DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement

The information disclosure statement (IDS) submitted on 6/12/2019 and 11/03/2020 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Specification

The specification is objected to under 37 C.F.R. 1.74, which requires the detailed description to refer to the different parts of the figures by use of reference letters or reference numerals. Implicit in this rule is that the detailed description correctly reference the figures. In this application the figures and detailed description are inconsistent as explained below.

In page 3 Par. (0034) line 3-5, the specification refers to reference character 22 in Figure 1 as “software application, client/server application, and App under test”
In page 3 Par. (0035) line 1 and line 17, the specification refers to reference character 34 in Figure 1 as “test management station and station”
In Page 4 Par. (0037) line 11, the specification refers to reference character 46 in Figure 1 as “output path and path”

Claim Objections

Claim 1-7, 9-16, 18-25, and 27-28 objected to because of the following informalities:  

In regards to claims 3-4, 7, 9, 12-13, 15, 18, 21-22, 25, and 27-28, the applicant uses the limitation “respect to the control flow path” or “the control flow path”. This becomes unclear because the limitation defined in independent claim 1, 10, 19, and 28 uses the limitation “a respective control flow path”   and is properly used in dependent claims 6, 16 and 24 where claims 6, 16 and 24 refer back reciting “the respective control flow path”. The applicant should follow the pattern of which the limitation was called/defined and not address the limitation in some areas of the claim while renaming or re-addressing the limitation in another fashion elsewhere in the claims. It will be broadly and reasonably interpreted that the limitation “a respective control flow path” is the same limitation being referred to throughout the claims in regards to the control flow path.

“control flow path” that is not defined or explained in the specifications. It will be broadly and reasonably interpreted that the “control flow path” is a source address, destination address, IP address, or the progression to start and finish of the execution.
Appropriate correction is required.



Claim Rejections - 35 USC § 112

The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.



Claims 1-3, 5-6, 10-12, 14, 16, 19-21, 23-24, and 28  rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention


“database”. This becomes unclear because in independent claim 1, 10, 19, and 28 the applicant already calls and defines the limitation as “Vulnerability database” as well as it becomes unclear as to which database the applicant is referring to. In Figure 1 reference character 28, the applicant shows another database storing memory, it becomes unclear if the applicant is referring to this “database” throughout the claims or if the applicant is referring to the “Vulnerability database”. This fails to show consistency to follow the limitation already defined in the independent claims as well as to clearly define which database is being used throughout the claims.



In regards to claims 3, 12, 21, and 28, the applicant uses the limitation “the signature”. This becomes unclear as to which signature the applicant is referring to, in the claims the applicant calls and defines limitations such as “a further signature”, “a new signature” and “a respective signature”. It becomes unclear if the applicant is trying to refer to the limitation “a respective signature” that is already defined.  The applicant fails to call an already defined limitation making it unclear on which signature the limitation “the signature” is referring to. The applicant fails to follow the consistency and pattern of the limitation already defined because in claims 8, 10, 17, 19, 26, and 28 the limitation “a respective signature” is used. 

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claim 1-5, 7-15, 18-23, and 25-28 is/are rejected under 35 U.S.C. 103 as being unpatentable over Williams U.S Pub. No. 20140165204 in view of Sheridan U.S Pub. No. 20140283081.

