Notice of Pre-AIA  or AIA  Status
1.	The present application is being examined under the pre-AIA  first to invent provisions. 
Response to Amendment
2.	This office action has been issued in response to amendment filed on 02/11/2021.  Claims 21, claim 31 and claim 41 have been amended.  Claims 21-50 are pending, of which claim 21, claim 31 and claim 41 are in independent form.  Accordingly, this action has been made FINAL.
Response to Argument
3.	a.	The Office will maintain the double rejection between the instant application and the patent 10,379,993, and between the instant application ant the patent 9,569,334.
	b.	Claim 21, 31 and 41 have been amended to overcome the 101 abstract idea.  Therefore, the 101 rejection, abstract idea, has been withdrawn for claims 21, 31 and 41.
c.	Applicant's arguments with respect to claims 21-23, 31-33 and 41-43 have been considered but are moot in view of the new ground(s) of rejection.  Claims 24-30, 34-40 and 44-50 are objected.

Status of Claims
4.	 Claims 21-50 are pending, of which claim 21, claim 31 and claim 41 are in independent form.
Remarks


Allowable Subject Matter
6.	Claims 24-30, 34-40 and 44-50 objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negatived by the manner in which the invention was made.

7.	Claims 21-23, 31-33 and 41-43 rejected under 35 U.S.C. 103(a) as being unpatentable over Chess, US 20070240138, (hereinafter Chess), and further in view of Pistoia, US 20120192161, (hereinafter Pistoia – IDS or records), 

Claim 21 is rejected, chess teaches a method comprising: 
obtaining, by a processor, source code(Chess, US 20070240138, paragraph [0024], The security development module 114 includes executable instructions to facilitate a static analysis of software in order to identify security vulnerabilities inherent to the structure of the software. The software includes program instructions. As discussed below, the invention is operative with diverse program instruction formats. For example, the program instruction formats may be different source or executable code formats, different machine instruction formats, and/or different program configuration file formats. The program instructions form various software applications.  Fig. 2 and paragraph [0029], source code.  Fig. 1, component 102 – CPU and paragraph [0022].); 
generating a representation of the source code(Chess, fig. 2 and paragraph [0029], FIG. 2 illustrates the primary processing operations associated with the other executable modules of the security development module 114. The first processing operation shown in FIG. 2 is to convert source or executable code into a common format 200. This operation may be implemented with the common format generator 122. The common format generator 122 converts all of the source or executable code files for all of the tiers of an application to be analyzed into a common format. The example common format disclosed herein is called the Normalized Syntax Tree (NST) format.  Paragraph [0030], An application system model is then derived from the common format 202. The common format generator 122 may perform this operation as well. In particular, the executable code is used to create a uniform model of the application from the NST files.); 
traversing the representation of the source code to identify one or more potential vulnerabilities(Chess, paragraph [0024-0026], The security development module 114 includes executable instructions to facilitate a static analysis of software in order to identify security vulnerabilities inherent to the structure of the software. The software includes program instructions. As discussed below, the invention is operative with diverse program instruction formats. For example, the program instruction formats may be different source or executable code formats, different machine instruction formats, and/or different program configuration file formats.  Chess, fig. 2 and paragraph [0029-0031], A data flow analysis is then performed on the system model to identify security vulnerabilities 204. The analysis engine 124 may be used to implement this operation. The analysis engine 124 identifies possible execution paths through the program where user input can reach a dangerous function or construct. The analysis engine 124 invokes security development rules 123. Typically, the security development module 114 is deployed with a set of security development rules 123. These rules may be updated on a subscription basis from a remote computer connected to network 110. In addition to these supplied rules, a user may tailor specific security development rules for a particular application. The analysis engine 124 is a separate computational kernel and therefore it can be used with a diverse set of standard and customized security development rules 123.  