'
diff --git a/build.gradle b/build.gradle
index 7c83e14f3..3bb4cbca3 100644
--- a/build.gradle
+++ b/build.gradle
@@ -1,6 +1,6 @@
 buildscript {
     ext {
-        CxSBSDK = "0.4.46"
+        CxSBSDK = "0.4.47"
         //cxVersion = "8.90.5"
         springBootVersion = '2.2.6.RELEASE'
         sonarqubeVersion = '2.8'
diff --git a/src/main/java/com/checkmarx/flow/utils/HTMLHelper.java b/src/main/java/com/checkmarx/flow/utils/HTMLHelper.java
index 732163b7c..c00853ae5 100644
--- a/src/main/java/com/checkmarx/flow/utils/HTMLHelper.java
+++ b/src/main/java/com/checkmarx/flow/utils/HTMLHelper.java
@@ -46,7 +46,7 @@ public class HTMLHelper {
     public static final String ISSUE_BODY_TEXT = "%s issue exists @ %s in branch %s";
 
     private static final String DIV_A_HREF = "<div><a href='";
-    private static final String NO_POLICY_VIOLATION_MESSAGE = "No policy violation found";
+    public static final String NO_POLICY_VIOLATION_MESSAGE = "No policy violation found";
     private static final String NO_PACKAGE_VIOLATION_MESSAGE = "No package violation found";
 
     private HTMLHelper() {
@@ -93,7 +93,7 @@ public static String getHTMLBody(ScanResults.XIssue issue, ScanRequest request,
     }
 
     private static void addFlowSummarySection(ScanResults results, RepoProperties properties, StringBuilder body, ScanRequest request) {
-        if (properties.isFlowSummary() && results.getAstResults() == null) {
+        if (properties.isFlowSummary() ) {
             if (!ScanUtils.empty(properties.getFlowSummaryHeader())) {
                 appendAll(body, MarkDownHelper.getMdHeaderType(3, properties.getFlowSummaryHeader()), CRLF);
             }
@@ -103,18 +103,17 @@ private static void addFlowSummarySection(ScanResults results, RepoProperties pr
                 appendAll(body, MarkDownHelper.getMdHeaderType(4, NO_POLICY_VIOLATION_MESSAGE), CRLF);
             } else {
                 flowSummaryToMap.forEach((severityKey, value) ->
-                    appendAll(body,
-                            MarkDownHelper.getSeverityIconFromLinkByText(severityKey, request),
-                            MarkDownHelper.getNonBreakingSpace(request), MarkDownHelper.getBoldText(value.toString()),
-                            " ",
-                            MarkDownHelper.getBoldText(severityKey), MarkDownHelper.getLineBreak(request))
+                        appendAll(body,
+                                MarkDownHelper.getSeverityIconFromLinkByText(severityKey, request),
+                                MarkDownHelper.getNonBreakingSpace(request), MarkDownHelper.getBoldText(value.toString()),
+                                " ",
+                                MarkDownHelper.getBoldText(severityKey), MarkDownHelper.getLineBreak(request))
                 );
                 body.append(CRLF);
                 appendAll(body, MarkDownHelper.getTextLink(MarkDownHelper.MORE_DETAILS_LINK_HEADER, results.getLink()), CRLF);
             }
         }
     }
-
     private static void addScaBody(ScanResults results, StringBuilder body, ScanRequest request) {
         Optional.ofNullable(results.getScaResults()).ifPresent(r -> {
             log.debug("Building merge comment MD for SCA scanner");
diff --git a/src/main/java/com/checkmarx/flow/utils/MarkDownHelper.java b/src/main/java/com/checkmarx/flow/utils/MarkDownHelper.java
index 030d85fd6..a762bfa6e 100644
--- a/src/main/java/com/checkmarx/flow/utils/MarkDownHelper.java
+++ b/src/main/java/com/checkmarx/flow/utils/MarkDownHelper.java
@@ -147,12 +147,16 @@ static String getTextLink(String text, String link) {
     static String getSeverityIconFromLinkByText(String severity, ScanRequest request) {
         switch (severity) {
             case "High":
+            case "HIGH":
                 return getHighIconFromLink(request);
             case "Medium":
+            case "MEDIUM":
                 return getMediumIconFromLink(request);
             case "Low":
+            case "LOW":    
                 return getLowIconFromLink(request);
             case "Information":
+            case "INFO":
                 return getInfoIconFromLink(request);
             default:
                 throw new MachinaRuntimeException(severity + " is not a valid severity");
diff --git a/src/main/java/com/checkmarx/flow/utils/ScanUtils.java b/src/main/java/com/checkmarx/flow/utils/ScanUtils.java
index 67a78f29e..f1aefa462 100644
--- a/src/main/java/com/checkmarx/flow/utils/ScanUtils.java
+++ b/src/main/java/com/checkmarx/flow/utils/ScanUtils.java
@@ -4,11 +4,13 @@
 import com.checkmarx.flow.constants.SCATicketingConstants;
 import com.checkmarx.flow.dto.*;
 import com.checkmarx.flow.exception.MachinaRuntimeException;
+import com.checkmarx.sdk.config.Constants;
 import com.checkmarx.sdk.dto.Filter;
 import com.checkmarx.sdk.dto.ScanResults;
 import com.checkmarx.sdk.dto.ast.SCAResults;
 import com.cx.restclient.ast.dto.sast.report.FindingNode;
 import com.checkmarx.sdk.dto.cx.CxScanSummary;
+import com.cx.restclient.ast.dto.sast.report.StatusCounter;
 import com.cx.restclient.ast.dto.sca.report.Finding;
 import com.cx.restclient.ast.dto.sca.report.Package;
 import com.fasterxml.jackson.databind.ObjectMapper;
@@ -90,6 +92,8 @@ public static List<ScanResults.XIssue> setASTXIssuesInScanResults(ScanResults re
         