In regards to Claim 1, Williams teaches a method for testing a software application program, comprising: (0002 “field of vulnerability detection and testing in computer systems.”) (0004 “detecting the presence of vulnerabilities in a software application.”)
storing in a vulnerability database records of security vulnerabilities identified in execution of the program, each record comprising a location field containing a respective signature indicative of a location in the execution at which a corresponding security vulnerability was detected and a metadata field indicative of a respective control flow path on which the corresponding security vulnerability occurred; (Fig. 8 label 800-802"<context>" and "method name"; trace (record) location field  (URL) of security vulnerability, event field (respective signature);( Par. (0116) “the vulnerability detection system 200 can have the full runtime information along with the location of the problem in the code of the application) (Par. (0034) “The tracking module 240 collects the generated event indicators from the application 230 in a database and analyses the stored indicators for the presence of vulnerabilities. The analysis may be performed during the execution of the application”; Event indicator serves as an identifier or signature of the location in which the vulnerability was detected) Fig. 8, and par. 88 Stack 803; serves as the control flow path; (Par. (0075) “The event indicators that are related to control flow or scope can also be tracked, but because there is no associated data with these the event indicators, these types of events can be tracked using the current thread of execution)
detecting a further security vulnerability at a given location in a subsequent execution of the program; (Par. 86, "classify a new trace"; “The duplicate detection analysis may classify the new trace as a true duplicate of previous traces or as a potential duplicate. The tracking system may then choose  outputting an indication to a developer of the program of an occurrence of a new security vulnerability. (Par. (0111) “the vulnerability detection system 200 would be accessible directly from the developer's integrated development environment (IDE) and would produce warnings about detected vulnerabilities in the developer's code. Identified vulnerabilities would be displayed in the developer's IDE with suggested fixes. In addition, a profiling tool can integrate with the vulnerability detection system 200 to discover vulnerabilities during software development. Any vulnerability discovered would be logged as part of the testing results; indicating to developer new vulnerability), (Par. (0089) “a user can browse the results or be alerted about existence of vulnerabilities immediately after vulnerabilities are detected and/or while the application 230 is still executing; user (developer) being alerted (indicated) on new vulnerability).
However Williams does not teach, computing a new signature of the given location and comparing the new signature to the location field of the records in the database, and when no record is found to match the new signature, outputting an indication to a developer of the program of an occurrence of a new security vulnerability. 
Wherein Sheridan teaches computing a new signature of the given location and comparing the new signature to the location field of the records in the database (Par. (0043) “a signature of a potential vulnerability of the source code is generated. Signatures of one or more potential vulnerabilities may be generated.” (Par. (0037) “The signature generator 224 may use the collected metadata in one or more of a variety of ways so as to generate a unique signature associated with the vulnerability”) (Par. (0038) “Correlating the generated signature with previously stored signatures may include comparing the signatures with one another to determine whether they are identical or are substantially similar to one another.”; new signature is compared to the signature in the database) and when no record is found to match the new signature, (Par. (0007) “When it is determined that the generated signature does not match a previously stored signature, the potential vulnerability the potential vulnerability may be characterized as having the generated signature as a new vulnerability.)
Given the teachings as a whole it is rationale to combine the references of Williams and Sheridan because of the analogous field of invention in regards to Vulnerability testing within a software application. Sheridan contributes and describes the use of signatures to match and compare vulnerabilities detected that are new or recurring. This allows a more efficient method of protecting software applications from potential vulnerabilities as well as creating system to define detect and analyze various vulnerabilities. By having signatures correlating to the location and path the vulnerabilities has taken place it becomes it provides accountability and a system of checks to match which recurrent , new or resolved vulnerability has taken place. Thus leads to faster and more efficient solutions on executed programs. The motivation to combine these references is 

In regards to Claim 2, in combination with the teaching of Williams and Sheridan, Williams teaches the method according to claim 1, and comprising adding a new record to the database with respect to the new security vulnerability. (Par. 111 Any vulnerability discovered would be logged as part of the testing results.) (Par.89 “the tracking module 240 analyzes the stored event indicators and detects any possible vulnerabilities based on the analysis. If at least one vulnerability is detected (step 955), the tracking module 240 generates at least one trace related to the vulnerability; new trace (record) with respect to new vulnerability; new trace (record) to the database for new vulnerability)