Paragraph [0033-0034], The security development module 114 performs a form of semantic analysis across multiple tiers and languages to find security vulnerabilities, such as stack buffers, tainted variables. SQL injection and custom-defined security flaws. The tiers range from the operating Chess, paragraph [0031], A data flow analysis is then performed on the system model to identify security vulnerabilities 204. The analysis engine 124 may be used to implement this operation. The analysis engine 124 identifies possible execution paths through the program where user input can reach a dangerous function or construct. The analysis engine 124 invokes security development rules 123. Typically, the security development module 114 is deployed with a set of security development rules 123. These rules may be updated on a subscription basis from a remote computer connected to network 110. In addition to these supplied rules, a user may tailor specific security development rules for a particular application. The analysis engine 124 is a separate computational kernel and therefore it can be used with a diverse set of standard and customized security development rules 123.); 
in response to traversing the representation of the source code, identifying the one or more potential vulnerabilities(Chess, paragraph [0024-0026], The security development module 114 includes executable instructions to facilitate a static analysis of software in order to identify security vulnerabilities inherent to the structure of the software. The software includes program instructions. As discussed below, the invention is operative with diverse program instruction formats. For example, the program instruction formats may be different source or executable code formats, different machine instruction formats, and/or different program configuration file formats. Chess, paragraph [0031], A data flow analysis is then performed on the system model to identify security vulnerabilities 204. The analysis engine 124 may be used to implement this operation. The analysis engine 124 identifies possible execution paths through the program where user input can reach a dangerous function or construct. The analysis engine 124 invokes security development rules 123. Typically, the security development module 114 is deployed with a set of security development rules 123. These rules may be updated on a subscription basis from a remote computer connected to network 110. In addition to these supplied rules, a user may tailor specific security development rules for a particular application. The analysis engine 124 is a separate computational kernel and therefore it can be used with a diverse set of standard and customized security development rules 123.  Chess, paragraph [0039-0040], The sample application consists of a Java servlet and a PL/SQL package. The purpose of the application is to display an account balance to a user. The application works as follows. The Java servlet accepts an HTTP POST request that contains a parameter named "acct". This is the type of HTTP request typically generated by a web browser when a user fills out and submits a form on a web page. The "acct" parameter might be set, for example, by the user selecting an account name from a drop-down list. The servlet passes the value of the "acct" parameter to a database query. The query invokes a stored procedure in the database named "ACCT.get_balance". The stored procedure uses the parameter passed from the servlet in order to construct an SQL query. The query examines a database table named "ACCOUNTS". It returns the value in the "balance" column for the row matching the account name that is passed in. Chess, paragraph [0063-0064], If user input can be propagated to a function that has been designated as dangerous, then a vulnerability has been found, and the static analysis engine reports the vulnerability to the user. Observe that the static analysis engine 124 is relying upon one or more security development rules 123 to identify the vulnerability. In this example, the SQL select function is designated as dangerous by a security development rule, so the static analysis engine will report a vulnerability when it determines that user input can reach the SQL select invocation defined in the PL/SQL function. In particular, in this example, the output would contain at least the following information:
[0065] Vulnerability found: SQL Injection 
[0066] Entry point: AccountView.doPost:request.getParameter 
[0067] Flows to: AccountView.doPost:stmt.execute 
[0068] Flows to: ACCOUNT.get_balance 
[0069] Flows to: ACCOUNT.get_balance: SELECT 
