DETAILED ACTION

This non-final office action is in response to claims 1-20 filed June 14, 2019 for examination. Claims 1-20 are being examined and are pending. 
Notice of Pre-AIA  or AIA  Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
Information Disclosure Statement

The information disclosure statement filed 6/14/2019and 07/01/2019 has been placed in the application file and the information referred to therein has been considered as to the merits. 
Drawings

The drawings filed on 06/14/2019 have been accepted.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.

3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or non-obviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b) (2) (C) for any potential 35 U.S.C. 102(a) (2) prior art against the later invention.
Claims 1-2, 4-17, and 19-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over US 2019/0305957 A1 to Reddy et al. (“Reddy”) in view of US 2020/0242254 A1 to Velur et al. (“Velur”).
Regarding claim 1, Reddy disclosed a method comprising (Abstract. a process that includes: determining whether to execute a software asset based on trust records (i.e. vulnerability state) documenting provenance of the software asset published to a blockchain.): determining, by the computer, a block of a blockchain representing a vulnerability state of the plurality of components; and associating, by the computer, the block of the blockchain with the product release. (Para. 109. In some embodiments, trust records may be encoded as a linked list or other associative array of trust assertions or constituent trust records to which new trust assertions or trust records are appended over time as the available information about a software asset increases and evolves. In some embodiments, this process may include instantiating a new software asset (i.e. new product release), as indicated by block 132 in FIG. 5. In some embodiments, the newly instantiated software asset may be assigned a global unique identifier, for instance, in a namespace of software assets in the above-describe computing environment 70. In some cases, a GUID may be assigned by calling a smart contract that returns a GUID determined by the smart contract to not conflict with extant names. In some cases, the resulting initial trust record having the unique identifier may be written to a first block (which may be part of a longer block chain). In some embodiments, writing the trust record to the block may include publishing the trust record, for example, by writing the illustrated trust assertion with the unique identifier to content of a leaf node of a Merkel tree of the block.).
Reddy does not but the analogous art Velur disclosed determining, by a computer, entries of a software vulnerability database associated with a plurality of components associated with a release of a software product; (Para. 0072-0075. CVE database 618 can include a list of CVEs known throughout the public domain, including any information related to each CVE. The library database 620 can include release notes and changelogs that can be stored in the release notes and changelogs database 610. As described in block 310 of FIG. 3A, NLP can be used to analyze the information stored in the release notes and changelogs database 610. The natural language processing engine 612 can be used to determine whether a known CVE has been fixed in a newer version of a library as compared to a current version of a library being implemented in an API.)
Therefore, it would have been obvious to one having ordinary skill in the art before the applicant(s) invention was filed to modify the invention of Reddy by including the idea of determining entries of a software vulnerability database associated with a plurality of components associated with a release of a software product as taught by Velur in order to provide more robust 
Claim 16 recites similar limitations to claim 1, mutatis mutandis, the subject matter of claim 16, which is therefore, also considered to be taught by Reddy-Velur combination as above.
Regarding claim 13, Reddy disclosed an apparatus comprising (Abstract. a process that includes: determining whether to execute a software asset based on trust records (i.e. vulnerability state) documenting provenance of the software asset published to a blockchain.): at least one processor; and a memory to store instructions that, when executed by the at least one processor, cause the at least one processor to: generate a block of a blockchain representing a state of the database; and generate a stamp to be associated with a release of the software product, the stamp representing an index to the block of the blockchain. (Para. 0108. When new information becomes available about a software asset, new versions of trust assertions or trust records may be written to the data store 104, and in some cases, indexes identifying those new records may be updated to reference the newer version (rather than overwriting the older information). In some cases, the various constituent components of the computing environment 70 described above may reference such an index to identify trust records. In some embodiments, the index may be stored in the data store 104 as well. (Or some embodiments may operate on mutable records.) Para. 109. In some embodiments, trust records may be encoded as a linked list or other associative array of trust assertions or constituent trust records to which new trust assertions or trust records are appended over time as the available information about a software asset increases and evolves. In some embodiments, this process may include instantiating a new software asset (i.e. new product release), as indicated by block 132 in FIG. 5. In some embodiments, the newly instantiated software asset may be assigned a global unique identifier, for instance, in a namespace of software assets in the above-describe computing environment 70. In some cases, a GUID may be assigned by calling a smart contract that returns a GUID determined by the smart contract to not conflict with extant names. In some cases, the resulting initial trust record having the unique identifier may be written to a first block (which may be part of a longer block chain). In some embodiments, writing the trust record to the block may include publishing the trust record, for example, by writing the illustrated trust assertion with the unique identifier to content of a leaf node of a Merkel tree of the block.)