In regards to Claim 3, in combination with the teaching of Williams and Sheridan, Sheridan teaches the method according to claim 1, and comprising: extracting metadata with respect to the control flow path on which the further security vulnerability occurred; (Par. (0036) “The metadata collector 223 may collect various information about one or more nodes  when the new signature is found to match the signature of a given record in the database, comparing the extracted metadata to the metadata field in the given record in order to classify the further security vulnerability as a recurrent or new security vulnerability. (Figure 5 label 504 Par. (0059) “For example, each generated signature may be compared to all of the previously stored signatures. If the generated signature is identical to or substantially similar to at least one of the previously stored signatures, then it may be determined that the generated signature matches the previously stored signatures. If there is not a match, then processing continues to operation 506, where it is determined that a new vulnerability is detected. If there is a match, then processing continues to operation 508, where it is determined that the vulnerability is a duplicate.”)
Given the teachings as a whole it becomes rationale for one of ordinary skill in the art to combine the teachings of Williams with the teachings of Sheridan because of the analogous field of vulnerability testing on software applications. Sheridan provides a method of comparing the matched signature corresponding the vulnerability that occurred, this allows clarity for the software developer to classify and organize which vulnerability is recurring or new. The motivation to combine these references is because to address the issue of vulnerabilities the software developers need fast efficient solutions, to do so the organization and classification of each vulnerability is essential so that repeat problems detected later on will not come as a surprise and newer vulnerabilities 

In regards to Claim 4, in combination with the teaching of Williams and Sheridan, Sheridan teaches the method according to claim 3, wherein the metadata field in each record contains a hash computed over the location, the control flow path, and a type of the corresponding security vulnerability. (Par. (0053) “For example, the signature generator 224 may apply a hash function to the metadata and use the output of the hash function as the signature.) (Par. (0022) “then the SCA engine generates a hash of all the collected meta-data. This resulting hash of meta-data represents the unique signature of the vulnerability. This unique signature is generated using contextual information that will persist over the lifetime of the application unless the codebase containing the vulnerability dramatically changes. All unique vulnerability signatures produced by a scan are saved and used for comparison when the same application is re-scanned.; hash contains information computed over location, control flow path and vulnerability), (Par. (0078) “The SQL injection class contains two distinct SQL injection vulnerabilities, at line 19 and 27 respectively. […]  SCA engine to produce a hash label; corresponding vulnerability (SQL injection) produces hash over location and path of vulnerability; hash computed over metadata that contains the location (source code with URL) control flow path (source and destination address) and corresponding vulnerability (SQL injection)).
and wherein comparing the extracted metadata comprises computing the hash for the further security vulnerability, and matching the computed hash to the hash in the given record. (Par. (0084) “All of this information is then hashed together and represents the vulnerability signature. If a subsequent scan matches the hash value, then the SCA engine has high confidence that it is dealing with the same vulnerability in the same contextually similar location in code.).
Given the teachings as a whole it becomes rationale to one of ordinary skill to combine the teachings of Williams with the teachings of Sheridan because of the analogous field of vulnerability testing on software applications. Sheridan provides a hash that is computed and compared to other security vulnerabilities on the record. This allows a clear distinction for software developers to be able to keep track of recurring or new vulnerabilities on the software, this will lead to the improvement of the system because with each hash corresponding to the exact vulnerability it will in turn allow the software developers to come up with better solutions by separating the old from new vulnerabilities. The motivation to combine these references are not only for the betterment of the software developers but to create a clear self-sufficient vulnerability detection software that can combat new security vulnerabilities while dealing with reoccurring ones.