Chess, paragraph [0070-0072], The invention identifies a variety of vulnerabilities, including C-buffer overflows, C/Java tainted input, C/Java dynamic SQL, and ordinal problems. Preferably, the security development rules include rules for tracking dangerous data transformations, for performing data processing endpoint analyses, and for probing potential data processing endpoints. Preferably, the security development module is configured to identify taint propagation problems, such as stack buffer overflows, heap buffer overflows, format string attacks, SQL injection, and known problems in popular libraries and third-party software. Further, the security development module is configured to identify ordering constraints issues, such as ordering problems (e.g., race conditions, proper access control/authentication), suspicious code, misuse of common cryptographic protocols, non-crypotographic random number generators and bad seed usage. Preferably, the security development module also supports complexity metrics for architecture analysis and semantic pattern matching. Embodiments of the invention support processing of the following languages: C; C++; Java, including JARs/classes (bytecode analysis), Java frameworks, such as JSP, J2EE/EJB, Struts, and Tapestry. Embodiments of the invention also support PHP, Perl, Python, DLLs, Unix Libraries, Object code and assembly code. Output from the security development module may be in a generic XML format.); and 
outputting the one or more potential vulnerabilities(Chess, paragraph [0032], The security vulnerabilities identified by the analysis engine 124 are reported to the user and related modules 206. The report generator 126 may be used to implement this operation.  Chess, paragraph [0070-0072], The invention identifies a variety of vulnerabilities, including C-buffer overflows, C/Java tainted input, C/Java dynamic SQL, and ordinal problems. Preferably, the security development rules include rules for tracking dangerous data transformations, for performing data processing endpoint analyses, and for probing potential data processing endpoints. Preferably, the security development module is configured to identify taint propagation problems, such as stack buffer overflows, heap buffer overflows, format string attacks, SQL injection, and known problems in popular libraries and third-party software. Further, the security development module is configured to identify ordering constraints issues, such as ordering problems (e.g., race conditions, proper access control/authentication), suspicious code, misuse of common cryptographic protocols, non-crypotographic random number generators and bad seed usage. Preferably, the security development module also supports complexity metrics for architecture analysis and semantic pattern matching. Embodiments of the invention support processing of the following languages: C; C++; Java, including JARs/classes (bytecode analysis), Java frameworks, such as JSP, J2EE/EJB, Struts, and Tapestry. Embodiments of the invention also support PHP, Perl, Python, DLLs, Unix Libraries, Object code and assembly code. Output from the security development module may be in a generic XML format.).
The Office would like to use prior art Pistoia to back up Chess to further teach limitation
outputting the one or more potential vulnerabilities (Pistoia, US 20120192161, paragraph [0025], The system of FIG. 1 and method of FIG. 2, and particularly the interaction between primary and secondary agents, may be illustrated in the context of exemplary Java.TM. source code as shown in FIG. 3, where the type of static analysis being performed is taint analysis, where untrusted values are tracked to determine whether they flow into security-sensitive program points. In the example shown in FIG. 3, the values read from the `args` array are untrusted, and the creation of a new file on the file system, accomplished by the call to `new File( . . . )`, is a security-sensitive operation. In accordance with the present invention, a primary agent is assigned to track `args`. The primary agent encounters the flow `args[0]--->fileName`, and then determines that `fileName` flows into the first (and only) formal argument of `tempDirPrefix( . . . )`. At this point, the primary agent checks whether a summary exists of the flow across the site. If no summary is available, the primary agent suspends its analysis and submits a request for `tempDirPrefix( . . . )` to be summarized assuming its first formal argument is tainted. A secondary agent is then assigned to generate the summary, resulting in the flow `arg--->return`, where `return` denotes the return value from the call. The primary agent continues its analysis using the summary, proceeds to track `tempFilePath`, and observes that the latter variable flows into the `File` constructor, at which point a vulnerability is flagged.). 
It would have been obvious to one ordinary skill in the art at the time the invention was made to use Pistoia's teaching into Chess's invention because incorporating Pistoia 's teaching would enhance Chess to identify common source code structure, regardless of naming conventions used by individual programmers.  A catalog including elemental design patterns and constructs is accessed after converting source code file into fact set in mathematical notation. The design patterns and constructs are independent of source semantic tags. The rules in the notation usable by inference engine are accessed to identify relationships between source code constructs as suggested by Pistoia (paragraphs [0021-0027]).
