Detailed Action
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Applicant filed a terminal disclaimer; however, it was not approved because it was not signed by the applicant. Applicant is advised to resubmit it properly.
Applicant filed arguments without amending the claims; claims 1-18 are pending.

Priority
This application is a continuation of U.S. Application Serial No. 15/209,580, filed July 13, 2016. 

Response to Arguments

Applicant's arguments filed 01/08/2021 have been fully considered but they are not persuasive. On page the applicant argued that Johansson does not teach or suggest "determining that a third party software component of the software components is approved for use in the software application based on the software component characteristic information," as recited by the claim. Examiner respectfully disagrees. Johansson [0043] and FIG. 3 clearly suggest that a software characteristic, such as a certain version of a software application, could be disallowed because of high risk. [0028] also suggests that an application could be downloaded from the net and could be an unknown application, which suggests that the software could be from a third party ([0028] The application information service 124 may also aggregate information indicating the number of installations of this application 172 across 

On page 5 the applicant further argued that in paragraph [0021], Johansson does disclose initiating an upgrade of a software application, but this is not the same as an upgrade over at least another software component, as per the claim. As explained above, paragraph [0021] of Johansson discloses that the automated action system 127 is executed to perform one or more actions in response to the risk profile of an application installation, such actions may include initiating an upgrade of a software application on a user computing device 106. Thus, paragraph [0021] of Johansson does not teach or suggest "'upgrade over at least another software component of the software component' by initiating an upgrade of a software application on a user computing device." Examiner respectfully disagrees. Although [0021] discloses updating software, para [0054] discloses a patch to upgrade/update software, which suggests that a certain portion of the software is being updated or upgraded. Lau (FIG. 3 and associated text; col. 8, lines 20-45) also teaches identifying parts of software risk, effects or impacts of the upgrade, to find potential trouble spots, to define risks, to create recommended corrective actions, and to determine levels of effort to implement corrective actions.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).

A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).

The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in 
Instant application 16/772,661
US 10528741 B1
1. A method for automatically assessing operational risks and mitigating operational risks associated with using a software component in a software application, comprising: 
accessing software components comprising the software application;
responsive to accessing the software components, receiving software component characteristic information about each software component of the software components, including information about a characteristic of the software component that is related to an operational risk associated with using the software component in the software application; 
determining that a third party software component of the software components is approved for use in the software application based on the software component characteristic information; 
generating operational risk assessment information using one or more rules and based on the software component characteristic information; outputting the operational risk assessment information requiring that the third party software component be upgraded; and 
generating operational risk mitigation information based on the operational risk assessment information, and including information that prioritizes the third party software component for upgrade over at least another software component of the software components, wherein at least one step of the method is performed by a processor.

accessing software components comprising the software application; 
responsive to accessing the software components, receiving software component characteristic information about each software component of the software components, including information about a characteristic of the software component that is related to an operational risk associated with using the software component in the software application, wherein the software component characteristic information comprises software currency information, software consistency information, software security information, software license type information and software version information; 
determining that a third party software component of the software components is approved for use in the software application based on the software component characteristic information; 
generating operational risk assessment information using one or more rules and based on the software component characteristic information; outputting the operational risk assessment information requiring that the third party software component be upgraded; and 
generating operational risk mitigation information based on the operational risk assessment information, and including information that prioritizes the third party software component for upgrade over at least another software component of the software components, wherein at least one step of the method is performed by a processor.
wherein the software component characteristic information comprises software currency information, software consistency information, or software security information.



Claims 1-18 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-12 of U.S. Patent No. US 10528741 B1. Although the claims at issue are not identical, they are not patentably distinct from each other because of similar limitations with obvious variations.



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 7 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Johansson et al. (US 2015/0143528 A1, hereinafter Johansson: IDS supplied) in view of Lau et al. (US 7,191,435 B2, hereinafter Lau: IDS supplied).

With regards to claim 1, Johansson discloses, A method for automatically assessing operational risks and mitigating operational risks associated with using a software component in a software application (Johansson, abstract, disclosed are various embodiments for assessing risk associated with a software application on a user computing device in an enterprise networked environment. Para [0013], automate risk assessment and compliance reporting by creating a risk profile for each computing device on which a given software application is installed. This may be especially useful for enterprise networks where some or all users have access to install applications on their respective computing devices. Information for this risk assessment may be aggregated , comprising:
accessing software components comprising the software application (Johansson, para [0017], the components executed on the computing environment 103, for example, include a risk profile engine 115, a device information service 118, a user information service 121, an application information service 124, an automated action system 127, a manual review system 130, and other applications, services, processes, systems, engines, or functionality not discussed in detail herein.  Para [0029]. each user computing device 106 may be configured to execute various applications 172, which may correspond to user-installed software applications. Para [0031], the application information service 124 gathers (i.e. access) various information and evaluates various application characteristics 142 of the applications 172(i.e. software components) which are installed on the user computing devices 106. See fig-3, para [0024], the application information service 124 is executed to obtain information about characteristics of the software applications which are installed in the user computing devices 106);
responsive to accessing the software components, receiving software component characteristic information about each software component of the software components (Johansson, para [0031], the application information service 124 gathers various information and evaluates various application characteristics 142 of the applications 172 (i.e. software components) which are installed on the user computing devices 106. See fig-3, para [0024], The application information service 124 is executed to obtain information about characteristics of the software applications which are installed in the user computing devices 106 of the networked environment 100. Such including information about a characteristic of the software component that is related to an operational risk associated with using the software component in the software application (Para [0020], The characteristics of the application may be employed by the risk profile engine 115 to generate a software application risk rating, or core rating, for the software application. Para [0035], Beginning with box 203, the risk profile engine 115 obtains state information indicating installations of software applications 172 (FIG. 1) in the networked environment 100 (FIG. 1) of user computing devices 106 (FIG. 1). The state information may correspond to the application information 139 (FIG. 1), the local security application classification data 145 (FIG. 1), version data 151 (FIG. 1), and/or other data. In box 206, the risk profile engine 115 obtains the application characteristics 142 (FIG. 1) for the applications 172 from the 