In regards to Claim 5, in combination with the teaching of Williams and Sheridan, 
indicating to the developer of the program that the corresponding security vulnerability has been resolved. (Par. (0111) “the vulnerability detection system 200 would be accessible directly from the developer's integrated development environment (IDE) and would produce warnings about detected vulnerabilities in the developer's code. Identified vulnerabilities would be displayed in the developer's IDE with suggested fixes. In addition, a profiling tool can integrate with the vulnerability detection system 200 to discover vulnerabilities during software development. Any vulnerability discovered would be logged as part of the testing results; indicating to developer new vulnerability), (Par. (0089) “a user can browse the results or be alerted about existence of vulnerabilities immediately after vulnerabilities are detected and/or while the application 230 is still executing; user (developer) being alerted (indicated) on new vulnerability).
However Williams does not teach the method according to claim 1, and comprising: traversing, in the subsequent execution of the program, a further location at which no security vulnerability is detected; computing a further signature of the further location and comparing the further signature to the location field of the records in the database.
Wherein Sheridan teaches the method according to claim 1, and comprising: traversing, in the subsequent execution of the program, a further location at which no security vulnerability is detected; (Par. 0050 “If no vulnerability is detected, in some embodiments, the traverser may continue to 
computing a further signature of the further location and comparing the further signature to the location field of the records in the database (Par. (0043) “a signature of a potential vulnerability of the source code is generated. Signatures of one or more potential vulnerabilities may be generated.”) (Par. (0037) “The signature generator 224 may use the collected metadata in one or more of a variety of ways so as to generate a unique signature associated with the vulnerability”) (Par. (0038) “Correlating the generated signature with previously stored signatures may include comparing the signatures with one another to determine whether they are identical or are substantially similar to one another.”; new signature is compared to the signature in the database) (Par. (0038) “Correlating the generated signature with previously stored signatures may include comparing the signatures with one another to determine whether they are identical or are substantially similar to one another. For example, correlator 225 may store generated signatures of detected potential vulnerabilities in the current signatures repository 226, and may have previously stored signatures in repository 227. Correlator 225 may then compare the recently stored signatures with those previously stored to determine whether there are any matches.; computing previous stored signature( further signature) with detected vulnerabilities (at a further location) with repository (storage)).
and when one of the records is found to match the new signature, (Par. 0061 “If it is determined that previously stored signatures exist but there is 
Given the teachings as a whole it becomes rationale to one of ordinary skill in the art to combine the teachings of Williams with the teachings of Sheridan over the analogous art of vulnerability testing in software applications. Sheridan provides a thorough detections system even after the vulnerability test has been executed, this provides a second scope for software developers for possible vulnerability at locations that have not been detected. This allows a system of self-check for hidden vulnerabilities that didn’t appear during execution to be traversed and readdressed. This provides the software developers reassurance and a system to classify group and match signatures with its corresponding vulnerability. The motivation to combine these references is because as technology advances and new vulnerabilities arise software developers need to continue to be familiar with new vulnerabilities.  Sheridan displays a method of strengthening the vulnerability testing and allows software developers to address possible vulnerabilities that did not appear to in turn allow the developers to come up with better solutions to improve the vulnerability detection on the software. 



the method according to claim 1, wherein the control flow path in the metadata field is identified by at least a source and a sink of data processed at the location of the corresponding security vulnerability. (Par. (0029) “to identify is the flow of untrusted data from its entry point, known as a "source," to a vulnerable Application Programming Interface (API); identified source address (control flow path), (Figure 14 “Jsp Writerlmpl.line 21”; signifies the location of the identified vulnerability in the URL (location) . (Par. (0096) “For example, the summary section 1401 can include a graphical or textual illustration that identifies propagation of untrusted data from its entry point ("source") to a vulnerable API ("sink").”). 

In regards to Claim 8, in combination with the teaching of Williams and Sheridan, Williams teaches the method according to 1, wherein the location at which each of the security vulnerabilities was found to occur corresponds to a request submitted to a server running the program, (Par. (0052) Other important types of active sensors may include monitors for HTTP requests and responses and application server configuration. HTTP request and response sensors capture the HTTP traffic either received at or transmitted from the application server. HTTP response and request sensors may then analyze the captured HTTP traffic for vulnerabilities.), (Par. (0103) “ When the application handles a replay of an HTTP request associated with a previously discovered vulnerability, but the vulnerability is no longer present, some implementations 
and wherein the request is normalized by replacing variable parameters in the request with constant placeholders prior to computing the respective signature. (Figure 8 Java object <parameter types> replaced with placeholders)(Par. (0088) “This data 802 can include input parameters, output values, and stack 803) (Par. (0088) “The trace 800 includes one or more the event fields 801 associated with event indicators received from the instrumented application; event field contains respective signature (event indicator) prior to the execution of the vulnerability test)


