DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

In view of the Appeal Brief filed on 01/15/2021, PROSECUTION IS HEREBY REOPENED. New grounds of rejections are set forth below.
To avoid abandonment of the application, appellant must exercise one of the following two options:
(1) file a reply under 37 CFR 1.111 (if this Office action is non-final) or a reply under 37 CFR 1.113 (if this Office action is final); or,
(2) initiate a new appeal by filing a notice of appeal under 37 CFR 41.31 followed by an appeal brief under 37 CFR 41.37. The previously paid notice of appeal fee and appeal brief fee can be applied to the new appeal. If, however, the appeal fees set forth in 37 CFR 41.20 have been increased since they were previously paid, then appellant must pay the difference between the increased fees and the amount previously paid.
A Supervisory Patent Examiner (SPE) has approved of reopening prosecution by signing below:
/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433                                                                                                                                                                                                        



Response to Amendments
This communication is in response to the amendments filed on 24 July 2020:
	Claim 17 is amended.
	Claims 1-20 are pending.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.



Claims 1-5, 8-15 and 17-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by STEVEN et al. (U.S. PGPub. 2017/0329582), hereinafter Steven. 

	Regarding claim 1, Steven teaches A method comprising:
	identifying open source components used in a software project (Steven, Paragraph [0055], see “Many software applications are complex and difficult to analyze. For instance, an application may include hundreds of modules and millions of lines of code, and may make use of external components (e.g., frameworks, libraries, middleware, etc.) that may or may not be open sourced. The inventors have recognized and appreciated that it may be beneficial to provide techniques for abstracting a software application in a manner that focuses on one or more properties of interest, and that it may also be beneficial to provide techniques for abstracting a framework or library”) (Steven, Paragraph [0066], see “The resulting model may then be evaluated, and/or be used to identify relevant portions of the program code that should be evaluated, using one or more property queries relating to the issue(s) of interest”, where “issue(s) of interest” are pertaining to the open source components used in a software project);
	for each identified open source component,
		generating a graph database query that indicates an identifier of the open source component and indicates a version of the open source component (Steven, Claim 1, see ;
		submitting the graph database query to a graph database of open source component vulnerabilities (Steven, Claim 1, see “formulating, by the one or more processing devices, a graph-based request query…submitting, by the one or more processing devices, the request query to a knowledge base; and receiving, by the one or more processing devices, a graph-based responsive query based on the guidance property and generated by manipulating the request query, from the knowledge base in response to the request query”) (Steven, Paragraph [0299], see “the guidance engine 2705 may, in some embodiments, be programmed to submit questions to the knowledge base 2710, and the knowledge base 2710 may be programmed to provide answers to the guidance engine 2. For instance, the guidance engine 2705 may submit a query such as, “how to fix the vulnerability Y if version 1.0 of the framework X is used?” The knowledge base 2710 may return an answer such as, “update to version 1.1 of the framework X.””); and
	generating a vulnerability report for the software project with results from the submitted graph database queries (Steven, FIG. 28 and Paragraph [0297], see “FIG. 28 shows an illustrative .

	Regarding claim 2, Steven teaches The method of claim 1 further comprising generating a call graph for the software project, wherein identifying the open source components comprises traversing the call graph (Steven, Paragraph [0103], see “the analysis engine may first apply one or more discovery queries to extract relevant information from the AST constructed at act 605, thereby constructing a reduced AST…Any suitable method may be used to traverse an AST…AST nodes may be visited based on control flow, and relationships between the AST nodes may be examined to check a query”) (Steven, Paragraph [0256], see “a call graph may be used to capture function call relationships, whereas a data flow graph may be used to capture data dependence information”).

