DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
This action is in response to the communication filed on February 03, 2021 in response to the first office action on merit.

Remarks
Pending claims for reconsideration are claims 1-6, 9-16, and 19-20. Applicant has
Amended claims 1, 4-6, 9, 11-12, 15-16, and 20. 
Canceled claims 7-8, and 17-18. 

Response to Arguments
The following applicant’s arguments filed on February 03, 2021 have been fully considered but they are not persuasive.
In the remarks, applicant argues in substance:
That-  “With respect to claim 1, the Office Action reads the dependency code in the binary file on the code segments in Shavro. However, Shavro does not contemplate searching a binary file for one version of dependency code based on a version-specific fingerprint associated with that version. Shavro also fails to teach filtering cleared dependency code from such a binary file to separate it from custom code and altered dependency code in the file and evaluating the custom code and the altered dependency code for a security risk, where the altered dependency code includes another version of the dependency code for which the associated version-specific fingerprint differs from that of the first version” (Page 8: Para 1: lines 3-7).  
In response to argument- Examiner respectfully disagrees with applicant’s argument in regard to independent claims 1, and 12.   Sharvo discloses separating a binary into public code i.e., “dependency code” and private code i.e., “custom code” (Sharvo, Para 0019). Sharvo also discloses classifying  public code into a primary test group of code segments i.e., the “altered dependency code”  and  a secondary test group of code segments” i.e., “cleared dependency code” (Para 0031:5-7).  Sharvo also discloses matching of code segment is performed using a signature of the code segment (Para 0026).
Shavro does not particularly disclose filtering out the “cleared dependency code” i.e., the “secondary test group of code segments” from a binary file in order to separate the “private code” i.e., the “custom code” and the “altered dependency code” i.e., the “primary test group of code segments”.
However, Kang discloses receiving total list of software packages i.e., the “dependency code” installed on a client device (Kang, Fig. 5; and Para 0104). Where an essential package list i.e., a “altered dependency code” is generated from the total list of software packages i.e., the “dependency code” (Para 0112). From the essential package list i.e., the “altered dependency code” an optimized package list i.e., a “cleared dependency code” is created (Para 0124). Finally, security score for respective packages are outputted (Para 0129). 
Therefore, the combination of the prior arts discloses the claimed limitations of independent claims 1, and 12.
Regarding the rest of amendments and corresponding applicant’s arguments with respect to at least the amended independent claims, applicant’s arguments have also been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.


Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a)  IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1, and 12 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement.  The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for pre-AIA  the inventor(s), at the time the application was filed, had possession of the claimed invention.  
For claims 1, and 12 recite a similar statement as this: “first version specific fingerprint”, “first version of the dependency code” and “second version of the dependency code”, “second version-specific fingerprint”.  
Applicant specification describes a binary file may contain custom code (in-house developed code) and dependency code (code obtained from a code repository which may have been developed by a third party) (Specification: Para 0004). Where the custom code is checked for security risk (Para 0006) and the dependency code is not unless the dependency code is changed (Para 0018).  The dependency code is divided into (A) cleared dependency code, and (B) altered dependency code (Specification: Para 
Therefore, the claim seeking “first version of the dependency code” failed to suggested which of the dependency codes does it corresponds to i.e., (A) cleared dependency code or (B) altered dependency code. Since the claim also seeks “cleared dependency code” on line 11 but failed to tie it to any of the above first and second version specific dependency code. Perhaps applicant intended to say that the “first version of the dependency code” is the “cleared dependency code” since the claims do specify that the “second version of the dependency code” is the “altered dependency code”.  
Examiner finds the closest support for the term “version” can be attributed to the above limitations in applicant provided specification which explains that “The fingerprint may be developed as a function of a version of the dependency code…” [Specification, Para 0018:9-10].  As can be seen the claim limitation above it is not precisely defined by the applicant provided specification since applicant specification failed to describe “first version specific fingerprint”, “first version of the dependency code” and “second version of the dependency code”, “second version-specific fingerprint”.
Claims 2-6, and 9-11 inherit the deficiencies of the base claim 1 and therefore are rejected under 35 USC § 112 by virtue of their dependency.
Claims 13-16, and 19-20 inherit the deficiencies of the base claim 12 and therefore are rejected under 35 USC § 112 by virtue of their dependency.
For examining purpose office will assume the explanation provided above (See bullet c.). Appropriate correction is requested.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-6, 9-16, and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Tamir Shavro (U.S. Patent Application Publication No.: US 2018/0060224 A1 / or “Shavro” hereinafter [provided by the applicant] in view of Kang et al. (U.S. Patent Application Publication No.: US 2018/0129812 A1 / or “Kang” hereinafter).