         setAstScanSummary(results);
 
+        Map<String, Integer> severityCount = new HashMap<>();
+
         List<com.cx.restclient.ast.dto.sast.report.Finding> findings = results.getAstResults().getResults().getFindings();
         findings.forEach(finding -> {
             
@@ -115,19 +119,25 @@ public static List<ScanResults.XIssue> setASTXIssuesInScanResults(ScanResults re
             xIssueBuilder.additionalDetails(additionalDetails);
             
             ScanResults.XIssue issue = xIssueBuilder.build();
-            removeDuplicateIssues(issueList, issue, issue.getDetails());
+
+            removeDuplicateIssues(issueList, issue, issue.getDetails(), severityCount);
+            
         });
 
+        results.getAdditionalDetails().put(Constants.SUMMARY_KEY, severityCount);
         results.setXIssues(issueList);
-
+        
         return issueList;
     }
 
-    private static void removeDuplicateIssues(List<ScanResults.XIssue> issueList, ScanResults.XIssue issue, Map<Integer, ScanResults.IssueDetails> details) {
+    private static void removeDuplicateIssues(List<ScanResults.XIssue> issueList, ScanResults.XIssue issue, Map<Integer, ScanResults.IssueDetails> details, Map<String, Integer> severityMap) {
+        
         if (issueList.contains(issue)) {
             ScanResults.XIssue existingIssue = issueList.get(issueList.indexOf(issue));
             existingIssue.getDetails().putAll(details);
         } else {
+            Integer severityCount = Optional.ofNullable(severityMap.get(issue.getSeverity())).orElse(0) ;
+            severityMap.put(issue.getSeverity(), ++severityCount);
             issueList.add(issue);
         }
     }
@@ -140,6 +150,7 @@ private static void setAstScanSummary( ScanResults results) {
         scanSummary.setInfoSeverity(0);
         results.setLink(results.getAstResults().getResults().getWebReportLink());
         results.setScanSummary( scanSummary);
+        
     }
 