	Regarding claim 3, Steven teaches The method of claim 2, wherein identifying the open source component comprises determining for each vertex in the call graph whether open source attribution information exists in the software project (Steven, Paragraph [0295], see “the knowledge base 2710 may include a knowledge graph having one or more nodes and/or one or more edges…Each edge may represent a relationship between a source node and a target node, where the target node may be different from, or the same as, the source node”) (Steven, Paragraph [0297], see “the knowledge graph 2800 includes two nodes, 2805 and 2810. The node 2805 may represent a software development 

	Regarding claim 4, Steven teaches The method of claim 1 further comprising generating a dependency graph indicating dependencies of code units in the software project upon each identified open source component (Steven, Paragraph [0165], see “a property query may program an analysis engine to detect “fail fast” comparisons…the property query 1055 may be written using a data flow operator USE, which may cause the analysis engine to search for a function declaration that has two byte arrays as arguments ($a and $b) and includes a for loop with an if statement in the body of the for loop, where the condition ($1) of the if statement depends on both of the byte array arguments ($1 USE $a AND $2 USE $b). Thus, the property query 1055 may cause the analysis engine to perform a combination of syntactic matching and data flow analysis to detect a “fail fast” comparison”, where the “fail fast” comparison indicates dependencies of code units in the software project(s)) (Steven, Paragraph [0256], see “a call graph may be sued to capture function call relationships, whereas a data flow graph may be used to capture data dependence information (e.g., how a tainted value is propagated)”, where “data flow graph” is being read as the generated dependency graph indicating dependencies of code units in the software project(s)).

	Regarding claim 5, Steven teaches The method of claim 4, wherein generating the vulnerability report comprises correlating each vulnerability indicated in the results with code units of the software project based on the dependency graph (Steven, Paragraph [0086], see “Any suitable combination of one or more property checking techniques may be used, including, but not limited to, data flow analysis, control flow analysis, and/or model checking. The property checking component 340 may then output one or more results, which may include a finding indicating an identified problem 

	Regarding claim 8, Steven teaches The method of claim 1, wherein an open source component is an open source library (Steven, Paragraph [0055], see “an application may include hundreds of modules and millions of lines of code, and may make use of external components (e.g., frameworks, libraries, middleware, etc.) that may or may not be open sourced. The inventors have recognized and appreciated that it may be beneficial to provide techniques for abstracting a software application in a manner that focuses on one or more properties of interest, and that it may also be beneficial to provide techniques for abstracting a framework or library”).

	Regarding claim 9, Steven teaches The method of claim 1, wherein generating the graph database query comprises generating the graph database query according to a schema of the graph database that indicates a graph structure comprising a first vertex to represent a vulnerability source, a second vertex to represent a vulnerability, a third vertex to indicate a software component version or version range, a plurality of vertices to represent different types of software components, and edges among the vertices to indicate types of relationships among the vertices (Steven, FIG. 28, see “2805” which is being read as a first vertex to represent a vulnerability source, see “2815” which indicates a second vertex to represent a vulnerability, see “2805” which is being read as a third vertex to indicate a software component version or version range, see “2805” and “2810” which show a plurality of vertices that represent different types of software components and see “2815” which shows edges among the vertices to indicate types of relationships among the vertices) (Steven, Paragraph [0297], see “FIG. 28 shows an illustrative knowledge graph 2800, in accordance with some embodiments…the knowledge graph 2800 includes two nodes, 2805 and 2810. The node 2805 may represent a software development framework (e.g., version 1.0 of a framework X), and the node 2810 may represent another software development framework (e.g., version 1.1 of the framework X). The knowledge graph 2800 may further include an edge 2815 from the node 2805 to the node 2810. The edge 2815 may represent a “Replace” relationship…the edge 2815 may indicate that if a certain pattern (e.g., a vulnerability Y) is identified, then the framework represented by the node 2805 (e.g., version 1.0 of the framework X) should be replaced by the framework represented by the node 2810 (e.g., version 1.1 of the framework X).