(Based on 112 rejection) Regarding claim 1, Shavro discloses “A computer comprising” (Para 0041: A computer with processor is disclosed): 
“a memory; and a processor programmed to execute instructions stored in the memory, the instructions including” (Para 0042: computer with storage medium):
“identifying a first version-specific fingerprint associated with a first version of dependency code [i.e., “cleared dependency code”]” (Para 0031:5-7, when the application code segment does match a public code segment from the index, the code segment is assigned to a secondary test group of code segments” i.e., “cleared dependency code”; and Para 0026, where the match of code segment is performed using a signature of the code segment); 
“searching a binary file for the first version of the dependency code based on the first version-specific fingerprint” (Para 0026, where the match of code segment is performed using a signature of the code segment), 
“wherein the binary file contains a second version of the dependency code [i.e., “altered dependency code”], wherein a second version-specific fingerprint associated with the second version of the dependency code differs from the first version-specific fingerprint” (Para 0031: 5-7, “when the application code segment does match a public code segment from the index, the code segment is assigned to a secondary test group of code segments” i.e., “cleared dependency code”; and Para 0030: different code segments have different signatures); 
 “[filtering] cleared dependency code [i.e., “first version of dependency code”] from the binary file to [separate] the cleared dependency code from custom code and altered dependency code [i.e. second version of the dependency code] in the binary file” (Para 0019: public code i.e., “dependency code” and private code i.e., “custom code” are separated and performed different tests; Para 0007; and  Para 0031: when a code segment does not match a public code segment from the index, the code segment is assigned to a primary test group of code segments i.e., the “altered dependency code” and “when the application code segment does match a public code segment from the index, the code segment is assigned to a secondary test group of code segments” i.e., “cleared dependency code”),
“wherein the altered dependency code includes the second version of the dependency code” (Para 0031:1-3, “When an application code segment does not match a public code segment from the index, the code segment is assigned to a primary test group of code segments” i.e., alteration to code segment has taken place);
 “and evaluating the custom code and the altered dependency code in the binary file for a security risk” (Para 0032: determines security vulnerabilities of the code segment that do not corresponds to the public code i.e., “custom code”; and Para 0031: the primary test group of code segments i.e., the “altered dependency code” goes through a more comprehensive set of tests).
Furthermore, Sharvo discloses separating a binary into public code i.e., “dependency code” and private code i.e., “custom code” (Sharvo, Para 0019). Sharvo also discloses classifying  public code into a primary test group of code segments i.e., the “altered dependency code”  and  a secondary test group of code segments” i.e., “cleared dependency code” (Para 0031:5-7). 
But Shavro fails to specially disclose filtering out the “cleared dependency code” i.e., the “secondary test group of code segments” from a binary file in order to separate the “private code” i.e., the “custom code” and the “altered dependency code” i.e., the “primary test group of code segments”.
However, Kang discloses receiving total list of software packages i.e., the “dependency code” installed on a client device (Kang, Fig. 5; and Para 0104). Where an essential package list i.e., a “altered dependency code” is generated from the total list of software packages i.e., the “dependency code” (Para 0112). From the essential package list i.e., the “altered dependency code” an optimized package list i.e., a “cleared dependency code” is created (Para 0124). Finally, security score for respective packages are outputted (Para 0129).
	It would have been obvious to an ordinary person skilled in the art before the effective filing date of the claimed invention to employ the teachings of filtering out the “cleared dependency code” i.e., the optimized package list from a software package in order to separate the “private code” i.e., the “custom code” and the essential package list i.e., the “ altered dependency code” of Kang to the system of Distinguishing Public and Private Code in Testing Environment of Shavro to create a system where further quantification is performed on an open-source software package i.e., the “dependency code”  and the ordinary person skilled 