 
diff --git a/src/test/java/com/checkmarx/flow/cucumber/component/ast/parse/GitHubCommentsASTSteps.java b/src/test/java/com/checkmarx/flow/cucumber/component/ast/parse/GitHubCommentsASTSteps.java
index 4e169f297..be1dc5afc 100644
--- a/src/test/java/com/checkmarx/flow/cucumber/component/ast/parse/GitHubCommentsASTSteps.java
+++ b/src/test/java/com/checkmarx/flow/cucumber/component/ast/parse/GitHubCommentsASTSteps.java
@@ -42,6 +42,7 @@
 import com.cx.restclient.ast.dto.sast.report.Finding;
 
 
+import javax.validation.constraints.AssertTrue;
 import java.util.*;
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.ExecutionException;
@@ -49,6 +50,7 @@
 import java.util.concurrent.TimeoutException;
 
 
+import static com.checkmarx.flow.utils.HTMLHelper.NO_POLICY_VIOLATION_MESSAGE;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.anyInt;
 import static org.mockito.Mockito.doAnswer;
@@ -67,6 +69,7 @@ public class GitHubCommentsASTSteps {
     private static final String AST_SCA = "AST,SCA";
     private static final String GIT_URL =  "https://github.com/cxflowtestuser/testsAST.git";
     private static final String REGEX = "### Checkmarx";
+    private static final String AST_WEB_REPORT_LINK = "https://astWebReportUrl";
 
     private final CxClient cxClientMock;
     private final FlowProperties flowProperties;
@@ -170,6 +173,7 @@ private ScanResults createFakeASTScanResults(int highCount, int mediumCount, int
         summary.setMediumVulnerabilityCount(mediumCount);
         summary.setLowVulnerabilityCount(lowCount);
 
+        astSastResults.setWebReportLink(AST_WEB_REPORT_LINK);
         astSastResults.setSummary(summary);
         Map<String, Object> details = new HashMap<>();
         details.put(Constants.SUMMARY_KEY, new HashMap<>());
@@ -256,11 +260,11 @@ private void initMock(CxClient cxClientMock) {
 
     private void initGitHubProperties() {
         this.gitHubProperties.setCxSummary(false);
-        this.gitHubProperties.setFlowSummary(false);
         this.gitHubProperties.setUrl(GIT_URL);
         this.gitHubProperties.setWebhookToken("1234");
         this.gitHubProperties.setApiUrl("https://api.github.com/repos");
         this.gitHubProperties.setBlockMerge(false);
+        this.gitHubProperties.setFlowSummary(true);
     }
 
 
@@ -396,30 +400,47 @@ public ScanResults answer(InvocationOnMock invocation) {
     @Then("we should see the expected number of results in comments")
     public void verifyComments(){
 
-        int highCounter = StringUtils.countMatches(comment, "HIGH");
-        int mediumCounter = StringUtils.countMatches(comment, "MEDIUM");
-        int lowCounter = StringUtils.countMatches(comment, "LOW");
+        int actaulHighCounter = StringUtils.countMatches(comment, "HIGH");
+        int actualMediumCounter = StringUtils.countMatches(comment, "MEDIUM");
+        int actaulLowCounter = StringUtils.countMatches(comment, "LOW");
 