In regards to Claim 9, in combination with the teaching of Williams and Sheridan, Williams teaches the method according to claim 1, and comprising, prior to the execution of the program, instrumenting the program with instructions configured to detect the security vulnerabilities and output the location and metadata with respect to the control flow path of each of the security vulnerabilities. (Par. (0033) “The vulnerability detection system 200 inserts software sensors into each of the methods designated by the events in 


In regards to Claim 10 a combination of Williams and Sheridan, Williams teaches an apparatus for testing a software application program, comprising: a memory: (Par. (0118) the system 2000 can be included in the application server 102 executing the vulnerability detection system 200. The system 2000 includes a processor 2010, a memory 2020, a storage device 2030”; Figure 20 label 2000 is the apparatus)
A memory (Figure 20 label 2020), which is configured to store a vulnerability database containing records of security vulnerabilities identified in execution of the program, each record comprising a location field containing a respective signature indicative of a location in the execution at which a corresponding security vulnerability was detected and a metadata field indicative of a respective control flow path on which the corresponding security vulnerability occurred; (Fig. 8 label 800-802"<context>" and "method name"; trace (record) location field  (URL) of security vulnerability, event field (respective signature);( Par. (0116) “the vulnerability detection system 200 can have the full runtime information along with the location of the problem in the code of the application) (Par. (0034) “The tracking module 240 collects the generated event indicators from the application 230 in a database and analyses the stored indicators for the presence of 
and a processor (Figure 20 label 2010), which is configured to detect a further security vulnerability at a given location in a subsequent execution of the program, (Par. 86,  "classify a new trace"; “duplicate detection may be based on a combination of details of the vulnerability, optionally including a dynamic vulnerability title, HTTP parameters; detect vulnerability based on HTTP parameters (a given location) , “The duplicate detection analysis may classify the new trace as a true duplicate of previous traces or as a potential duplicate. The tracking system may then choose to track all traces reported, discard duplicates, or automatically group duplicates in the user interface so that they may be viewed as a single vulnerability while still allowing individual duplicates to be analyzed if necessary.; tracking system identifies a possible duplicate (further) vulnerability at a given location ).  
To output an indication to a developer of the program of an occurrence of a new security vulnerability. (Par. (0111) “the vulnerability detection system 200 would be accessible directly from the developer's integrated development environment (IDE) and would produce warnings about 
However Williams does not teach, to compute a new signature of the given location and comparing the new signature to the location field of the records in the database, and when no record is found to match the new signature, to output an indication to a developer of the program of an occurrence of a new security vulnerability.
Wherein Sheridan teaches, to compute a new signature of the given location and comparing the new signature to the location field of the records in the database, and when no record is found to match the new signature, (Par. (0043) “a signature of a potential vulnerability of the source code is generated. Signatures of one or more potential vulnerabilities may be generated.”) (Par. (0037) “The signature generator 224 may use the collected metadata in one or more of a variety of ways so as to generate a unique signature associated with the vulnerability”) (Par. (0038) “Correlating the generated signature with previously stored signatures may include comparing the 
Given the teachings as a whole it is rationale to combine the references of Williams and Sheridan because of the analogous field of invention in regards to Vulnerability testing within a software application. Sheridan contributes and describes the use of signatures to match and compare vulnerabilities detected that are new or recurring. This allows a more efficient method of protecting software applications from potential vulnerabilities as well as creating system to define detect and analyze various vulnerabilities. By having signatures correlating to the location and path the vulnerabilities has taken place it becomes it provides accountability and a system of checks to match which recurrent , new or resolved vulnerability has taken place. Thus leads to faster and more efficient solutions on executed programs. The motivation to combine these references is because Williams and Sheridan provide a secure and trusted method for software developers to strengthen and combat various vulnerability attacks on their systems. By matching the database records with the signature that correlates to where the vulnerability was found this allows the fast and thorough process of vulnerability detection and resolution for many software applications being executed. 