	Regarding claim 10, Steven teaches A non-transitory, computer-readable medium having instructions stored thereon that are executable by a computing device to perform operations comprising (Steven, Paragraph [0369], see “the computer 1000 includes a processing unit 1001 having one or more processors and a non-transitory computer-readable storage medium 1002 that may include, for example, volatile and/or non-volatile memory. The memory 1002 may store one or more instructions to program the processing unit 1001 to perform any of the functions described herein”):
	identifying a set of one or more open source libraries used in a software project (Steven, Paragraph [0055], see “Many software applications are complex and difficult to analyze. For instance, an application may include hundreds of modules and millions of lines of code, and may make use of external components (e.g., frameworks, libraries, middleware, etc.) that may or may not be open sourced. The inventors have recognized and appreciated that it may be beneficial to provide techniques for abstracting a software application in a manner that focuses on one or more properties of interest, and that it may also be beneficial to provide techniques for abstracting a framework or library”) (Steven, Paragraph [0066], see “The resulting model may then be evaluated, and/or be used to identify relevant portions of the program code that should be evaluated, using one or more property queries relating to the issue(s) of interest”, where “issue(s) of interest” are pertaining to the open source components used in a software project);
	for each of the set of open source libraries,
		generating a graph database query that indicates an identifier of the open source library and that indicates a version of the open source library (Steven, Claim 1, see “formulating, by one or more processing devices, a graph-based request query indicating a relationship between a plurality of properties of a software application, wherein the request query requests guidance with respect to a guidance property of the plurality of properties”, where “a graph-based request query indicating a relationship between a plurality of properties of a software application” is being read as at least including an identifier of the open source component) (Steven, Paragraph [0297], see “the knowledge graph 2800 includes two nodes, 2805 and 2810. The node 2805 may represent a software development framework (e.g., version 1.0 of a framework X), and the node 2810 may represent another software development framework (e.g., version 1.1 of the framework X)”, where the generating database query does include an indication of an identifier and a version of the software) (Steven, Paragraph [0299], see “the guidance engine 2705 may, in some embodiments, be programmed to submit questions to the knowledge base 2710, and the knowledge base 2710 may be programmed to provide answers to the guidance engine 2. For instance, the guidance engine 2705 may submit a query such as, “how to fix the vulnerability Y if version 1.0 of the framework X is used?” The knowledge base 2710 may return an answer such as, “update to version 1.1 of the framework X.””, where the graph database queries indicate a version of the open source component);
		submitting the graph database query to a graph database of open source vulnerabilities (Steven, Claim 1, see “formulating, by the one or more processing devices, a graph-based request query…submitting, by the one or more processing devices, the request query to a knowledge base; and receiving, by the one or more processing devices, a graph-based responsive query based on the guidance property and generated by manipulating the request query, from the knowledge base in response to the request query”) (Steven, Paragraph [0299], see “the guidance engine 2705 may, in some embodiments, be programmed to submit questions to the knowledge base 2710, and the knowledge base 2710 may be programmed to provide answers to the guidance engine 2. For instance, the guidance engine 2705 may submit a query such as, “how to fix the vulnerability Y if version 1.0 of the framework X is used?” The knowledge base 2710 may return an answer such as, “update to version 1.1 of the framework X.””); and
	generating a vulnerability report for the software project with results from the submitted graph database queries (Steven, FIG. 28 and Paragraph [0297], see “FIG. 28 shows an illustrative knowledge graph 2800, in accordance with some embodiments…”, where the “knowledge graph 2800” is representing a vulnerability report for the software project with results from the submitted graph database queries that indicates how to deal with a potential vulnerability) (Steven, Abstract, see “The responsive query informs a user of the guidance engine how to address a vulnerability within the software application by performing a transform with respect to a property of the software application”) (Steven, Paragraph [0086], see “Any suitable combination of one or more property checking techniques may be used, including, but not limited to, data flow analysis, control flow analysis, and/or model checking. The property checking component 340 may then output one or more results, which may include a finding indicating an identified problem (e.g., a security vulnerability), a suggested modification to the input program code to fix an identified problem, an indication that the property checking component 340 is unable to reach a conclusion with respect to a certain property, and/or any other observation of interest”).