Regarding claim 2, in view of claim 1, Shavro discloses “wherein the instructions include receiving a code repository representing at least one instance of dependency code” (Fig. 1: Public Code Repository 120 i.e., “dependency code” repository; and Para 0012).
Regarding claim 3, in view of claim 2, Shavro discloses “wherein the instructions include indexing the code repository” (Fig. 2: Public Code Index 260; and Para 0020).

Regarding claim 4, in view of claim 2, Shavro discloses “wherein the instructions include developing a version-specific fingerprint for each instance of dependency code in the code repository” (Fig. 2; and Para 0020, 0025: generates signature i.e., “fingerprint”).

Regarding claim 5, in view of claim 4, Shavro discloses “wherein each version-specific fingerprint developed is a function of one of the instances of dependency code in the code repository” (Fig. 2; and Para 0020, 0025: generates signature i.e., “fingerprint” for each code segments).

Regarding claim 6, in view of claim 1, Shavro discloses “wherein filtering the cleared dependency code includes removing the cleared dependency code from the binary file” (Para 0007, public code segments are excluded from the not determined as public code).

Regarding claim 9, in view of claim 1, Shavro discloses “wherein the instructions include receiving the binary file” (Fig. 1: Code Testing System 100 receives software packages; and Para 0014).

wherein the instructions include generating statistics representing an amount of dependency code and an amount of custom code in the binary file” (Kang, Para 0020, a binary file is analyzed to determine size of the dependency package along with other packages).

Regarding claim 11, in view of claim 1, Shavro discloses “wherein the instructions include generating a risk assessment file as a result of performing the security evaluation of the custom code and the altered dependency code” (Para 0032: determines security vulnerabilities of the code segment that do not corresponds to the public code i.e., “custom code”).

