DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This communication is in response to the terminal disclaimer filed on 02/08/2021 and the pre-brief conference request filed on 01/28/2021.
Claims 1-20 are currently pending in this application.
No new IDS has been filed.

Response to Arguments
The previous 112(a) rejection to the claims 1-20 have been withdrawn in response to the applicants’ amendments/remarks.
The previous 112(b) rejection to the claims 1-20 have been withdrawn in response to the applicants’ amendments/remarks.
The previous double patenting rejections have been withdrawn in response to the applicants’ filing of a terminal disclaimer, which is approved on 02/08/2021.
The previous 103 rejections to the claims 1-20 have been withdrawn in response to the applicants’ amendments/remarks.

Allowable Subject Matter
Claims 1-20 are allowed.

Examiner’s Statement for Reasons for Allowance
The following is an examiner’s statement of reasons for allowance:
Regarding independent claims 1, 8 and 15,
Williams et al. (US 2011/0231936 A1) teaches a system, method and computer program product for detecting a presence of at least one vulnerability in an application. Software application can include a number of software components including application code 307 (equivalent to the representation of an application source code). These components can also include methods or subroutines 313, which usually includes a sequence of programming statements to perform an action, a set of input parameters to customize those actions and possibly a return value. To detect the vulnerabilities in the application, the vulnerability system inserts sensors into the methods of the application. The inserted sensors monitor data associated with method of the application during its execution and enable vulnerability detection system to pinpoint vulnerabilities within the code of the application. The instrumentation agent processes security rules (equivalent to the security vulnerability rule record), which specify the method requiring instrumentation and direct the instrumentation agent to install sensors into the specified methods of the application. The security rule includes a recommendation field that store a recommendation to the user for remedying the detected vulnerability - see figs. 1, 3, 7, 15; abstract, paras. [0038], [0039], [0041] and [0050] of Williams.

Lietz et al. (US 2015/0106939 A1) teaches a method and system for dynamic and comprehensive vulnerability management by obtaining vulnerability management data representing one or more potentially dynamic vulnerability management policies and vulnerability characteristics of assets (equivalent to the representation of the source code) to be monitored. Scanner tests for discovering associated vulnerabilities in an asset is generated or obtained from various sources. Remedy data includes remedies or remedy procedures to be implemented on an asset being vulnerability managed once the vulnerability for vulnerability characteristic associated with the remedy procedure (equivalent to the security patch) is identified by the scanner and scanner tests. When actual remedies are available, these remedies are automatically applied to the asset being vulnerability managed once the associated vulnerability. Examples of remedies that are used as part of the self-healing asset system include automatic application of a software patch, automatic detection of an asset component, etc.  – see fig. 2B; paras. [0008], [0043], [0047] and [0048] of Lietz.

Siman (US 2013/0167241 A1) teaches a tool for automatically analyze application source code for application level vulnerabilities. The tool integrates seamlessly into the software development process. The system receives application source code, which is intended to be transformed into executable code. The transformation is accomplished by compilation to generate object code, and linking of the object code with library code. However, the principles of the invention are equally applicable to software development systems in which intermediate representations are employed. Decompiled source code is processed in the parser, where it is decomposed into individual tokens. The tokens are then passed into layer and arranged according to the grammar of the particular language, into an abstract syntax tree – see abstract; figs. 1, 3, 13; paras. [0010], [0049] and [0067] of Siman.

However, the prior art of record does not teach or render obvious the limitations, specific and combination with other limitations:
for the claims 1, 8 and 15 in a method, storage medium or server of-
receiving, at a server, results of a scan of application source code, wherein the scan of the application source code did not execute the application source code;
determining, from the results of the scan of the application source code, without executing the application source code, one or more vulnerabilities in the application source code;
in response to determining one or more vulnerabilities in the application source, determining a local rules repository exists; and in response to the local rules repository existing, accessing the local rules repository storing one or more security fix rules;
generating one or more security patch rules based at least in part on the one or more vulnerabilities and based at least in part on the one or more security fix rules stored at the local rules repository;
verifying the one or more security patch rules; and selecting the verified security patch rule of the one or more security patch rules to generate a security patch to remediate the one or more vulnerabilities; and
applying the security patch to the application source code.

Dependent claims 2-7, 9-14 and 16-20 are allowed as they depend from allowable independent claim 1, 8 and 15.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance".

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAUNG T LWIN whose telephone number is (571)270-7845.  The examiner can normally be reached on Monday - Friday 10:00 am - 6:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for 






/MAUNG T LWIN/Primary Examiner, Art Unit 2495