	Regarding claim 11, Steven teaches The non-transitory, computer-readable medium of claim 10, wherein the operations further comprise generating a call graph for the software project, wherein identifying the set of one or more open source libraries comprises traversing the call graph (Steven, Paragraph [0103], see “the analysis engine may first apply one or more discovery queries to extract relevant information from the AST constructed at act 605, thereby constructing a reduced AST…Any suitable method may be used to traverse an AST…AST nodes may be visited based on control flow, and relationships between the AST nodes may be examined to check a query”) (Steven, Paragraph [0256], see “a call graph may be used to capture function call relationships, whereas a data flow graph may be used to capture data dependence information”).

	Regarding claim 12, Steven teaches The non-transitory, computer-readable medium of claim 11, wherein identifying the set of one or more open source libraries comprises determining open source attribution information based on traversing the call graph (Steven, Paragraph [0295], see “the knowledge base 2710 may include a knowledge graph having one or more nodes and/or one or more edges…Each edge may represent a relationship between a source node and a target node, where the target node may be different from, or the same as, the source node”) (Steven, Paragraph [0297], see “the knowledge graph 2800 includes two nodes, 2805 and 2810. The node 2805 may represent a software development framework (e.g., version 1.0 of a framework X), and the node 2810 may represent another software development framework (e.g., version 1.1 of the framework X). The knowledge graph 2800 may further include an edge 2815 from the node 2805 to the node 2810. The edge 2815 may represent a “Replace” relationship…the edge 2815 may indicate that if a certain pattern (e.g., a vulnerability Y) is identified, then the framework represented by the node 2805 (e.g., version 1.0 of the framework X) should be replaced by the framework represented by the node 2810 (e.g., version 1.1 of the framework X).

	Regarding claim 13, Steven teaches The non-transitory, computer-readable medium of claim 10, wherein the operations further comprise determining dependencies upon the set of one or more open source libraries (Steven, Paragraph [0165], see “a property query may program an analysis engine to detect “fail fast” comparisons…the property query 1055 may be written using a data flow operator USE, which may cause the analysis engine to search for a function declaration that has two byte arrays as arguments ($a and $b) and includes a for loop with an if statement in the body of the for loop, where the condition ($1) of the if statement depends on both of the byte array arguments ($1 USE $a AND $2 USE $b). Thus, the property query 1055 may cause the analysis engine to perform a combination of syntactic matching and data flow analysis to detect a “fail fast” comparison”, where the “fail fast” comparison indicates dependencies of code units in the software project(s)) (Steven, Paragraph [0256], see “a call graph may be sued to capture function call relationships, whereas a data flow graph may be used to capture data dependence information (e.g., how a tainted value is propagated)”, where “data flow graph” is being read as the generated dependency graph indicating dependencies of code units in the software project(s)).

	Regarding claim 14, Steven teaches The non-transitory, computer-readable medium of claim 13, wherein generating the vulnerability report comprises correlating each vulnerability indicated in the results with code units of the software project based on the dependencies (Steven, Paragraph [0086], see “Any suitable combination of one or more property checking techniques may be used, including, but not limited to, data flow analysis, control flow analysis, and/or model checking. The property checking component 340 may then output one or more results, which may include a finding indicating an identified problem (e.g., a security vulnerability), a suggested modification to the input program code to fix an identified problem, an indication that the property checking component 340 is unable to reach a conclusion with respect to a certain property, and/or any other observation of interest”, where “data flow analysis” is being read as comprising the generated dependency graph, which is used as a technique for generating the vulnerability report).