(Based on 112 rejection) Regarding claim 12, Shavro discloses “A method comprising” (Para 0011: a method is disclosed): 
“receiving a binary file” (Fig. 3: search an application for private code i.e., “custom code” and pubic code i.e., “dependency code”; and Para 0037-0038); 
“identifying a first version-specific fingerprint associated with a first version of dependency code” (Para 0031:5-7, when the application code segment does match a public code segment from the index, the code segment is assigned to a secondary test group of code segments” i.e., “cleared dependency code”; and Para 0026, where the match of code segment is performed using a signature of the code segment); 
 “searching the binary file for the first version of the dependency code based on the first version-specific fingerprint” (Para 0026, where the match of code segment is performed using a signature of the code segment), 
“wherein the binary file contains a second version of the dependency code, wherein a second version-specific fingerprint associated with the second version of the dependency code differs from the first version-specific fingerprint” (Para 0031: 5-7, “when the application code segment does match a public code segment from the index, the code segment is assigned to a secondary test group of code segments” i.e., “cleared dependency code”; and Para 0030: different code segments have different signatures); 
“[filtering] cleared dependency code from the binary file to [separate] the cleared dependency code from custom code and altered dependency code in the binary file(Para 0019: public code i.e., “dependency code” and private code i.e., “custom code” are separated and performed different tests; Para 0007; and  Para 0031: when a code segment does not match a public code segment from the index, the code segment is assigned to a primary test group of code segments i.e., the “altered dependency code” and “when the application code segment does match a public code segment from the index, the code segment is assigned to a secondary test group of code segments” i.e., “cleared dependency code”), 
“wherein Page 4 of 9Response Submitted February 3, 2021Docket No. 50419-US-PAT(01287-0004) App. No. 16/129,321 the altered dependency code includes the second version of the dependency code” (Para 0031:1-3, “When an application code segment does not match a public code segment from the index, the code segment is assigned to a primary test group of code segments” i.e., alteration to code segment has taken place);
“and evaluating the custom code and the altered dependency code in the binary file for a security risk” (Para 0032: determines security vulnerabilities of the code segment that do not corresponds to the public code i.e., “custom code”; and Para 0031: the primary test group of code segments i.e., the “altered dependency code” goes through a more comprehensive set of tests).
Furthermore, Sharvo discloses separating a binary into public code i.e., “dependency code” and private code i.e., “custom code” (Sharvo, Para 0019). Sharvo also discloses classifying  public code into a primary test group of code segments i.e., the “altered dependency code”  and  a secondary test group of code segments” i.e., “cleared dependency code” (Para 0031:5-7). 
But Shavro fails to specially disclose filtering out the “cleared dependency code” i.e., the “secondary test group of code segments” from a binary file in order to separate the “private 
However, Kang discloses receiving total list of software packages i.e., the “dependency code” installed on a client device (Kang, Fig. 5; and Para 0104). Where an essential package list i.e., a “altered dependency code” is generated from the total list of software packages i.e., the “dependency code” (Para 0112). From the essential package list i.e., the “altered dependency code” an optimized package list i.e., a “cleared dependency code” is created (Para 0124). Finally, security score for respective packages are outputted (Para 0129).
	It would have been obvious to an ordinary person skilled in the art before the effective filing date of the claimed invention to employ the teachings of filtering out the “cleared dependency code” i.e., the optimized package list from a software package in order to separate the “private code” i.e., the “custom code” and the essential package list i.e., the “ altered dependency code” of Kang to the system of Distinguishing Public and Private Code in Testing Environment of Shavro to create a system where further quantification is performed on an open-source software package i.e., the “dependency code”  and the ordinary person skilled in the art would have been motivated to combine to optimize the open-source software package i.e., the “dependency code”  (Kang, Abstract).

Regarding claim 13, in view of claim 12, Shavro discloses “further comprising receiving a code repository representing at least one instance of dependency code” (see rejection of claim 2).

Regarding claim 14, in view of claim 13, Shavro discloses “further comprising indexing the code repository” (see rejection of claim 3).

further comprising developing a version- specific fingerprint for each instance of dependency code in the code repository, wherein each version- specific fingerprint developed is a function of one of the instances of dependency code in the code repository” (see rejection of claim 4 and 5).

Regarding claim 16, in view of claim 12, Shavro discloses “wherein filtering the cleared dependency code includes removing the cleared dependency code from the binary file” (see rejection of claim 6).

Regarding claim 19, in view of claim 12, Shavro in view of Kang disclose “further comprising generating statistics representing an amount of dependency code and an amount of custom code in the binary file” (See rejection of claim 10).

Regarding claim 20, in view of claim 12, Shavro discloses “further comprising generating a risk assessment file as a result of performing the security evaluation of the custom code and the altered dependency code” (See rejection of claim 11).



Relevant Prior Arts
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Bezzi et al. (US 2018/0157486 A1) discloses “…analyzing the plurality of versions of code of the component to compute metrics to identify each version of code, analyzing the metrics to determine a subset of the metrics to use to as a fingerprint definition to identify each version of the code, generating a fingerprint for each version of code using the fingerprint definition, .

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABDULLAH ALMAMUN whose telephone number is         (571) 270-3392.  The examiner can normally be reached on 8 AM - 5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ABDULLAH ALMAMUN/Examiner, Art Unit 2431                                                                                                                                                                                                        
/SAMSON B LEMMA/Primary Examiner, Art Unit 2498