determining that a third party software component  of the software components is approved for use in the software application based on the software component characteristic information (Johansson, see fig-3, para [0043]. In box 319, the application information service 124 determines whether the version of the application 172 is disallowed. For example, the rating rules 154 (FIG. 1) may indicate that a particular version or versions of an application 172 (or all versions of the application 172) are disallowed on the user computing devices 106, leading to a relatively high risk profile 163 and/or automatic remedial action.)
generating operational risk assessment information using one or more rules and based on software component  characteristic information (Johansson, para [0031-0032], The application information service 124 gathers various information and evaluates various application characteristics 142 of the applications 172 which are installed on the user computing devices 106 and the risk profile engine 115 generates an application rating 157 for each of the applications 172 according to the rating rules 154. The risk profile engine 115 then generates a risk profile 163 for each installation of each of the applications 172. Each risk profile 163 is generated using the risk profile rules 160 based at least in part on various factors including the application ratings 157, the device information 136 regarding the user computing device 106 on which the application 172 is installed, the user information 133 regarding the end users of the user computing device 106 on which the application 172 is installed, and/or other factors. The risk profile engine 
outputting the operational risk assessment information requiring that the third party software component be upgraded (Johansson, para [0021], The automated action system 127 is executed to perform one or more actions in response to the risk profile of an application installation meeting one or more criteria. Such actions may include, but are not limited to, disabling or limiting logins to a user computing device 106, disabling or limiting login capability for a specific user or group of users, disabling or limiting the account of a user, suggesting employee termination of a user, disabling or limiting connectivity to the network 109 for a user computing device 106, initiating an uninstallation or removal of a software application from a user computing device 106, initiating an upgrade of a software application on a user computing device 106, displaying information to the end user informing them that a software application is out of date or otherwise out of compliance, displaying a dialog to the user requesting information regarding an unknown software application, and/or other actions.), and 
generating operational risk mitigation information based on the operational risk assessment information that prioritizes the third party software component for upgrade over at least another software component of the software components (Johansson, para [0021],The automated action system 127 is executed to perform one or more actions in response to the risk profile of an application installation meeting one or more criteria. Such actions may include, but are not limited to, disabling or limiting logins to a user computing device 106, disabling or limiting login capability for a specific user or group of users, disabling or limiting the account of a user, Suggesting employee 
wherein at least one step of the method is performed by a processor (Johansson, fig-7,8,para [0062], a number of software components are stored in the memory 706, 806 and are executable by the processor 703,).
However, Johansson does not expressly teach third party software component which Lau from the same or similar field of endeavor teaches: 
the third party software component for upgrade over at least another software component of the software components(Lau, abstract, a method for analyzing impact on binaries, software, and hardware of a planned software upgrade for a computer system which includes performing a configuration inventory for the computer system with profiles for the computer system of hardware, software including operating system software, middleware, applications, development tools, and third party software, application interfaces, and binaries. A set of upgrade rules, e.g., rules defining hardware and software requirements including interfaces, libraries, dependencies, and more, are accessed and the binary profiles are analyzed based on the upgrade rules to determine safe binaries and at-risk binaries. The at-risk binaries are further divided into subcategories based on risks of incompatibility with the planned software upgrade. The 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Lau’s Method and system for optimizing software upgrades into Johansson’s Risk Assessment for Software Applications.
One would be motivated to do so to provide risk assessment and mitigation report of a third party software to be compatible with the native software applications (Lau, Abstract).

Claim 7 is the product claim corresponding to method claim 1, also rejected accordingly.

Claim 13 is the system claim corresponding to method claim 1, also rejected accordingly.


Claims 2-3, 8-9, 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over Johansson et al. (US 2015/0143528 A1, hereinafter Johansson) in view of Lau et al. (US 7,191,435 B2, hereinafter Lau) and further in view of Cheng et al. (US 20100095277 A1, hereinafter Cheng: IDS supplied).