In regards to Claim 11 and 20, in combination with the teaching of Williams and Sheridan, Williams and Sheridan discuss all the limitation stated in Claim 2 and is thereby rejected on the same grounds.

In regards to Claim 12 and 21, in combination with the teaching of Williams and Sheridan, Williams and Sheridan discuss all the limitation stated in Claim 3 and is thereby rejected on the same grounds.

In regards to Claim 13 and 22, in combination with the teaching of Williams and Sheridan, Williams and Sheridan discuss all the limitation stated in Claim 4 and is thereby rejected on the same grounds.

In regards to Claim 14 and 23, in combination with the teaching of Williams and Sheridan, Williams and Sheridan discuss all the limitation stated in Claim 5 and is thereby rejected on the same grounds.

In regards to Claim 15 and 25, in combination with the teaching of Williams and Sheridan, Williams and Sheridan discuss all the limitation stated in Claim 7 and is thereby rejected on the same grounds.



In regards to Claim 18 and 27, in combination with the teaching of Williams and Sheridan, Williams and Sheridan discuss all the limitation stated in Claim 9 and is thereby rejected on the same grounds.

In regards to Claim 19 Williams teaches, a computer software product for testing a software application program, the product comprising a non-transitory computer-readable medium (Figure 20 label 2030; computer readable medium, (Par. (0121) “The features described can be implemented in digital electronic circuitry, or in computer hardware, firmware, software, or in combinations of them.) in which program instructions are stored, which instructions, when read by a computer, cause the computer to store a vulnerability database containing records of security vulnerabilities identified in execution of the program, each record comprising a location field containing a respective signature indicative of a location in the execution at which a corresponding security vulnerability was detected and a metadata field indicative of a respective control flow path on which the corresponding security vulnerability occurred, (Fig. 8 label 800-802"<context>" and "method name"; trace (record) location field  (URL) of security vulnerability, event field (respective signature);( Par. (0116) “the wherein the instructions cause the computer to detect a further security vulnerability at a given location in a subsequent execution of the program, ( (Par. 86,  "classify a new trace"; “duplicate detection may be based on a combination of details of the vulnerability, optionally including a dynamic vulnerability title, HTTP parameters; detect vulnerability based on HTTP parameters (a given location), “The duplicate detection analysis may classify the new trace as a true duplicate of previous traces or as a potential duplicate. The tracking system may then choose to track all traces reported, discard duplicates, or automatically group duplicates in the user interface so that they may be viewed as a single vulnerability while still allowing individual duplicates to be analyzed if necessary.; tracking system identifies a possible duplicate (further) vulnerability at a given location ).
To output an indication to a developer of the program of an occurrence of a new security vulnerability. (Par. (0111) “the vulnerability detection system 200 would be accessible directly from the developer's integrated development environment (IDE) and would produce warnings about detected vulnerabilities in the developer's code. Identified vulnerabilities would be displayed in the developer's IDE with suggested fixes. In addition, a profiling tool can integrate with the vulnerability detection system 200 to discover vulnerabilities during software development. Any vulnerability discovered would be logged as part of the testing results; indicating to developer new vulnerability), (Par. (0089) “a user can browse the results or be alerted about existence of vulnerabilities immediately after vulnerabilities are detected and/or while the application 230 is still executing; user (developer) being alerted (indicated) on new vulnerability).
However Williams does not teach, to compute a new signature of the given location and comparing the new signature to the location field of the records in the database, and when no record is found to match the new signature, to output an indication to a developer of the program of an occurrence of a new security vulnerability.
Wherein Williams teaches to compute a new signature of the given location and comparing the new signature to the location field of the records in the database, and when no record is found to match the new signature (Par. (0043) “a signature of a potential vulnerability of the source code is generated. Signatures of one or more potential vulnerabilities may be 
Given the teachings as a whole it is rationale to combine the references of Williams and Sheridan because of the analogous field of invention in regards to Vulnerability testing within a software application. Sheridan contributes and describes the use of signatures to match and compare vulnerabilities detected that are new or recurring. This allows a more efficient method of protecting software applications from potential vulnerabilities as well as creating system to define detect and analyze various vulnerabilities. By having signatures correlating to the location and path the vulnerabilities has taken place it becomes it provides accountability and a system of checks to match which recurrent , new or resolved vulnerability has taken place. Thus leads to faster and more efficient solutions on executed programs. The motivation to combine these references is because Williams and Sheridan provide a secure and trusted method for software developers to strengthen and combat various vulnerability attacks on 