         
         if (scannerType.equalsIgnoreCase(AST_SCA)) {
             Assert.assertTrue(PullRequestCommentsHelper.isSastAndScaComment(comment) );
-            
+
             Assert.assertEquals(scanResultsToInject.getAstResults().getResults().getSummary().getHighVulnerabilityCount()+
-                    scanResultsToInject.getScaResults().getSummary().getFindingCounts().get(Filter.Severity.HIGH), highCounter);
+                    scanResultsToInject.getScaResults().getSummary().getFindingCounts().get(Filter.Severity.HIGH), actaulHighCounter);
             Assert.assertEquals(scanResultsToInject.getAstResults().getResults().getSummary().getMediumVulnerabilityCount() +
-                    scanResultsToInject.getScaResults().getSummary().getFindingCounts().get(Filter.Severity.MEDIUM), mediumCounter);
-            Assert.assertEquals(scanResultsToInject.getAstResults().getResults().getSummary().getLowVulnerabilityCount()+
-                    scanResultsToInject.getScaResults().getSummary().getFindingCounts().get(Filter.Severity.LOW), lowCounter);
+                    scanResultsToInject.getScaResults().getSummary().getFindingCounts().get(Filter.Severity.MEDIUM), actualMediumCounter);
+            
+            // add 1 to the results 
+            Assert.assertEquals(scanResultsToInject.getAstResults().getResults().getSummary().getLowVulnerabilityCount()+ 1 +
+                    scanResultsToInject.getScaResults().getSummary().getFindingCounts().get(Filter.Severity.LOW), actaulLowCounter);
 
         }
         else if (scannerType.equalsIgnoreCase(AST)) {
+            
             Assert.assertTrue(PullRequestCommentsHelper.isSastFindingsComment(comment));
 
-            Assert.assertEquals(scanResultsToInject.getAstResults().getResults().getSummary().getHighVulnerabilityCount(), highCounter);
-            Assert.assertEquals(scanResultsToInject.getAstResults().getResults().getSummary().getMediumVulnerabilityCount(), mediumCounter);
-            Assert.assertEquals(scanResultsToInject.getAstResults().getResults().getSummary().getLowVulnerabilityCount(), lowCounter);
-
+            int expectedHigh = getExpectedResults(scanResultsToInject.getAstResults().getResults().getSummary().getHighVulnerabilityCount());
+            int expectedMedium = getExpectedResults(scanResultsToInject.getAstResults().getResults().getSummary().getMediumVulnerabilityCount());
+            int expectedLow = getExpectedResults(scanResultsToInject.getAstResults().getResults().getSummary().getLowVulnerabilityCount());
+            
+            Assert.assertEquals(expectedHigh  , actaulHighCounter);
+            Assert.assertEquals(expectedMedium  , actualMediumCounter);
+            Assert.assertEquals(expectedLow , actaulLowCounter);
+    
+            if(!comment.contains(NO_POLICY_VIOLATION_MESSAGE)) {
+                Assert.assertTrue(comment.contains(AST_WEB_REPORT_LINK));
+            }
         }
+
+        
+    }
+
+    private int getExpectedResults(int vulnerabilityCount) {
         
+        //adding 1 to the expected count since the severity string appears not only in the Summary section but also in in the Flow Summary Section
+        return vulnerabilityCount==0 ? 0 :  vulnerabilityCount + 1;
     }
 }
diff --git a/src/test/resources/application.yml b/src/test/resources/application.yml
index f734fd7bb..fc5c15313 100644
--- a/src/test/resources/application.yml
+++ b/src/test/resources/application.yml
@@ -90,6 +90,7 @@ sca:
 
 ast:
   apiUrl: http://xxxxx
+  webAppUrl: ${ast.apiUrl}
   clientId: xxxxx
   clientSecret: xxxxx
   preset: Checkmarx Default

From b6e673b7dc20524267043248c783924f81a41c99 Mon Sep 17 00:00:00 2001
From: orlyk <orly.kilidgan@checkmarx.com>
Date: Mon, 5 Oct 2020 15:53:15 +0300
Subject: [PATCH 5/7] fix conflict + fix compilation error