	 Regarding claim 15, Steven teaches The non-transitory, computer-readable medium of claim 14, wherein generating the vulnerability report also comprises determining an impact of each identified vulnerability and indicating the impact in the vulnerability report (Steven, Paragraph [0308], see “the impact worker 2915 may be programmed to analyze a proposed code transformation and identify potential impact and/or mitigation strategy…The impact worker 2915 may then add the identified impact and/or mitigation strategy to the information repository 2715”).

	Regarding claim 17, Steven teaches An apparatus comprising:
	a processor (Steven, Paragraph [0369], see “the computer 1000 includes a processing unit 1001…”); and
	a non-transitory, machine-readable medium having a program code stored therein, the program code executable by the processor to cause the apparatus to (Steven, Paragraph [0369], see “The memory 1002 may store one or more instructions to program the processing unit 1001 to perform any of the functions described herein”),
	scan a software project to identify each open source component used in the software project and dependencies upon each open source component (Steven, Paragraph [0055], see “Many software applications are complex and difficult to analyze. For instance, an application may include hundreds of modules and millions of lines of code, and may make use of external components (e.g., frameworks, libraries, middleware, etc.) that may or may not be open sourced. The inventors have recognized and appreciated that it may be beneficial to provide techniques for abstracting a software application in a manner that focuses on one or more properties of interest, and that it may also be beneficial to provide techniques for abstracting a framework or library”) (Steven, Paragraph [0066], see “The resulting model may then be evaluated, and/or be used to identify relevant portions of the program code that should be evaluated, using one or more property queries relating to the issue(s) of interest”, where “issue(s) of interest” are pertaining to the open source components used in a software project) (Steven, Paragraph [0119], see “these constructs may allow different types of analyses (e.g., static scanning, data flow analysis, fuzzing, dynamic scanning, etc.) to be specified using the same query language…”) (Steven, Paragraph [0165], see “a property query may program an analysis engine to detect “fail fast” comparisons…the property query 1055 may be written using a data flow operator USE, which may cause the analysis engine to search for a function declaration that has two byte arrays as arguments ($a and $b) and includes a for loop with an if statement in the body of the for loop, where the condition ($1) of the if statement depends on both of the byte array arguments ($1 USE $a AND $2 USE $b). Thus, the property query 1055 may cause the analysis engine to perform a combination of syntactic matching and data flow analysis to detect a “fail fast” comparison”, where the “fail fast” comparison indicates dependencies of code units in the software project(s)) (Steven, Paragraph [0256], see “a call graph may be sued to capture function call relationships, whereas a data flow graph may be used to capture data dependence information (e.g., how a tainted value is propagated)”, where “data flow graph” is being read as the generated dependency graph indicating dependencies of code units in the software project(s));
	for each open source component identified,
		generate a graph database query that indicates an identifier of the open source component (Steven, Claim 1, see “formulating, by one or more processing devices, a graph-based request query indicating a relationship between a plurality of properties of a software application, wherein the request query requests guidance with respect to a guidance property of the plurality of properties”, where “a graph-based request query indicating a relationship between a plurality of properties of a software application” is being read as at least including an identifier of the open source component) (Steven, Paragraph [0297], see “the knowledge graph 2800 includes two nodes, 2805 and 2810. The node 2805 may represent a software development framework (e.g., version 1.0 of a framework X), and the node 2810 may represent another software development framework (e.g., version 1.1 of the framework X)”, where the generating database query does include an indication of an identifier and a version of the software);
		submit the graph database query to begin traversal of a subgraph of a graph database of open source vulnerabilities from a vertex that indicates the identifier of the open source component (Steven, Claim 1, see “formulating, by the one or more processing devices, a graph-based request query…submitting, by the one or more processing devices, the request query to a knowledge base; and receiving, by the one or more processing devices, a graph-based responsive query based on the guidance property and generated by manipulating the request query, from the knowledge base in response to the request query”) (Steven, Paragraph [0103], see “the analysis engine may first apply one or more discovery queries to extract relevant information from the AST constructed at act 605, thereby constructing a reduced AST…Any suitable method may be used to traverse an AST…AST nodes may be visited based on control flow, and relationships between the AST nodes may be examined to check a query”) (Steven, Paragraph [0256], see “a call graph may be used to capture function call relationships, whereas a data flow graph may be used to capture data dependence information”). (Steven, Paragraph [0299], see “the guidance engine 2705 may, in some embodiments, be programmed to submit questions to the knowledge base 2710, and the knowledge base 2710 may be programmed to provide answers to the guidance engine 2. For instance, the guidance engine 2705 may submit a query such as, “how to fix the vulnerability Y if version 1.0 of the framework X is used?” The knowledge base 2710 may return an answer such as, “update to version 1.1 of the framework X.””); and
	generate vulnerability information with results from the submitted graph database queries (Steven, FIG. 28 and Paragraph [0297], see “FIG. 28 shows an illustrative knowledge graph 2800, in accordance with some embodiments…”, where the “knowledge graph 2800” is representing a vulnerability report for the software project with results from the submitted graph database queries that indicates how to deal with a potential vulnerability) (Steven, Abstract, see “The responsive query informs a user of the guidance engine how to address a vulnerability within the software application by performing a transform with respect to a property of the software application”) (Steven, Paragraph [0086], see “Any suitable combination of one or more property checking techniques may be used, including, but not limited to, data flow analysis, control flow analysis, and/or model checking. The property checking component 340 may then output one or more results, which may include a finding indicating an identified problem (e.g., a security vulnerability), a suggested modification to the input program code to fix an identified problem, an indication that the property checking component 340 is unable to reach a conclusion with respect to a certain property, and/or any other observation of interest”).