In regards to Claim 28, Williams teaches a method for testing a software application program, comprising: (0002 “field of vulnerability detection and testing in computer systems.”) (0004 “detecting the presence of vulnerabilities in a software application.”)
storing in a vulnerability database records of security vulnerabilities identified in execution of the program, each record comprising a location field containing a respective signature indicative of a location in the execution at which a corresponding security vulnerability was detected and a metadata field indicative of a respective control flow path on which the corresponding security vulnerability occurred; (Fig. 8 label 800-802"<context>" and "method name"; trace (record) location field  (URL) of security vulnerability, event field (respective signature);( Par. (0116) “the vulnerability detection system 200 can have the full runtime information along with the location of the problem in the code of the application) (Par. (0034) “The tracking module 240 collects the generated event indicators from the application 230 in a database and analyses the stored indicators for the presence of vulnerabilities. The analysis may be performed during the execution of the 
detecting a further security vulnerability at a given location in a subsequent execution of the program; (Par. 86, "classify a new trace"; “The duplicate detection analysis may classify the new trace as a true duplicate of previous traces or as a potential duplicate. The tracking system may then choose to track all traces reported, discard duplicates, or automatically group duplicates in the user interface so that they may be viewed as a single vulnerability while still allowing individual duplicates to be analyzed if necessary.; tracking system identifies a possible duplicate (further) vulnerability at a given location ).
However Williams does not teach computing a new signature of the given location and comparing the new signature to the location field of the records in the database; extracting metadata with respect to the control flow path on which the further security vulnerability occurred; and when the new signature is found to match the signature of a given record in the database, comparing the extracted metadata to the metadata field in the given record in order to classify the further security vulnerability as a recurrent or new security vulnerability.
Wherein Sheridan teaches computing a new signature of the given location and comparing the new signature to the location field of the records in the database; (Par. (0043) “a signature of a potential vulnerability of the source code is generated. Signatures of one or more potential vulnerabilities may be generated.” (Par. (0037) “The signature generator 224 may use the collected metadata in one or more of a variety of ways so as to generate a unique signature associated with the vulnerability”) (Par. (0038) “Correlating the generated signature with previously stored signatures may include comparing the signatures with one another to determine whether they are identical or are substantially similar to one another.”; new signature is compared to the signature in the database)
extracting metadata with respect to the control flow path on which the further security vulnerability occurred; (Par. (0036) “The metadata collector 223 may collect various information about one or more nodes associated with a detected vulnerability”; data collected on nodes on a control flow path when identified with vulnerability.)
and when the new signature is found to match the signature of a given record in the database, comparing the extracted metadata to the metadata field in the given record in order to classify the further security vulnerability as a recurrent or new security vulnerability. (Figure 5 label 504 Par. (0059) “For example, each generated signature may be compared to all of the previously stored signatures. If the generated signature is identical to or substantially similar to at least one of the previously stored signatures, then it may be determined that the generated signature matches the previously stored signatures. If there is not a match, then processing continues to operation 506, 
Given the teachings as a whole it is rationale to combine the references of Williams and Sheridan because of the analogous field of invention in regards to Vulnerability testing within a software application. Sheridan contributes and describes the use of signatures to match and compare vulnerabilities detected that are new or recurring. This allows a more efficient method of protecting software applications from potential vulnerabilities as well as creating system to define detect and analyze various vulnerabilities. By having signatures correlating to the location and path the vulnerabilities has taken place it becomes it provides accountability and a system of checks to match which recurrent , new or resolved vulnerability has taken place. Thus leads to faster and more efficient solutions on executed programs. Also by extracting the metadata with information containing where and in what path the vulnerability occurred it provides clarity and notifies the software developer about new or recurring developments in the vulnerability to allow faster more efficient response times and solution.
The motivation to combine these references is because Williams and Sheridan provide a secure and trusted method for software developers to strengthen and combat various vulnerability attacks on their systems. By matching the database records with the signature that correlates to where the vulnerability was found this allows the fast and thorough process of vulnerability .  