Claim 22 is rejected for the reasons set forth hereinabove for claim 21, Chess and Pistoia teach the method of claim 21, wherein the traversing further comprising: 
selecting an entry point into the representation of the source code(Pistoia, Fig. 1, component 100 - STATIC ANALYZER, component 102 - PRIMARY AGENT MANAGER, and paragraph [0019-0020], Reference is now made to FIG. 1 which is a conceptual illustration of a system for distributed static analysis of computer software applications in accordance with an embodiment of the present invention. In the system of FIG. 1, a static analyzer 100 is configured to statically analyze the instructions of a computer software application in accordance with conventional techniques, such as where the instructions are in the form of source code or byte code. For each entry point in the computer software application identified by static analyzer 100, a primary agent manager 102 assigns a primary agent to begin statically analyzing the computer software application from the entry point and with respect thereto. An entry point is preferably an interaction interface exposed by the computer software application to sources of interaction that are external to the computer software application.  Chess, paragraph [0063-0064], If user input can be propagated to a function that has been designated as dangerous, then a vulnerability has been found, and the static analysis engine reports the vulnerability to the user. Observe that the static analysis engine 124 is relying upon one or more security development rules 123 to identify the vulnerability. In this example, the SQL select function is designated as dangerous by a security development rule, so the static analysis engine will report a vulnerability when it determines that user input can reach the SQL select invocation defined in the PL/SQL function. In particular, in this example, the output would contain at least the following information: [0065] Vulnerability found: SQL Injection [0066] Entry point: AccountView.doPost:request.getParameter [0067] Flows to: AccountView.doPost:stmt.execute  [0068] Flows to: ACCOUNT.get_balance 
[0069] Flows to: ACCOUNT.get_balance: SELECT. Chess, paragraph [0070-0072].); 
traversing the representation of the source code at the entry point(Pistoia, Fig. 1, component 100 - STATIC ANALYZER, component 102 - PRIMARY AGENT MANAGER, and paragraph [0019-0020], Reference is now made to FIG. 1 which is a conceptual illustration of a system for distributed static analysis of computer software applications in accordance with an embodiment of the present invention. In the system of FIG. 1, a static analyzer 100 is configured to statically analyze the instructions of a computer software application in accordance with conventional techniques, such as where the instructions are in the form of source code or byte code. For each entry point in the computer software application identified by static analyzer 100, a primary agent manager 102 assigns a primary agent to begin statically analyzing the computer software application from the entry point and with respect thereto. An entry point is preferably an interaction interface exposed by the computer software application to sources of interaction that are external to the computer software application.   .  Chess, paragraph [0063-0064], If user input can be propagated to a function that has been designated as dangerous, then a vulnerability has been found, and the static analysis engine reports the vulnerability to the user. Observe that the static analysis engine 124 is relying upon one or more security development rules 123 to identify the vulnerability. In this example, the SQL select function is designated as dangerous by a security development rule, so the static analysis engine will report a vulnerability when it determines that user input can reach the SQL select invocation defined in the PL/SQL function. In particular, in this example, the output would contain at least the following information: [0065] Vulnerability found: SQL Injection [0066] Entry point: AccountView.doPost:request.getParameter [0067] Flows to: AccountView.doPost:stmt.execute  [0068] Flows to: ACCOUNT.get_balance 
[0069] Flows to: ACCOUNT.get_balance: SELECT. Chess, paragraph [0070-0072].); 
monitoring history of the traverse(Pistoia, fig. 2 and paragraph [0024-0025], When a primary agent encounters a call site (204), such as a reference to a method, procedure, or function that is external to the current method/procedure/function being analyzed, the primary agent checks whether a static analysis summary of the external method/procedure/function exists (206). If the summary exists, such as where the summary was previously requested, generated, and retained, the summary is provided to the primary agent which proceeds with its analysis using the summary (214).  .  Chess, paragraph [0063-0064], If user input can be propagated to a function that has been designated as dangerous, then a vulnerability has been found, and the static analysis engine reports the vulnerability to the user. Observe that the static analysis engine 124 is relying upon one or more security development rules 123 to identify the vulnerability. In this example, the SQL select function is designated as dangerous by a security development rule, so the static analysis engine will report a vulnerability when it determines that user input can reach the SQL select invocation defined in the PL/SQL function. In particular, in this example, the output would contain at least the following information: [0065] Vulnerability found: SQL Injection [0066] Entry point: AccountView.doPost:request.getParameter [0067] Flows to: AccountView.doPost:stmt.execute  [0068] Flows to: ACCOUNT.get_balance 