	Regarding claim 18, Steven teaches The apparatus of claim 17, wherein the program code to generate the graph database query comprises program code to generate the graph database query to also indicate a version of the open source component (Steven, Paragraph [0297], see “the knowledge graph 2800 includes two nodes, 2805 and 2810. The node 2805 may represent a software development framework (e.g., version 1.0 of a framework X), and the node 2810 may represent another software development framework (e.g., version 1.1 of the framework X)”, where the generating database query does include an indication of an identifier and a version of the software) (Steven, Paragraph [0299], see “the guidance engine 2705 may, in some embodiments, be programmed to submit questions to the knowledge base 2710, and the knowledge base 2710 may be programmed to provide answers to the guidance engine 2. For instance, the guidance engine 2705 may submit a query such as, “how to fix the vulnerability Y if version 1.0 of the framework X is used?” The knowledge base 2710 may return an answer such as, “update to version 1.1 of the framework X.””, where the graph database queries indicate a version of the open source component).

	Regarding claim 19, Steven teaches The apparatus of claim 17, wherein the program code to generate the vulnerability information comprises program code to indicate correspondence between code units of the software project and vulnerability descriptions from the results based on the dependencies (Steven, Paragraph [0086], see “Any suitable combination of one or more property checking techniques may be used, including, but not limited to, data flow analysis, control flow analysis, and/or model checking. The property checking component 340 may then output one or more results, which may include a finding indicating an identified problem (e.g., a security vulnerability), a suggested modification to the input program code to fix an identified problem, an indication that the property checking component 340 is unable to reach a conclusion with respect to a certain property, and/or any other observation of interest”, where “data flow analysis” is being read as comprising the generated dependency graph, which is used as a technique for generating the vulnerability report). 