Claims 6, 16, and 24  is/are rejected under 35 U.S.C. 103 as being unpatentable over Williams U.S Pub. No. 20140165204 and Sheridan U.S Pub. No. 20140283081 in further view of Bach U.S Pub. No. 20160078231.

In regards to Claim 6, Williams and Sheridan do not teach the method according to claim 1, and comprising, after completing the subsequent execution of the program without having traversed the respective control flow path of a given security vulnerability that is recorded in the database, indicating to the developer of the program that a state of the given security vulnerability is unknown due to insufficient coverage.
Wherein Bach teaches  the method according to claim 1, and comprising, after completing the subsequent execution of the program without having traversed the respective control flow path of a given security vulnerability that is recorded in the database, indicating to the developer of the program that a state of the given security vulnerability is unknown due to insufficient coverage. (Par. (0088) “Version V1 of the 
Given the teachings as a whole it is necessary to combine the teachings of Williams and Sheridan with the teachings of Bach because of the analogous concept of vulnerability detection, Bach teaches the concept that when you execute a vulnerability detection system and receive inconclusive results it is due to the fact that there is insufficient coverage and that multiple vulnerabilities could still be detected. It is rationale to combine because this alerts the developer that even though multiple tests are executed in the program unknown, undetected or unexamined vulnerabilities may occur, this notifies the software developers and provides them an efficient way to access monitor and manage the vulnerability detection system to allow them to modify the execution and provide a solution for the software over its life cycle.
There is a motivation to combine these references is because it allows the software developers to periodically monitor and be alerted by the vulnerability detection system to provide reasonable and efficient solutions when there is a 

In regards to Claim 16 and 24, in a combination with Williams, Sheridan and Bach, Williams, Sheridan and Bach discuss all the limitations in Claim 6 and thereby rejected on the same grounds.

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

Brian Chess (US Pub 20050273859) “Apparatus And Method For Testing Secure Software” I chose to review this reference because it is discussed a software program with instructions to analyze program instructions for security vulnerabilities. Executable instructions identify potential security vulnerabilities within program instructions based upon input from an attack database and information derived during a static analysis of the program instructions.
Maty Simon (US Pub 20100083240) “LOCATING SECURITY VULNERABILITIES IN SOURCE CODE” I chose to review this reference 
Alexander Roichman (US Pub. 20170270303) “Integrated Interactive Application Security Testing” I chose to review this reference because it deals with a method for testing a software application program and tests that are applied to the program in order to detect security vulnerabilities in the program.



Any inquiry concerning this communication or earlier communications from the examiner should be directed to HASSAN A HUSSEIN whose telephone number is (571)272-3554.  The examiner can normally be reached on 7:30am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw can be reached on (571)272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for 

/HASSAN A HUSSEIN/ 
Examiner, Art Unit 2497


/ELENI A SHIFERAW/Supervisory Patent Examiner, Art Unit 2497