[0069] Flows to: ACCOUNT.get_balance: SELECT. Chess, paragraph [0070-0072].); 
continuing traversing the representation of the source code based at least in part on the history of the traverse(Pistoia, Fig. 2, and paragraph [0024], If the summary does not exist, the primary agent preferably suspends its analysis (208) and issues a request for a static analysis summary of the external method/procedure/function (210), such as by placing the request on a designated queue of requests for static analysis summaries. When making the request, the primary agent preferably specifies one or more arguments based on the characteristics of the call site. A secondary agent is assigned to statically analyze the called external method/procedure/function as per the request, and produce an analysis summary thereof in accordance with conventional techniques (212). The summary is provided to the requesting primary agent which proceeds with its analysis using the summary (214). The results of the static analysis performed using the method of FIG. 2 may be presented to a user in accordance with conventional techniques via a computer-controlled output device such as a printer or computer monitor.  Paragraph [0025], In accordance with the present invention, a primary agent is assigned to track `args`. The primary agent encounters the flow `args[0]--->fileName`, and then determines that `fileName` flows into the first (and only) formal argument of `tempDirPrefix( . . . )`. At this point, the primary agent checks whether a summary exists of the flow across the site… The primary agent continues its analysis using the summary, proceeds to track `tempFilePath`, and observes that the latter variable flows into the `File` constructor, at which point a vulnerability is flagged.  .  Chess, paragraph [0063-0064], If user input can be propagated to a function that has been designated as dangerous, then a vulnerability has been found, and the static analysis engine reports the vulnerability to the user. Observe that the static analysis engine 124 is relying upon one or more security development rules 123 to identify the vulnerability. In this example, the SQL select function is designated as dangerous by a security development rule, so the static analysis engine will report a vulnerability when it determines that user input can reach the SQL select invocation defined in the PL/SQL function. In particular, in this example, the output would contain at least the following information: [0065] Vulnerability found: SQL Injection [0066] Entry point: AccountView.doPost:request.getParameter [0067] Flows to: AccountView.doPost:stmt.execute  [0068] Flows to: ACCOUNT.get_balance 
[0069] Flows to: ACCOUNT.get_balance: SELECT. Chess, paragraph [0070-0072].);
in response to identifying the one or more potential vulnerabilities, storing an indication of the one or more potential vulnerabilities(Pistoia, paragraph [0023-0025], Any of the elements shown in FIG. 1 are preferably executed by or otherwise made accessible to a computer 114 such as by implementing any of the elements in computer hardware and/or in computer software embodied in a physically-tangible, non-transitory, computer-readable medium in accordance with conventional techniques. The results of the static analysis performed by the system of FIG. 1 may be presented by static analyzer 100 to a user in accordance with conventional techniques via a computer-controlled output device such as a printer or computer monitor of computer 114.  .  Chess, paragraph [0063-0064], If user input can be propagated to a function that has been designated as dangerous, then a vulnerability has been found, and the static analysis engine reports the vulnerability to the user. Observe that the static analysis engine 124 is relying upon one or more security development rules 123 to identify the vulnerability. In this example, the SQL select function is designated as dangerous by a security development rule, so the static analysis engine will report a vulnerability when it determines that user input can reach the SQL select invocation defined in the PL/SQL function. In particular, in this example, the output would contain at least the following information: [0065] Vulnerability found: SQL Injection [0066] Entry point: AccountView.doPost:request.getParameter [0067] Flows to: AccountView.doPost:stmt.execute  [0068] Flows to: ACCOUNT.get_balance 
[0069] Flows to: ACCOUNT.get_balance: SELECT. Chess, paragraph [0070-0072].).  