	Regarding claim 20, Steven teaches The apparatus of claim 17, wherein the program code to generate the graph database query comprises program code to generate the graph database query in accordance with a graph database schema that includes vertices at least representing different types of software components, a vulnerability, and a vulnerability source and that includes edges representing different types of relationship among vertices (Steven, FIG. 28, see “2805” which is being read as a first vertex to represent a vulnerability source, see “2815” which indicates a second vertex to represent a vulnerability, see “2805” which is being read as a third vertex to indicate a software component version or version range, see “2805” and “2810” which show a plurality of vertices that represent different types of software components and see “2815” which shows edges among the vertices to indicate types of relationships among the vertices) (Steven, Paragraph [0297], see “FIG. 28 shows an illustrative knowledge graph 2800, in accordance with some embodiments…the knowledge graph 2800 includes two nodes, 2805 and 2810. The node 2805 may represent a software development framework (e.g., version 1.0 of a framework X), and the node 2810 may represent another software development framework (e.g., version 1.1 of the framework X). The knowledge graph 2800 may further include an edge 2815 from the node 2805 to the node 2810. The edge 2815 may represent a “Replace” relationship…the edge 2815 may indicate that if a certain pattern (e.g., a vulnerability Y) is identified, then the framework represented by the node 2805 (e.g., version 1.0 of the framework X) should be replaced by the framework represented by the node 2810 (e.g., version 1.1 of the framework X).


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 6 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Steven, in view of Nickolov et al. (U.S. PGPub. 2017/0034023), hereinafter Nickolov. 

	Regarding claim 6, Steven teaches The method of claim 5, wherein generating the vulnerability report also comprises determining an impact of each identified vulnerability and indicating the impact in the vulnerability report, (Steven, Paragraph [0308], see “the impact worker 2915 may be programmed to analyze a proposed code transformation and identify potential impact and/or mitigation strategy…The impact worker 2915 may then add the identified impact and/or mitigation strategy to the information repository 2715”).
	Steven does not teach the following limitation(s) as taught by Nickolov: The method of claim 5, wherein generating the vulnerability report also comprises determining an impact of each identified vulnerability and indicating the impact in the vulnerability report, wherein determining the impact of each identified vulnerability comprises determining frequency of use of the open source component corresponding to the identified vulnerability and number of different code units of the software project that use the open source component corresponding to the identified vulnerability.
	(Nickolov, Paragraphs [0415 – 0422], see “In at least one embodiment the DGRI Score is calculated for a configuration based on: The current number of servers using this configuration. The total number of servers which have used this configuration historically…The number and CVSS severity score of vulnerabilities affecting this configuration…Use of vulnerability or reliability data from alternate sources such as websites which include user reports of vulnerability, compatibility or reliability issues in software packages or combinations of software packages, github issue tracking, etc.”, where “The current number of servers using this configuration” and “The total number of servers which have used this configuration historically” is analogous to determining the frequency of use of the open source component corresponding to the identified vulnerability and the number of different code units of the software project that use the open source component corresponding to the identified vulnerability, and where “Use of vulnerability or reliability data from alternate sources such as websites which include user reports of vulnerability issues in software packages” is also analogous to a number of different code units of the software project that use the open source component corresponding to the identified vulnerability).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for model-based analysis of software, disclosed of Steven, by implementing techniques for evaluating server system reliability, vulnerability and component compatibility, comprising of the vulnerability report including a frequency of use of the open source component corresponding to the identified vulnerability, as well as, a  number of different code units of the software project that use the open source component corresponding to the identified vulnerability, disclosed of Nickolov. 
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for open-source software vulnerability analysis, comprising of the vulnerability report including a frequency of use of the open source component corresponding to the identified vulnerability, as well as, a number of different code units of the software project that use the open source component corresponding to the identified vulnerability. Utilizing this information allows for better security management, as well as overall efficiency in overcoming the indicated vulnerabilities associated with the open source component. It also allows for a more user-friendly indication of whether or not the reported vulnerability is a small, medium or huge threat to the user based on the frequency of use and number of different code units that use the open source component (Nickolov, Paragraphs [0415 – 0422]). 