---
 .../java/com/checkmarx/flow/service/ConfigurationOverrider.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/java/com/checkmarx/flow/service/ConfigurationOverrider.java b/src/main/java/com/checkmarx/flow/service/ConfigurationOverrider.java
index ec614d735..5021270c8 100644
--- a/src/main/java/com/checkmarx/flow/service/ConfigurationOverrider.java
+++ b/src/main/java/com/checkmarx/flow/service/ConfigurationOverrider.java
@@ -220,7 +220,7 @@ private void overridePropertiesSca(Optional<Sca> sca, Map<String, String> overri
         });
 
         sca.map(Sca::getThresholdsSeverity).ifPresent(thresholdsSeverity -> {
-            scaConfig.setThresholdsSeverity(thresholdsSeverity);
+            scaConfig.initThresholdsSeverity(thresholdsSeverity);
             overrideReport.put("thresholdsSeverity", convertMapToString(thresholdsSeverity));
         });
 

From 9ac1d722785989a300f9b8d48983c793175eea98 Mon Sep 17 00:00:00 2001
From: orlyk <orly.kilidgan@checkmarx.com>
Date: Tue, 6 Oct 2020 09:42:40 +0300
Subject: [PATCH 6/7] fix constants in which

---
 .../checkmarx/flow/utils/MarkDownHelper.java  | 21 ++++++++++++-------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/src/main/java/com/checkmarx/flow/utils/MarkDownHelper.java b/src/main/java/com/checkmarx/flow/utils/MarkDownHelper.java
index a762bfa6e..a11163071 100644
--- a/src/main/java/com/checkmarx/flow/utils/MarkDownHelper.java
+++ b/src/main/java/com/checkmarx/flow/utils/MarkDownHelper.java
@@ -42,6 +42,11 @@ public class MarkDownHelper {
     public static final String SAST_HEADER = CHECKMARX_PREFIX + SAST_SCANNER + " - " + SCAN_SUMMARY_DETAILS;
     public static final String SCA_HEADER = CHECKMARX_PREFIX + SCA_SCANNER + " - " + SCAN_SUMMARY_DETAILS;
     private static final String AST_SAST_HEADER = CHECKMARX_PREFIX + AST_SAST_SCANNER + " - " + SCAN_SUMMARY_DETAILS;
+    private static final String HIGH = "HIGH";
+    private static final String MEDIUM = "MEDIUM";
+    private static final String LOW = "LOW";
+    private static final String INFORMATION = "INFORMATION";
+    private static final String INFO = "INFO";
 
 
     private MarkDownHelper() {
@@ -145,18 +150,18 @@ static String getTextLink(String text, String link) {
     }
 
     static String getSeverityIconFromLinkByText(String severity, ScanRequest request) {
+
+        severity = severity.toUpperCase();
+        
         switch (severity) {
-            case "High":
-            case "HIGH":
+            case HIGH:
                 return getHighIconFromLink(request);
-            case "Medium":
-            case "MEDIUM":
+            case MEDIUM:
                 return getMediumIconFromLink(request);
-            case "Low":
-            case "LOW":    
+            case LOW:    
                 return getLowIconFromLink(request);
-            case "Information":
-            case "INFO":
+            case INFORMATION:
+            case INFO:
                 return getInfoIconFromLink(request);
             default:
                 throw new MachinaRuntimeException(severity + " is not a valid severity");

From 04ab669be8801f7d4157fb43b1cf88f022c9eefd Mon Sep 17 00:00:00 2001
From: orlyk <orly.kilidgan@checkmarx.com>
Date: Tue, 6 Oct 2020 10:03:07 +0300
Subject: [PATCH 7/7] fix cxgo build

---
 build-cxgo.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build-cxgo.gradle b/build-cxgo.gradle
index 8a4e2ea0b..f36c82aac 100644
--- a/build-cxgo.gradle
+++ b/build-cxgo.gradle
@@ -1,6 +1,6 @@
 buildscript {
     ext {
-        CxSBSDK = "0.1.38"
+        CxSBSDK = "0.1.39"
         //cxVersion = "8.90.5"
         springBootVersion = '2.2.6.RELEASE'
         sonarqubeVersion = '2.8'