With regards to claims 2, 8, and 14, the combination of Johansson and Lau teaches all the claimed limitations of claim 1. However, the combination does not expressly teach further comprising: accessing third party software policy definition information (Cheng, para [0054], policy controller is invoked and fetches policies to be used in a project which are some software package information like competitor's libraries, open source code having GPL (General Public License) or LGPL (Lesser General Public License) information. Here third party software policy definition information is mapped to policy information related to libraries, open source code, GPL, LGPL), the third party software policy definition information comprising information defining one or more policies for operating (Cheng, para [0054], policy controller is invoked and fetches policies to be used in a project which are some software package information like competitor's libraries, open source code having GPL (General Public License) or LGPL (Lesser General Public License) information.); accessing approved software component information, the approved software component information being information identifying third party software components that are approved for use in the software application (FIG 4 4070 and associated text;)
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to combine the teaching of Cheng’s method for source-related risk detection and alert generation and Johansson’s Risk Assessment for Software Applications as modified by Lau’s Method and system for optimizing software upgrades, with a motivation to provide information related to software policy, copyright term related with the source software application (Cheng, para [0056]).

the combination of Johansson, Lau and Cheng teaches all the claimed limitations of claim 3. In addition Johansson teaches further comprising determining the one or more rules at least in part responsive to accessing [[the third party software policy definition information]] and the approved software component information and generating the risk assessment information using one or more of the determined rules (Johansson, para [0031-0032], The application information service 124 gathers various information and evaluates various application characteristics 142 of the applications 172 which are installed on the user computing devices 106 and the risk profile engine 115 generates an application rating 157 for each of the applications 172 according to the rating rules 154. The risk profile engine 115 then generates a risk profile 163 for each installation of each of the applications 172. Each risk profile 163 is generated using the risk profile rules 160 based at least in part on various factors including the application ratings 157, the device information 136 regarding the user computing device 106 on which the application 172 is installed, the user information 133 regarding the end users of the user computing device 106 on which the application 172 is installed, and/or other factors. The risk profile engine 115 may generate various reports in the report data 169 for manual review by the system administrators.); the third party software policy definition information (Cheng, para [0054], policy controller is invoked and fetches policies to be used in a project which are some software package information like competitor's libraries, open source code having GPL (General Public License) or LGPL (Lesser General Public License) information. Here third party software policy definition information is mapped to policy information related to libraries, open source code, GPL, LGPL);

Claims 4-5, 10-11 and 16-17 are rejected under 35 U.S.C. 103 as being unpatentable over Johansson et al. (US 2015/0143528 A1, hereinafter Johansson) in view of Lau et al. (US 7,191,435 B2, hereinafter Lau) and further in view of Bettini et al. (US 20140331281 A1, hereinafter Bettini: IDS supplied).

With regards to claims 4-5, 10-11, 16-17, the combination of Johansson and Lau teaches all the claimed limitations of claim 1. The combination does not expressly teach that the software component characteristic information comprises software currency information, software consistency information, software security information, software license type information and software version information.
However, Bettini from the same or similar field of endeavor teaches wherein the software component characteristic information comprises software currency information, software consistency information, or software security information; wherein the software component characteristic information comprises software license type information or software version information. (Bettini, Para [0056], metadata associated with the app is extracted, which can include information that is important for assessing the overall risk(s) associated with the app. Metadata associated with the app that can be analyzed includes app permissions, intents, services, and receivers. In particular, this phase can include mapping out app permissions, file and version name, app author, app ID, package name, and/or various other attributes and/or metadata associated with the app … metadata associated with finding the app on the public and/or private app markets includes artist and publisher price for purchasing the app, release date of the app (e.g., app version), software version external identifiers, and vendor ID. Here software characteristic information is mapped with combination of publisher information, item IDs, genre IDs or categories, price for purchasing the app, release date of the app (e.g., app version), software version external identifiers, and vendor ID).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Bettini’s In-line filtering of insecure or unwanted mobile device software components or communications into Johansson’s risk assessment for software applications as modified by Lau’s method and system for optimizing software upgrades with a motivation to provide an enhanced risk assessment and control system in view of different forms of software characteristic information. (Bettini, Para [0059]).

Claims 6, 12 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Johansson et al. (US 2015/0143528 A1, hereinafter Johansson) in view of Lau et al. (US 7,191,435 B2, hereinafter Lau) and further in view of Osborn (US 20150332184 A1, hereinafter Osborn: IDS supplied).

With regards to 5, 11, 17 the combination of Johansson and Lau teaches all the claimed limitations of claim 1. However, the combination does not expressly teach the following limitation that Osborn teaches: wherein the operational risk assessment information includes information indicating when an operational risk will increase or decrease (Osborn, para [0081], in FIG. 10A, applications plotted into sectors having a combination . 
Conclusion

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMED WALIULLAH whose telephone number is (571)270-7987. The examiner can normally be reached from 8:30 to 4:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 1-571-272-8878.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.







/MOHAMMED WALIULLAH/Primary Examiner, Art Unit 2498