DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Remarks
In a response filed on January 8, 2021, Applicant: (1) cancels claims 4 and 13-20; and (2) amends claims 1 and 5.
Claims 1-3 and 5-12 are presented for examination.
Allowable Subject Matter
Claims 1-3 and 5-12 are allowed.
Reasons for Allowance
According to 37 CFR 1.104(e), if the examiner believes that the record of the prosecution as a whole does not make clear his or her reasons for allowing a claim or claims, the examiner may set forth such reasoning. Accordingly, Examiner concludes that, for clarity, the record requires that Examiner set forth reasons for the allowance of claims 1-25. The applicant or patent owner may file a statement commenting on the following reasons for allowance within THREE MONTHS FROM THE “MAILING DATE” of this communication.
The following is an examiner’s statement of reasons for allowance.
For example, the cited prior art of record comprises inter alia the following
references:
US 2015/0309813 A1		“Patel et al.”
US 2014/0007041 A1		“Schmeling et al.”

					“Dotta”

Regarding claim 1, Patel teaches a method for generating a vulnerability report of a project (¶ 93 “A system…used for analyzing applications… the system comprising”; ¶ 257 “creating report…based on the analysis”), comprising:
when the interior knowledge of the Java project isn't available, performing a black box analysis to generate the vulnerability (¶ 14 “In a black box approach, analysis of application/project is performed without having any knowledge of internals/interior of the application/project…tools for finding security vulnerabilities”; ¶ 22 “programming languages such as JavaScript”; ¶ 257 “creating report…based on the analysis”); and
when the source code of the Java project is accessible, performing a white box analysis to generate the vulnerability report (¶ 30 “In a white box approach, analysis of application is performed by having full knowledge of internals/interior of the application…tools for finding security vulnerabilities”; ¶ 297, 39 “projects/applications written in languages such as Java”; ¶ 257 “creating report…based on the analysis”), and
performing a gray box analysis to generate the vulnerability report (¶ 55 “a hybrid approach…called gray/grey box”; ¶ 257 “creating report…based on the analysis”),

analyzing the source code to obtain information of entry points (¶ 30 “static analyzers can choose to perform analysis on application source code”; ¶ 36 “The first step is lexical analysis… The next step is semantic analysis…to perform semantic analysis all of the interdependent sources/entry points would have to be loaded/obtained”; ¶ 43, 46 “For example, for a taint analysis, static analyzers may have list of entry points/sources and sinks”);
scanning configuration files of the Java project (¶ 333, 156, 154 “analyzing configuration files”; ¶ 382, 334 “For instance…for Java Platform”); and
executing exploit payloads against the entry points to generate the vulnerability report (¶ 19 “specially generated/crafted payloads for every input/entry point…is executed /sent and the responses are analyzed and checked for behavior indicative of vulnerabilities or suspected vulnerabilities”; ¶ 257 “creating report…based on the analysis”).
However, Patel does not explicitly disclose: generating a deserialization vulnerability report of a Java project; determining, by a computing device, if interior knowledge of the Java project is available, and when the interior knowledge of the Java project is available, determining by the computing device if source code of the Java ; and wherein the step of scanning the configuration files of the Java project to generate the exploit payloads comprises: resolving the configuration files to obtain library files that the java program depends on; scanning the library files and the source code to obtain gadgets that match with one from a gadget pattern database; and generating the exploit payloads using the obtained gadgets.
In an analogous art, Schmeling teaches:
determining, by a computing device, if interior knowledge of the Java project is available (¶ 40, 42 “receive user input for defining [] models/analysis”; ¶ 44 “accepting user input to generate…model/analysis”; ¶ 86, 57, 48 “provider is knowledgeable about the underlying application/project…and can use this knowledge…editor 118 provides a GUI for receiving user input to define…model/analysis”; ¶ 52 “code is directed to…e.g., Java”; note: a black box model/analysis must be performed [see ¶ 66] unless Schmeling determines that “interior knowledge/internal aspects of the application/project are [] available” [see ¶ 67] and, although Schmeling does not explicitly disclose that its model/ analysis may be determined by a computer, such automation is prima facie obvious [see MPEP § 2144.04(III)]), and
when the interior knowledge of the Java project is available, determining by the computing device if source code of the Java project is accessible (¶ 40, 42 “receive user input for defining [] models/analysis”; ¶ 44 “accepting user input to generate…model/analysis”; ¶ 48 “provider is knowledgeable about the underlying prima facie obvious [see MPEP § 2144.04(III)]),
when the source code of the Java project isn't accessible, performing a gray box analysis (¶ 40, 42 “receive user input for defining [] models/analysis”; ¶ 44 “accepting user input to generate…model/ analysis”; ¶ 86, 57, 48 “provider is knowledgeable about the underlying application/project…and can use this knowledge…editor 118 provides a GUI for receiving user input to define…model/analysis”; ¶ 52 “code is directed to…e.g., Java”; note: a grey box model/analysis must be performed when some “interior knowledge/internal aspects of the application/project are made available” [see ¶ 67] unless Schmeling determines that “complete application details are available, e.g., source code” [see ¶ 40, 69]).
However, Patel in view of Schmeling does not explicitly disclose: generating a deserialization vulnerability report of a Java project; scanning configuration files of the Java project to generate exploit payloads; and wherein the step of scanning the configuration files of the Java project to generate the exploit payloads comprises: resolving the configuration files to obtain library files that the java program depends on; scanning the library files and the source code to obtain gadgets that match with one from a gadget pattern database; and generating the exploit payloads using the obtained gadgets.
In an analogous art, Dotta teaches:
generating a deserialization vulnerability report of a Java project (p. 3, ¶ 8 of § Detection “detected issues are automatically added to the global issues”; note: the “issues” that Dotta “detects” are “deserialization vulnerability issues” [see p. 2, ¶ 1 of § Detection], which Dotta “reports” by adding “to the global issues of [a] host” [see p.3, ¶ 8 of § Detection]); and
scanning configuration files of the Java project to generate exploit payloads (p. 2, ¶ 8 of § Detection “plugin tests all the supported vulnerable libraries/configuration files”; p.3, ¶ 1 of § Exploitation “generate exploitation vectors/payloads…ysoserial takes as argument a vulnerable library/configuration files and a command and generates a serialized object/exploitation payload”; note: it is implicit that a “scan,” of some sort, must be performed in order to determine which vulnerable libraries/configuration files are actually “supported” by Dotta’s “target application” [see p. 2, ¶¶ 1 & 8 of § Detection; p.3, ¶ 1 of § Exploitation]).
However, the prior art of record, alone or in combination, does not explicitly disclose: wherein the step of scanning the configuration files of the Java project to generate the exploit payloads comprises: resolving the configuration files to obtain library files that the java program depends on; scanning the library files and the source code to obtain gadgets that match with one from a gadget pattern database; and generating the exploit payloads using the obtained gadgets.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kalish Bell whose telephone number is (571) 272-5294.  The examiner can normally be reached on 9am-5pm, M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool.  To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469) 295-9235.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  






/KALISH K BELL/Examiner, Art Unit 2432


/CHRISTOPHER C HARRIS/Primary Examiner, Art Unit 2432