	Regarding claim 16, Steven does not teach the following limitation(s) as taught by Nickolov: The non-transitory, computer-readable medium of claim 15, wherein determining the impact of each identified vulnerability comprises determining at least one of frequency of use of the open source library corresponding to the identified vulnerability and number of different code units of the software project that use the open source library corresponding to the identified vulnerability. 
	(Nickolov, Paragraphs [0415 – 0422], see “In at least one embodiment the DGRI Score is calculated for a configuration based on: The current number of servers using this configuration. The total number of servers which have used this configuration historically…The number and CVSS severity score of vulnerabilities affecting this configuration…Use of vulnerability or reliability data from alternate sources such as websites which include user reports of vulnerability, compatibility or reliability issues in software packages or combinations of software packages, github issue tracking, etc.”, where “The current number of servers using this configuration” and “The total number of servers which have used this configuration historically” is analogous to determining the frequency of use of the open source component corresponding to the identified vulnerability and the number of different code units of the software project that use the open source component corresponding to the identified vulnerability, and where “Use of vulnerability or reliability data from alternate sources such as websites which include user reports of vulnerability issues in software packages” is also analogous to a number of different code units of the software project that use the open source component corresponding to the identified vulnerability).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for model-based analysis of software, disclosed of Steven, by implementing techniques for evaluating server system reliability, vulnerability and component compatibility, comprising of the vulnerability report including a frequency of use of the open source component corresponding to the identified vulnerability, as well as, a  number of different code units of the software project that use the open source component corresponding to the identified vulnerability, disclosed of Nickolov. 
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for open-source software vulnerability analysis, comprising of the vulnerability report including a frequency of use of the open source component corresponding to the identified vulnerability, as well as, a number of different code units of the software project that use the open source component corresponding to the identified vulnerability. Utilizing this information allows for better security management, as well as overall efficiency in overcoming the indicated vulnerabilities associated with the open source component. It also allows for a more user-friendly indication of whether or not the reported vulnerability is a small, medium or huge threat to the user based on the frequency of use and number of different code units that use the open source component (Nickolov, Paragraphs [0415 – 0422]). 

	
Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Steven, in view of Paraschivescu (U.S. PGPub. 2015/0379061), hereinafter Paraschivescu. 

	Regarding claim 7, Steven does not teach the following limitation(s) as taught by Paraschivescu: The method of claim 1 further comprising distinguishing between code units with direct dependencies upon an open source component corresponding to a vulnerability indicated in the results and code units with indirect dependencies upon an open source component corresponding to a vulnerability indicated in the results.
	(Paraschivescu, Paragraph [0031], see “For data to be functional it often needs corresponding code, which in turn may specify a platform (operating system, libraries, or other software). These dependencies should also be tracked”) (Paraschivescu, Paragraph [0077], see “Resources can be either direct, as in the above case, or indirect i.e. resources of resources. For example, a resource of a bulb could be its manufacturer, which would become an indirect resource of the inventory. QEI tracks of direct resources using the concept of dependency (Section 3.3), and infers indirect ones”, where “QEI” distinguishes between code units with direct dependencies and code units with indirect dependencies). 
 Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for model-based analysis of software, disclosed of Steven, by implementing techniques for managing changes to information, comprising distinguishing between code units with direct dependencies and code units with indirect dependencies corresponding to a vulnerability indicated in the results, disclosed of Paraschivescu.  
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for open-source software vulnerability analysis, comprising distinguishing between code units with direct dependencies and code units with indirect dependencies corresponding to a vulnerability indicated in the results. This allows for better security management in the system, as well as overall effectiveness in overcoming the indicating vulnerability. This distinguishment helps pin the source of the vulnerability in terms of whether the vulnerability of the open source component lies within the library, API, or software component that is references directly by the program itself or whether the vulnerability lies within an indirect dependency (Paraschivescu, Paragraph [0031]). 



Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODMAN ALEXANDER MAHMOUDI whose telephone number is (571)272-8747.  The examiner can normally be reached on M-F 11:00am – 7:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on (571) 272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/RODMAN ALEXANDER MAHMOUDI/Examiner, Art Unit 2433                             

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433