DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-4, 16 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Hong (US PGPUB 2011/0264961; hereinafter “Hong”) in view of Guarnieri et al. (US PGPUB 2014/0258992; hereinafter “Guarnieri”), in view of Pistoia et al. (US PGPUB 2009/0300266; hereinafter “Pistoia”) and in view of Wang et al. (US PGPUB 2016/0373462; hereinafter “Wang”).
Claim 1: (Currently Amended)
Hong discloses a method of statically verifying source code, the method comprising: 
identifying an invocation statement in the source code for using a service that is provided by an entity outside of the source code ([0025] “The example communication interface 208 is to receive information. (e.g., identifying a particular … API call) from the user interface 104 and to transfer the information to the access module 212.” [0042] “At 

With further regard to claim 1, Hong does not teach the following, however, Guarnieri teaches:
identifying data flow of string variables in the source code that lead to the identified invocation statement ([0022] “FIGS. 3A and 3B, a logic flow diagram is shown for performing static analysis including scalable and precise string analysis using index-sensitive static string abstractions.” [0024] “the static analysis in block 310 may include generating one or more representations (such as models) of the program P, in order to represent how the program may operate during execution (the program P is not, however, actually executed during static analysis). One typical representation is a flow graph, which is a representation, using graph notation, of all paths that might be traversed through a program during its execution.” [0025] “In block 320, the computing system identifies seeds for string variables by applying S2 to P. In an exemplary security analysis, the seeds are strings defined for (e.g., particular, identified) string variables by the seeding specification S2 as an input 315.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method as disclosed by Hong with the data flow identification as taught by Guarnieri in order “To provide a scalable form of string analysis” (Guarnieri [0015]).


assembling one or more usage strings that can be formed at the invocation statement based on the identified data flow of string variables ([0036] “While analyzing the source code of an SQL database application, static analysis engine 100 discovers an SQL API executing the following query: ‘SELECT’ + col_name + ’FROM’ + table_name + ’;’ which engine 100 passes to LCAV 104 for resolution and logging.”);
assigning a placeholder string to represent a string variable in the identified data flow that is not assigned a literal value by the source code before run time ([0036] “Although LCAV 104 is able to identify the access as a read access, since LCAV 104 cannot determine the scope of the access without further information on col_name and table_name, it invokes string analyzer 106 to refine the access by resolving these two variables. String analyzer 106 resolves col_name into [Name|ID|Surname] and table_name into [Persons|Employees] (i.e., Name, ID and Surname are the values col_name may assume, and Persons and Employees are the potential values table_name may assume),” wherein Pistoia shows a plurality of “usage strings” in the table below Paragraph [0036], i.e. “SELECT Name FROM Persons”.)
and cannot be resolved statically ([0032] “If the access information passed to LCAV 104 cannot be sufficiently resolved to determine the type and scope of the access, such as where LCAV 104 receives an SQL query that does not indicate the name of the database being accessed, but rather includes a variable that contains the name of the database being accessed, LCAV 104 preferably invokes a string analyzer 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method as disclosed by Hong in view of Guarnieri with the assembling of usage strings and assigning a placeholder string as taught by Pistoia since “Being able to accurately identify such read/write chains would represent a significant improvement to the field of static analysis” (Pistoia [0007]).

With further regard to claim 1, Hong in view of Guarnieri and Pistoia does not teach the following, however, Wang teaches:
constructing an endpoint specification string based on a specification that describes permissible strings ([0030] “Two basic manners to specify URLs for segments are: SegmentList and SegmentTemplate … the latter provides a template-based URL construction mechanism which allows specification of a template containing specific identifiers that are substituted by dynamic values assigned to segments, to represent a list of segments.”); and 
checking each assembled usage string based on the constructed endpoint specification string by way of a comparison of each assembled usage string with the constructed endpoint specification string ([0010] “validating that a requested resource is in an allowed set by matching the URL received against a URL template in the signing information,” wherein the “URL received” is the “assembled string” as taught above in Pistoia. [0066] “the segment URL templates may be used as a checking algorithm.” 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method as disclosed by Hong in view of Guarnieri and Pistoia with the constructing and checking operations related to endpoints as taught by Wang in order “to verify that a URL is constructed by a segment URL template” (Wang [0066]).

Claim 3: 
Hong in view of Guarnieri, Pistoia and Wang discloses the method of claim 1, and Pistoia further teaches wherein checking each assembled usage string comprises, for each assembled usage string treating each placeholder string as a wildcard when comparing the assembled usage string with permissible strings described by the specification ([0036] “Although LCAV 104 is able to identify the access as a read access, since LCAV 104 cannot determine the scope of the access without further information on col_name and table_name, it invokes string analyzer 106 to refine the access by resolving these two variables. String analyzer 106 resolves col_name into [Name|ID|Surname] and table_name into [Persons|Employees] (i.e., Name, ID and Surname are the values col_name may assume, and Persons and Employees are the potential values table_name may assume),” wherein “[Name|ID|Surname]” and “[Persons|Employees]” are the “wildcards”.).
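The comparison recited in claims 1 and 3 above (assembling usage strings from a data flow, substituting a placeholder for a variable that has no literal value before run time, and comparing each usage string with an endpoint specification string while treating the placeholder as a wildcard) can be sketched as follows. This is an added example, not code from the application or from any cited reference; the expression tuples, the `<?>` rendering, the `{name}` path-parameter syntax and the host `api.example.test` are assumptions made for illustration.

```python
from itertools import product

WILD = object()   # placeholder: variable with no literal value before run time
PARAM = object()  # spec path parameter such as {id}: one non-empty path segment


def assemble(expr, bindings):
    """Return every usage string (as a token list) an expression can form.

    expr is a list of parts, ("lit", text) or ("var", name). bindings maps a
    variable to the expressions assigned to it along the data flow; a variable
    without a binding cannot be resolved statically and becomes WILD.
    Assumes the bindings contain no cycles.
    """
    choices = []
    for kind, value in expr:
        if kind == "lit":
            choices.append([list(value)])
        elif value in bindings:
            choices.append([s for e in bindings[value] for s in assemble(e, bindings)])
        else:
            choices.append([[WILD]])
    return [[t for piece in combo for t in piece] for combo in product(*choices)]


def spec_tokens(base, path):
    """Build the endpoint specification string: base URL plus path template."""
    tokens, i = list(base), 0
    while i < len(path):
        if path[i] == "{":
            i = path.index("}", i) + 1
            tokens.append(PARAM)
        else:
            tokens.append(path[i])
            i += 1
    return tokens


def compatible(usage, spec):
    """True if some concrete string satisfies both the usage and the spec.

    WILD matches any string (possibly empty); PARAM matches one or more
    characters other than '/'. Explores the product of the two matchers.
    """
    start = (0, 0, False)            # (usage index, spec index, PARAM begun)
    seen, stack = {start}, [start]
    while stack:
        i, j, begun = stack.pop()
        if i == len(usage) and j == len(spec):
            return True
        nxt = []
        if i < len(usage) and usage[i] is WILD:
            nxt.append((i + 1, j, begun))        # wildcard ends here
        if j < len(spec) and spec[j] is PARAM and begun:
            nxt.append((i, j + 1, False))        # parameter ends here
        if i < len(usage) and j < len(spec):
            u, s = usage[i], spec[j]
            if u is WILD:
                ok = True                        # wildcard supplies any character
            elif s is PARAM:
                ok = u != "/"                    # a parameter stays in one segment
            else:
                ok = u == s
            if ok:
                ni = i if u is WILD else i + 1
                nj, nb = (j, True) if s is PARAM else (j + 1, False)
                nxt.append((ni, nj, nb))
        for state in nxt:
            if state not in seen:
                seen.add(state)
                stack.append(state)
    return False


def render(tokens):
    return "".join("<?>" if t is WILD else t for t in tokens)


def verify(expr, bindings, base, paths):
    """Pair each usage string with the first endpoint it can match, or None."""
    specs = [(p, spec_tokens(base, p)) for p in paths]
    report = []
    for usage in assemble(expr, bindings):
        hit = next((p for p, s in specs if compatible(usage, s)), None)
        report.append((render(usage), hit))
    return report


# Constructed sample: the URL argument of one invocation statement. `user` has
# no binding (a run-time value); `resource` has two possible literal values.
BINDINGS = {
    "base": [[("lit", "https://api.example.test")]],
    "resource": [[("lit", "repos")], [("lit", "gists")]],
}
CALL = [("var", "base"), ("lit", "/users/"), ("var", "user"),
        ("lit", "/"), ("var", "resource")]
SPEC_BASE = "https://api.example.test"
SPEC_PATHS = ["/users/{id}/repos", "/users/{id}", "/orgs/{org}/members"]

if __name__ == "__main__":
    for usage, endpoint in verify(CALL, BINDINGS, SPEC_BASE, SPEC_PATHS):
        print(usage, "->", endpoint or "no matching endpoint")
```

Because a placeholder matches any string, a call whose entire path is unresolved is compatible with every endpoint, so a pass shows only that a valid request is possible, not that every run-time value is valid.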

Claim 4:
Hong in view of Guarnieri, Pistoia and Wang discloses the method of claim 1, and Hong further teaches the invocation statement is for using a web Application Programming Interface (web API) to invoke a web-based service ([0042] “At block 502, the example method 500 may include receiving an API call to access one or more web services.”). 

Claim 16: (Currently Amended)
Hong discloses a computing device comprising: 
a set of one or more processing units (Fig. 9: Processor 902); 
a storage device storing a set of instructions, wherein an execution of the set of instructions by the set of processing units configures the computing device to perform acts (Fig. 9: Disk Drive Unit 916 storing Instructions 924. [0084] “The disk drive unit 916 includes a machine-readable medium 922 on which is stored one or more sets of instructions 924 (e.g., software) embodying any one or more of the methodologies or functions described herein.”) comprising: 
identifying an invocation statement in source code for using a service that is provided by an entity outside of the source code ([0025] “The example communication interface 208 is to receive information. (e.g., identifying a particular … API call) from the user interface 104 and to transfer the information to the access module 212.” [0042] “At block 502, the example method 500 may include receiving an API call to access one or more web services.”).

With further regard to claim 16, Hong does not teach the following, however, Guarnieri teaches:
identifying a data flow of string variables in the source code that leads to the identified invocation statement ([0022] “FIGS. 3A and 3B, a logic flow diagram is shown for performing static analysis including scalable and precise string analysis using index-sensitive static string abstractions.” [0024] “the static analysis in block 310 may include generating one or more representations (such as models) of the program P, in order to represent how the program may operate during execution (the program P is not, however, actually executed during static analysis). One typical representation is a flow graph, which is a representation, using graph notation, of all paths that might be traversed through a program during its execution.” [0025] “In block 320, the computing system identifies seeds for string variables by applying S2 to P. In an exemplary security analysis, the seeds are strings defined for (e.g., particular, identified) string variables by the seeding specification S2 as an input 315.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the computing device as disclosed by Hong with the data flow identification as taught by Guarnieri in order “To provide a scalable form of string analysis” (Guarnieri [0015]).

With further regard to claim 16, Hong in view of Guarnieri does not teach the following, however, Pistoia teaches:

wherein at least one assembled usage string comprises a placeholder string to represent a string variable in the identified data flow that is not assigned a literal value by the source code before run-time ([0036] “Although LCAV 104 is able to identify the access as a read access, since LCAV 104 cannot determine the scope of the access without further information on col_name and table_name, it invokes string analyzer 106 to refine the access by resolving these two variables. String analyzer 106 resolves col_name into [Name|ID|Surname] and table_name into [Persons|Employees] (i.e., Name, ID and Surname are the values col_name may assume, and Persons and Employees are the potential values table_name may assume),” wherein Pistoia shows a plurality of “usage strings” in the table below Paragraph [0036], i.e. “SELECT Name FROM Persons”.)
and cannot be resolved statically ([0032] “If the access information passed to LCAV 104 cannot be sufficiently resolved to determine the type and scope of the access, such as where LCAV 104 receives an SQL query that does not indicate the name of the database being accessed, but rather includes a variable that contains the name of the database being accessed, LCAV 104 preferably invokes a string analyzer 106 to refine the access information by partially or wholly resolving some or all of the access variables.”).


With further regard to claim 16, Hong in view of Guarnieri and Pistoia does not teach the following, however, Wang teaches:
constructing an endpoint specification string based on a specification that describes permissible strings ([0030] “Two basic manners to specify URLs for segments are: SegmentList and SegmentTemplate … the latter provides a template-based URL construction mechanism which allows specification of a template containing specific identifiers that are substituted by dynamic values assigned to segments, to represent a list of segments.”); and 
checking each assembled usage string based on the constructed endpoint specification string by way of a comparison of each assembled usage string with the constructed endpoint specification string ([0010] “validating that a requested resource is in an allowed set by matching the URL received against a URL template in the signing information,” wherein the “URL received” is the “assembled string” as taught above in Pistoia. [0066] “the segment URL templates may be used as a checking algorithm.” [0073] “With regard to template URL verifying, similar to URL verifying employed by URL signing, template URL verifying is a process that checks template URL signing 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the computing device as disclosed by Hong in view of Guarnieri and Pistoia with the constructing and checking operations related to endpoints as taught by Wang in order “to verify that a URL is constructed by a segment URL template” (Wang [0066]).

Claim 18: 
Hong in view of Guarnieri, Pistoia and Wang discloses the computing device of claim 16, and Pistoia further teaches wherein checking each assembled usage string with permissible strings described by the specification is based on treating each placeholder string as a wildcard operative to match any string ([0036] “Although LCAV 104 is able to identify the access as a read access, since LCAV 104 cannot determine the scope of the access without further information on col_name and table_name, it invokes string analyzer 106 to refine the access by resolving these two variables. String analyzer 106 resolves col_name into [Name|ID|Surname] and table_name into [Persons|Employees] (i.e., Name, ID and Surname are the values col_name may assume, and Persons and Employees are the potential values table_name may assume),” wherein “[Name|ID|Surname]” and “[Persons|Employees]” are the “wildcards”.).

Claims 5-7 are rejected under 35 U.S.C. 103 as being unpatentable over Hong in view of Guarnieri, Pistoia and Wang as applied to Claim 1 above, and further in view of Arguelles et al. (US Patent 8,904,353; hereinafter “Arguelles”).
Claim 5: 
With regard to claim 5, Hong in view of Guarnieri, Pistoia and Wang teaches all the limitations of claim 1 as described above. Hong in view of Guarnieri, Pistoia and Wang does not teach the following, however, Arguelles teaches:
wherein checking each assembled usage string comprises, for each assembled usage string determining whether the assembled usage string matches a uniform resource locator (URL) endpoint specified by the specification (Col. 10 Ln. 46: “the test operations may have the actual low-level knowledge of how to perform a specific task. For example, in a RESTful implementation of a target product, a StartCreateMarketplace( ) operation might need to perform a POST to a specific endpoint with a specific path, with an authentication string in the headers,” wherein the ‘specific endpoint’ is a URL endpoint as disclosed further in Col. 13 Ln. 17: “the HttpTestOperationRequest 720 may include various input parameter values, such as an endpoint to which the HTTP request should be made, a verb for the request (e.g., put or get), a plain URL, one or more query parameters, various headers (e.g., an HTTP request header), and/or a request body (e.g., an HTTP request body).”). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method as disclosed by Hong in view of Guarnieri, Pistoia and Wang with the URL endpoint checking as 

Claim 6: 
Hong in view of Guarnieri, Pistoia, Wang and Arguelles discloses the method of claim 5, and Arguelles further teaches wherein checking each assembled usage string comprises, for each assembled usage string: determining whether the assembled usage string comprises request data for the URL endpoint; and determining whether the request data complies with the specification (Col. 10 Ln. 46: “the test operations may have the actual low-level knowledge of how to perform a specific task. For example, in a RESTful implementation of a target product, a StartCreateMarketplace( ) operation might need to perform a POST to a specific endpoint with a specific path, with an authentication string in the headers,” wherein the ‘authentication string’ is the ‘request data’.”).

Claim 7: 
Hong in view of Guarnieri, Pistoia, Wang and Arguelles discloses the method of claim 5, and Arguelles teaches further comprising reporting an error regarding the invocation statement when none of the one or more assembled usage strings matches a URL endpoint specified by the specification (Col. 9 Ln. 35: “the test steps and/or test operations thereof are responsible for determining if the test operations and/or test steps have passed, and to throw an exception or error indication if they have not.” The . 

Claims 8-10, 13-15, 19-20 and 23-24 are rejected under 35 U.S.C. 103 as being unpatentable over Hong in view of Arguelles, Guarnieri, Pistoia and Wang.
Claim 8: (Currently Amended)
Hong discloses a method comprising: 
receiving source code comprising one or more invocations of web application programming interface (web API) operative to request one or more web-based services ([0025] “The example communication interface 208 is to receive information. (e.g., identifying a particular … API call) from the user interface 104 and to transfer the information to the access module 212.” [0042] “At block 502, the example method 500 may include receiving an API call to access one or more web services.”); 
receiving a set of web API specifications and extracting a set of request information for each web API invocation in the source code ([0027] “The validation module 210 is to determine whether a set of instructions are valid based on the data referenced within the data repository 110. In an example embodiment, the validation module 210 determines whether a received API call is valid based on whether the access module 212 recognizes the syntax of the API call and that the particular data fields and/or data values (e.g., data types, operands or arguments or other input) to the API call are valid.” [0030] “An API call table 302 may contain a record for each API call defined by the schema, and may include valid input fields for each API call,” the ‘API Call Table’ 302 is the ‘set of web API specifications’.); and 


With further regard to claim 8, Hong does not teach the following, however, Arguelles teaches:
the set of request information comprising a usage string of a uniform resource locator (URL) endpoint (Col. 10 Ln. 46: “the test operations may have the actual low-level knowledge of how to perform a specific task. For example, in a RESTful implementation of a target product, a StartCreateMarketplace( ) operation might need to perform a POST to a specific endpoint with a specific path, with an authentication string in the headers,” wherein the ‘specific endpoint’ is a URL endpoint as disclosed further in Col. 13 Ln. 17: “the HttpTestOperationRequest 720 may include various input parameter values, such as an endpoint to which the HTTP request should be made, a verb for the request (e.g., put or get), a plain URL, one or more query parameters, various headers (e.g., an HTTP request header), and/or a request body (e.g., an HTTP request body).”). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method as disclosed by Hong with the URL endpoint checking as taught by Arguelles as this “may in some embodiments result in greatly reduced startup and maintenance costs” (Arguelles Col. 2 Ln. 61).

With further regard to claim 8, Hong in view of Arguelles does not teach the following, however, Guarnieri teaches:
following a data flow of string variables leading to the web API invocation ([0022] “FIGS. 3A and 3B, a logic flow diagram is shown for performing static analysis including scalable and precise string analysis using index-sensitive static string abstractions.” [0024] “the static analysis in block 310 may include generating one or more representations (such as models) of the program P, in order to represent how the program may operate during execution (the program P is not, however, actually executed during static analysis). One typical representation is a flow graph, which is a representation, using graph notation, of all paths that might be traversed through a program during its execution.” [0025] “In block 320, the computing system identifies seeds for string variables by applying S2 to P. In an exemplary security analysis, the seeds are strings defined for (e.g., particular, identified) string variables by the seeding specification S2 as an input 315.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method as disclosed by Hong in view of Arguelles with the data flow identification as taught by Guarnieri in order “To provide a scalable form of string analysis” (Guarnieri [0015]).

With further regard to claim 8, Hong in view of Arguelles and Guarnieri does not teach the following, however, Pistoia teaches:

wherein the assembled usage string comprises at least one placeholder string that is used to represent a string variable in the data flow of string variables ([0036] “Although LCAV 104 is able to identify the access as a read access, since LCAV 104 cannot determine the scope of the access without further information on col_name and table_name, it invokes string analyzer 106 to refine the access by resolving these two variables. String analyzer 106 resolves col_name into [Name|ID|Surname] and table_name into [Persons|Employees] (i.e., Name, ID and Surname are the values col_name may assume, and Persons and Employees are the potential values table_name may assume),” wherein Pistoia shows a plurality of “usage strings” in the table below Paragraph [0036], i.e. “SELECT Name FROM Persons”.)
that cannot be resolved statically ([0032] “If the access information passed to LCAV 104 cannot be sufficiently resolved to determine the type and scope of the access, such as where LCAV 104 receives an SQL query that does not indicate the name of the database being accessed, but rather includes a variable that contains the name of the database being accessed, LCAV 104 preferably invokes a string analyzer 106 to refine the access information by partially or wholly resolving some or all of the access variables.”).


With further regard to claim 8, Hong in view of Arguelles, Guarnieri and Pistoia does not teach the following, however, Wang teaches:
constructing a specification string of the URL endpoint ([0030] “Two basic manners to specify URLs for segments are: SegmentList and SegmentTemplate … the latter provides a template-based URL construction mechanism which allows specification of a template containing specific identifiers that are substituted by dynamic values assigned to segments, to represent a list of segments.”); and 
verifying whether the set of request information complies with the received web API specifications based on the constructed specification string by way of a comparison of the usage string with the constructed specification string ([0010] “validating that a requested resource is in an allowed set by matching the URL received against a URL template in the signing information,” wherein the “URL received” is the “assembled string” as taught above in Pistoia. [0066] “the segment URL templates may be used as a checking algorithm.” [0073] “With regard to template URL verifying, similar to URL verifying employed by URL signing, template URL verifying is a process that checks template URL signing information against an actual URL request … the example 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method as disclosed by Hong in view of Arguelles, Guarnieri and Pistoia with the constructing and checking operations related to endpoints as taught by Wang in order “to verify that a URL is constructed by a segment URL template” (Wang [0066]).

Claim 9:
Hong in view of Arguelles, Guarnieri, Pistoia and Wang discloses the method of claim 8, and Arguelles further teaches wherein the set of request information further comprises a hypertext transfer protocol (HTTP) method (Col. 13 Ln. 17: “the HttpTestOperationRequest 720 may include various input parameter values, such as an endpoint to which the HTTP request should be made, a verb for the request (e.g., put or get), a plain URL, one or more query parameters, various headers (e.g., an HTTP request header), and/or a request body (e.g., an HTTP request body).”).

Claim 10:
Hong in view of Arguelles, Guarnieri, Pistoia and Wang discloses the method of claim 8, and Hong further teaches wherein the usage string further comprises request data, and wherein the verifying the set of request information comprises checking the request data for compliance with a requirement set forth in the received web API specifications ([0027] “The validation module 210 is to determine whether a set of 

Claim 13: 
Hong in view of Arguelles, Guarnieri, Pistoia and Wang discloses the method of claim 8, and Pistoia further teaches wherein verifying whether the set of request information complies with the received web API specifications comprises treating the placeholder string as a wildcard for matching any string ([0036] “Although LCAV 104 is able to identify the access as a read access, since LCAV 104 cannot determine the scope of the access without further information on col_name and table_name, it invokes string analyzer 106 to refine the access by resolving these two variables. String analyzer 106 resolves col_name into [Name|ID|Surname] and table_name into [Persons|Employees] (i.e., Name, ID and Surname are the values col_name may assume, and Persons and Employees are the potential values table_name may assume),” wherein “[Name|ID|Surname]” and “[Persons|Employees]” are the “wildcards”.).


Claim 14:
Hong in view of Arguelles, Guarnieri, Pistoia and Wang discloses the method of claim 8, and Guarnieri further teaches wherein extracting the set of request information of the web API invocation comprises assembling a plurality of usage strings by following the data flow of string variables leading to the web API invocation ([0022] “FIGS. 3A and 3B, a logic flow diagram is shown for performing static analysis including scalable and precise string analysis using index-sensitive static string abstractions.” [0024] “the static analysis in block 310 may include generating one or more representations (such as models) of the program P, in order to represent how the program may operate during execution (the program P is not, however, actually executed during static analysis). One typical representation is a flow graph, which is a representation, using graph notation, of all paths that might be traversed through a program during its execution.” [0025] “In block 320, the computing system identifies seeds for string variables by applying S2 to P. In an exemplary security analysis, the seeds are strings defined for (e.g., particular, identified) string variables by the seeding specification S2 as an input 315.”).

Claim 15: 
Hong in view of Arguelles, Guarnieri, Pistoia and Wang discloses the method of claim 14, and Hong further teaches wherein verifying whether the set of request information complies with the received web API specifications comprises determining whether at least one of the plurality of assembled usage strings complies with the received web API specifications ([0027] “The validation module 210 is to determine whether a set of instructions are valid based on the data referenced within the data 

Claim 19: (Currently Amended)
Hong discloses a computing device comprising: 
a set of one or more processing units (Fig. 9: Processor 902);
a storage device storing a set of instructions, wherein an execution of the set of instructions by the set of processing units configures the computing device to perform acts (Fig. 9: Disk Drive Unit 916 storing Instructions 924. [0084] “The disk drive unit 916 includes a machine-readable medium 922 on which is stored one or more sets of instructions 924 (e.g., software) embodying any one or more of the methodologies or functions described herein.”) comprising: 
receiving source code comprising one or more invocation of web application programming interface (web API) for requesting web-based services ([0025] “The example communication interface 208 is to receive information. (e.g., identifying a particular … API call) from the user interface 104 and to transfer the information to the 
receiving a set of web API specifications and extracting a set of request information for each web API invocation in the source code ([0027] “The validation module 210 is to determine whether a set of instructions are valid based on the data referenced within the data repository 110. In an example embodiment, the validation module 210 determines whether a received API call is valid based on whether the access module 212 recognizes the syntax of the API call and that the particular data fields and/or data values (e.g., data types, operands or arguments or other input) to the API call are valid.” [0030] “An API call table 302 may contain a record for each API call defined by the schema, and may include valid input fields for each API call,” the ‘API Call Table’ 302 is the ‘set of web API specifications’.); and 
reporting a result of the verification ([0027] “Depending on the validation module's determination of validity of the API call, the response module 214 may return an acknowledgement message that indicates the success, failure or partial failure of the API call,” wherein the “verification” step is taught below in view of Wang.).

With further regard to claim 19, Hong does not teach the following, however, Arguelles teaches:
the set of request information comprising a usage string of a uniform resource locator (URL) endpoint (Col. 10 Ln. 46: “the test operations may have the actual low-level knowledge of how to perform a specific task. For example, in a RESTful implementation of a target product, a StartCreateMarketplace( ) operation might need to 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the computing device as disclosed by Hong with the URL endpoint checking as taught by Arguelles as this “may in some embodiments result in greatly reduced startup and maintenance costs” (Arguelles Col. 2 Ln. 61).

With further regard to claim 19, Hong in view of Arguelles does not teach the following, however, Guarnieri teaches:
following a data flow of string variables leading to the web API invocation ([0022] “FIGS. 3A and 3B, a logic flow diagram is shown for performing static analysis including scalable and precise string analysis using index-sensitive static string abstractions.” [0024] “the static analysis in block 310 may include generating one or more representations (such as models) of the program P, in order to represent how the program may operate during execution (the program P is not, however, actually executed during static analysis). One typical representation is a flow graph, which is a representation, using graph notation, of all paths that might be traversed through a 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the computing device as disclosed by Hong in view of Arguelles with the data flow identification as taught by Guarnieri in order “To provide a scalable form of string analysis” (Guarnieri [0015]).

With further regard to claim 19, Hong in view of Arguelles and Guarnieri does not teach the following, however, Pistoia teaches:
wherein the set of instructions for extracting the set of request information of a web API invocation comprises a set of instructions for assembling the usage string ([0036] “While analyzing the source code of an SQL database application, static analysis engine 100 discovers an SQL API executing the following query: ‘SELECT’ + col_name + ’FROM’ + table_name + ’;’ which engine 100 passes to LCAV 104 for resolution and logging.”);
wherein the assembled usage string comprises at least one placeholder string that is used to represent an unresolved string variable in the data flow of string variables ([0036] “Although LCAV 104 is able to identify the access as a read access, since LCAV 104 cannot determine the scope of the access without further information on col_name and table_name, it invokes string analyzer 106 to refine the access by resolving these two variables. String analyzer 106 resolves col_name into [Name|ID|Surname] and 
that cannot be resolved statically ([0032] “If the access information passed to LCAV 104 cannot be sufficiently resolved to determine the type and scope of the access, such as where LCAV 104 receives an SQL query that does not indicate the name of the database being accessed, but rather includes a variable that contains the name of the database being accessed, LCAV 104 preferably invokes a string analyzer 106 to refine the access information by partially or wholly resolving some or all of the access variables.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the computing device as disclosed by Hong in view of Arguelles and Guarnieri with the assembling of usage strings and assigning a placeholder string as taught by Pistoia since “Being able to accurately identify such read/write chains would represent a significant improvement to the field of static analysis” (Pistoia [0007]).

With further regard to claim 19, Hong in view of Arguelles, Guarnieri and Pistoia does not teach the following, however, Wang teaches:
constructing a specification string of the URL endpoint ([0030] “Two basic manners to specify URLs for segments are: SegmentList and SegmentTemplate … the latter provides a template-based URL construction mechanism which allows 
verifying whether the set of request information complies with the received web API specifications based on the constructed specification string by way of a comparison of the usage string with the constructed specification string ([0010] “validating that a requested resource is in an allowed set by matching the URL received against a URL template in the signing information,” wherein the “URL received” is the “assembled string” as taught above in Pistoia. [0066] “the segment URL templates may be used as a checking algorithm.” [0073] “With regard to template URL verifying, similar to URL verifying employed by URL signing, template URL verifying is a process that checks template URL signing information against an actual URL request … the example segment URLs described above may be verified against the URL template used to derive them.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the computing device as disclosed by Hong in view of Arguelles, Guarnieri and Pistoia with the constructing and checking operations related to endpoints as taught by Wang in order “to verify that a URL is constructed by a segment URL template” (Wang [0066]).

Claim 20:
Hong in view of Arguelles, Guarnieri, Pistoia and Wang discloses the computing device of claim 19, and Arguelles further teaches wherein the set of request information further comprises a hypertext transfer protocol (HTTP) method (Col. 13 Ln. 17: “the 

With further regard to Claim 20, Hong further teaches wherein the usage string further comprises request data; and wherein verifying the set of request information comprises checking the request data and the HTTP method for compliance with a requirement set forth in the received web API specifications ([0027] “The validation module 210 is to determine whether a set of instructions are valid based on the data referenced within the data repository 110. In an example embodiment, the validation module 210 determines whether a received API call is valid based on whether the access module 212 recognizes the syntax of the API call and that the particular data fields and/or data values (e.g., data types, operands or arguments or other input) to the API call are valid,” wherein the ‘particular data fields and/or data values’ of the API call. [0030] “An API call table 302 may contain a record for each API call defined by the schema, and may include valid input fields for each API call,” the ‘API Call Table’ 302 is the ‘web API specifications’.).

Claim 23: 
Hong in view of Arguelles, Guarnieri, Pistoia and Wang discloses the computing device of claim 19, and Pistoia further teaches wherein the set of instructions for verifying whether the set of request information complies with the received web API 

Claim 24: 
Hong in view of Arguelles, Guarnieri, Pistoia and Wang discloses the method of claim 19, and Guarnieri further teaches wherein the set of instructions for extracting the set of request information of the web API invocation comprises a set of instructions for assembling a plurality of usage strings by following a data flow of string variables leading to the web API invocation ([0022] “FIGS. 3A and 3B, a logic flow diagram is shown for performing static analysis including scalable and precise string analysis using index-sensitive static string abstractions.” [0024] “the static analysis in block 310 may include generating one or more representations (such as models) of the program P, in order to represent how the program may operate during execution (the program P is not, however, actually executed during static analysis). One typical representation is a flow graph, which is a representation, using graph notation, of all paths that might be traversed through a program during its execution.” [0025] “In block 320, the computing .

Response to Arguments
Applicant's arguments filed January 14, 2021 have been fully considered but they are not persuasive. 

With respect to newly amended Claim 1, the Applicant first argues, Page 13 Paragraph 1 of the Remarks, that “a comparison of two created strings … as provided in claim 1 as currently presented, is not disclosed or even suggested by Hong.” With respect to this argument, the Office notes that the rejections of the independent claims have been modified to more clearly indicate that it is the teachings of Wang, viewed in light of the teachings of Hong, Guarnieri and Pistoia, that have been relied upon to show that it would have been obvious to perform the recited steps of comparing two created strings. The disclosure of Hong is no longer cited in the independent claim rejections as teaching the step of checking or verifying strings by way of comparison.
As such the Applicant is directed to the newly modified rejection of Independent Claims 1, 8, 16 and 19.

With respect to the Applicant’s second argument regarding Claim 1, Page 14 of the Remarks, that there is no teaching, suggestion, or motivation to combine the references, the examiner recognizes that obviousness may be established by In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007).  
In this case, Hong discloses:
[0013], “Various example embodiments include a response simulator to test executable instructions such as an Application Programming Interface (API) call.”
[0014] “loads on networked server and/or database resources may be significantly reduced for a set of API call tests in comparison to loads sustained by network resources for the same set of API call tests, in the absence of the response simulator. Use of an example response simulator for testing, rather than a dedicated network resources may result in the use of fewer hardware and/or software components and thus, use of the response simulator may aid in avoiding testing down-time.”
While Pistoia discloses:
[0002] “While existing static analysis tools provide useful information to computer software developers and programmers, they currently do not provide certain kinds of useful information” [0009] “In one aspect of the present invention a system is provided for identifying read/write chains during static analysis of computer software, the system including a static analysis engine configured to perform static analysis on computer software and … a string analyzer configured to at least partly resolve 
As such the Office contends that the enhanced static analysis methods disclosed in Pistoia could significantly improve the testing system disclosed in Hong by enabling additional code analysis features, i.e. static code analysis, which were not previously enabled in the testing system of Hong. Thereby such additional code analysis and testing features would result in furthering the objective recited in Paragraph [0014] of Hong, i.e. “the use of fewer hardware and/or software components and thus, use of the response simulator may aid in avoiding testing down-time.” As such the Office maintains that there is a teaching, suggestion, and motivation to combine the references of Hong and Pistoia.

With respect to the Applicant’s third argument regarding Claim 1, Page 17 Paragraph 3 of the Remarks, that the examiner's conclusion of obviousness is based upon improper hindsight reasoning, it must be recognized that any judgment on obviousness is in a sense necessarily a reconstruction based upon hindsight reasoning.  But so long as it takes into account only knowledge which was within the level of ordinary skill at the time the claimed invention was made, and does not include knowledge gleaned only from the applicant's disclosure, such a reconstruction is proper.  See In re McLaughlin, 443 F.2d 1392, 170 USPQ 209 (CCPA 1971). The Office contends that the teaching, suggestion and/or motivation to combine the prior art references is disclosed in the rejection of Claim 1 above. Further evidence for the 

With respect to the Applicant’s further arguments, Pages 17-21 of the Remarks, that the features of the remaining claims are not taught by the cited prior art, the Office respectfully disagrees. These arguments rely upon the arguments as presented in relation to claims discussed above, and as such the Office directs the Applicant to the responses above regarding these arguments. 

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOANNE GONZALES MACASIANO whose telephone 
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Dennis Chow can be reached on (571)272-7767.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/J.G.M/Examiner, Art Unit 2194
/DOON Y CHOW/Supervisory Patent Examiner, Art Unit 2194