Claim 23 is rejected for the reasons set forth hereinabove for claim 21, Chess and Pistoia teach the method of claim 21, wherein the traversing further comprising: 
selecting an entry point of the representation of the source code, wherein the entry point is a first method body( Pistoia, paragraph [0019]For each entry point in the computer software application identified by static analyzer 100, a primary agent manager 102 assigns a primary agent to begin statically analyzing the computer software application from the entry point and with respect thereto. An entry point is preferably an interaction interface exposed by the computer software application to sources of interaction that are external to the computer software application. Primary agent manager 102 may assign multiple primary agents to statically analyze the computer software application concurrently, with each primary agent statically analyzing the computer software application from a different entry point. .  Chess, paragraph [0063-0064], If user input can be propagated to a function that has been designated as dangerous, then a vulnerability has been found, and the static analysis engine reports the vulnerability to the user. Observe that the static analysis engine 124 is relying upon one or more security development rules 123 to identify the vulnerability. In this example, the SQL select function is designated as dangerous by a security development rule, so the static analysis engine will report a vulnerability when it determines that user input can reach the SQL select invocation defined in the PL/SQL function. In particular, in this example, the output would contain at least the following information: [0065] Vulnerability found: SQL Injection [0066] Entry point: AccountView.doPost:request.getParameter [0067] Flows to: AccountView.doPost:stmt.execute  [0068] Flows to: ACCOUNT.get_balance 
[0069] Flows to: ACCOUNT.get_balance: SELECT. Chess, paragraph [0070-0072].); 
pushing metadata associated with the entry point to a stack, wherein the metadata is a reference to a class declaration of the first method body((Pistoia, Fig. 2, component 214 – PROVIDE SUMMARY TO PRIMARY AGENT, and paragraph [0021-0025], A secondary agent manager 110 assigns a secondary agent to statically analyze the called external method/procedure/function and produce an analysis summary thereof in accordance with conventional techniques. Secondary agent manager 110 may assign multiple secondary agents to statically analyze the computer software application concurrently.  .  Chess, paragraph [0063-0064], If user input can be propagated to a function that has been designated as dangerous, then a vulnerability has been found, and the static analysis engine reports the vulnerability to the user. Observe that the static analysis engine 124 is relying upon one or more security development rules 123 to identify the vulnerability. In this example, the SQL select function is designated as dangerous by a security development rule, so the static analysis engine will report a vulnerability when it determines that user input can reach the SQL select invocation defined in the PL/SQL function. In particular, in this example, the output would contain at least the following information: [0065] Vulnerability found: SQL Injection [0066] Entry point: AccountView.doPost:request.getParameter [0067] Flows to: AccountView.doPost:stmt.execute  [0068] Flows to: ACCOUNT.get_balance 
[0069] Flows to: ACCOUNT.get_balance: SELECT. Chess, paragraph [0070-0072].); 
traversing the first method body of the representation of the source code(Pistoia, paragraph [0024], Reference is now made to FIG. 2 which is a flowchart illustration of an exemplary method of operation of the system of FIG. 1 in accordance with an For each entry point in the computer software application identified during the static analysis, a primary agent is assigned to begin statically analyzing the computer software application from the entry point and with respect thereto (202).  .  Chess, paragraph [0063-0064], If user input can be propagated to a function that has been designated as dangerous, then a vulnerability has been found, and the static analysis engine reports the vulnerability to the user. Observe that the static analysis engine 124 is relying upon one or more security development rules 123 to identify the vulnerability. In this example, the SQL select function is designated as dangerous by a security development rule, so the static analysis engine will report a vulnerability when it determines that user input can reach the SQL select invocation defined in the PL/SQL function. In particular, in this example, the output would contain at least the following information: [0065] Vulnerability found: SQL Injection [0066] Entry point: AccountView.doPost:request.getParameter [0067] Flows to: AccountView.doPost:stmt.execute  [0068] Flows to: ACCOUNT.get_balance 
[0069] Flows to: ACCOUNT.get_balance: SELECT. Chess, paragraph [0070-0072].);
identifying the one or more potential vulnerabilities(Pistoia, paragraph [0022], When checking for an existing summary or making the request for a summary, the primary agent preferably specifies an abstraction of concrete values for each argument required by the call site, where an abstraction is computed based on the characteristics of the call site and the state of the computer software application when the call site is reached, where the state is determined as part of the static analysis performed by the primary agent. For example, if the call is to a method `foo( )` that takes an argument of type `int`, and the static analysis abstraction of `int` is `odd` or `even`, then the request may be for a summary of the behavior of `foo( )` given an `odd` integer if the current state indicates that the argument will most likely be odd.  Paragraph [0025], `. The primary agent encounters the flow `args[0]--->fileName`, and then determines that `fileName` flows into the first (and only) formal argument of `tempDirPrefix( . . . )`. At this point, the primary agent checks whether a summary exists of the flow across the site. If no summary is available, the primary agent suspends its analysis and submits a request for `tempDirPrefix( . . . )` to be summarized assuming its first formal argument is tainted. A secondary agent is then assigned to generate the summary, resulting in the flow `arg-Chess, paragraph [0063-0064], If user input can be propagated to a function that has been designated as dangerous, then a vulnerability has been found, and the static analysis engine reports the vulnerability to the user. Observe that the static analysis engine 124 is relying upon one or more security development rules 123 to identify the vulnerability. In this example, the SQL select function is designated as dangerous by a security development rule, so the static analysis engine will report a vulnerability when it determines that user input can reach the SQL select invocation defined in the PL/SQL function. In particular, in this example, the output would contain at least the following information: [0065] Vulnerability found: SQL Injection [0066] Entry point: AccountView.doPost:request.getParameter [0067] Flows to: AccountView.doPost:stmt.execute  [0068] Flows to: ACCOUNT.get_balance 
[0069] Flows to: ACCOUNT.get_balance: SELECT. Chess, paragraph [0070-0072].); and 
in response to identifying a first method invocation in the first method body, determining a first concrete implementation of the first method invocation to traverse (Pistoia, fig. 2 and paragraph [0024], A secondary agent is assigned to statically analyze the called external method/procedure/function as per the request, and produce an analysis summary thereof in accordance with conventional techniques (212). The summary is provided to the requesting primary agent which proceeds with its analysis using the summary (214).  .  Chess, paragraph [0063-0064], If user input can be propagated to a function that has been designated as dangerous, then a vulnerability has been found, and the static analysis engine reports the vulnerability to the user. Observe that the static analysis engine 124 is relying upon one or more security development rules 123 to identify the vulnerability. In this example, the SQL select function is designated as dangerous by a security development rule, so the static analysis engine will report a vulnerability when it determines that user input can reach the SQL select invocation defined in the PL/SQL function. In particular, in this example, the output would contain at least the following information: [0065] Vulnerability found: SQL Injection [0066] Entry point: AccountView.doPost:request.getParameter [0067] Flows to: AccountView.doPost:stmt.execute  [0068] Flows to: ACCOUNT.get_balance 
[0069] Flows to: ACCOUNT.get_balance: SELECT. Chess, paragraph [0070-0072].). 
 As per claim 31, this is the system claim to method claim 21. Therefore, it is rejected for the same reasons as above.
As per claim 32, this is the system claim to method claim 22. Therefore, it is rejected for the same reasons as above.
As per claim 33, this is the system claim to method claim 23. Therefore, it is rejected for the same reasons as above.

As per claim 41, this is the medium claim to method claim 21. Therefore, it is rejected for the same reasons as above.
As per claim 42, this is the medium claim to method claim 22. Therefore, it is rejected for the same reasons as above.
As per claim 43, this is the medium claim to method claim 23. Therefore, it is rejected for the same reasons as above.

Conclusion
8.	THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to DUY KHUONG THANH NGUYEN whose telephone number is (571)270-7139 and fax number (571)270-7139.  The examiner can normally be reached on M-F 8 to 5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/DUY KHUONG T NGUYEN/           Primary Examiner, Art Unit 2199