Reddy does not but the analogous art Velur disclosed determine an enumeration of components associated with a software product; based on the enumeration, identify vulnerabilities published in a database associated with the components (Para. 0072-0075. CVE database 618 can include a list of CVEs known throughout the public domain, including any information related to each CVE. The library database 620 can include release notes and changelogs that can be stored in the release notes and changelogs database 610. As described in block 310 of FIG. 3A, NLP can be used to analyze the information stored in the release notes and changelogs database 610. The natural language processing engine 612 can be used to determine whether a known CVE has been fixed in a newer version of a library as compared to a current version of a library being implemented in an API.)
Therefore, it would have been obvious to one having ordinary skill in the art before the applicant(s) invention was filed to modify the invention of Reddy by including the idea of determine an enumeration of components associated with a software product; based on the enumeration, identify vulnerabilities published in a database associated with the components as taught by Velur in order to provide more robust and accurate solutions for continuous and automatic vulnerability management for modern applications (Velur, para. 0003).
Regarding claim 2, Reddy in view of Velur further disclosed the method of claim 1, wherein associating the block of the blockchain with the product release comprises: generating a validation stamp containing a reference to the block and a reference to the software product (Para. 0111. Upon a developer committing code changes to the software asset to the repository, a new trust record 136 may be published.  In some embodiments, the new trust record 136 may include a reference to an address of the previous trust record 134 in the blockchain. In some embodiments, the trust records 132, 134, 136 may be written consecutively to a directed acyclic graph of cryptographic hash pointers (i.e. validation stamp).).
Claim 17 recites similar limitations to claim 2, mutatis mutandis, the subject matter of claim 17, which is therefore, also considered to be taught by Reddy-Velur combination as above.
Regarding claim 4, Reddy in view of Velur further disclosed the method of claim 2, wherein generating the validation stamp further comprises including data in the validation stamp representing a hash of the software product (Para. 0111. In some embodiments, trust records like trust record 136 may include a cryptographic hash of the content of code of the software asset, of a set of changes to the code of the software asset, and various other key-value pairs like those illustrated. In some cases, a trust assertion may be verified to apply to a software asset by comparing a signed cryptographic hash of the software asset in the trust record to a recalculated cryptographic hash of the software asset in question.).
Regarding claim 5, Reddy in view of Velur further disclosed the method of claim 2, wherein generating the validation stamp further comprises including data in the validation stamp representing a name of the software product (Para. 0114, Para. 0111).
Regarding claim 6, Reddy in view of Velur further disclosed the method of claim 2, wherein generating the validation stamp further comprises including data in the validation stamp representing identifiers for the plurality of components (Para. 0109, 0111, 0114).
Regarding claim 7, Reddy in view of Velur further disclosed the method of claim 2, wherein generating the validation stamp further comprises including data in the validation stamp representing identifiers for the components of the plurality of components appearing the block of the blockchain (Para. 0109).
Regarding claim 8, Reddy in view of Velur further disclosed the method of claim 1, wherein the blockchain comprises a master blockchain, and the master blockchain comprises a plurality of component vulnerability entry blockchains representing corresponding states of component vulnerability entries of the software vulnerability database (Para. 0111. Fig. 7 is a master blockchain).
Claims 15 & 19 recite similar limitations to claim 8, mutatis mutandis, the subject matter of claims 15 & 19, which is therefore, also considered to be taught by Reddy-Velur combination as above.
Regarding claim 9, Reddy in view of Velur further disclosed the method of claim 8, wherein a given component vulnerability entry blockchain represents a vulnerability entry and changes to the vulnerability entry (Para. 0111. upon a developer committing code changes to the software asset to the repository, a new trust record 136 may be published.).
Claim 20 recites similar limitations to claim 9, mutatis mutandis, the subject matter of claim 20, which is therefore, also considered to be taught by Reddy-Velur combination as above.
Regarding claim 10, Reddy in view of Velur further disclosed the method of claim 8, wherein the plurality of component vulnerability entry blockchains are associated with a plurality of security reporters (Para. 0106).
Regarding claim 11, Reddy in view of Velur further disclosed the method of claim 8, wherein the master blockchain is signed by a central authority (Para. 0057, 0149).
Regarding claim 12, Reddy in view of Velur further disclosed the method of claim 11, wherein the central authority comprises a single entity or a plurality of entities (Para. 0057).
Regarding claim 14, Reddy in view of Velur further disclosed the apparatus of claim 13, wherein the components comprise third party software components of the product (Para. 0160).

Claims 3 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Reddy in view of Velur as applied to claims 2 and 17 above, and further in view of WO 2020/211258 A1 to Wang et al. (“Wang”).
Regarding claim 3, Reddy-Velur combination disclosed the method of claim 2, the combination does not but the analogous art Wang disclosed wherein the reference comprises a blockchain page number (Abstract.  The method comprises: acquiring a query request, wherein the query request carries a page number of a target page (101); acquiring a keyword set corresponding to the page number of the target page from a blockchain account book according to the page number of the target page, wherein there are one or more keywords in the keyword set (102); acquiring a value corresponding to each keyword in the keyword set from the blockchain account book (103); combining the acquired keyword set and the value corresponding to each keyword in the keywords (104); and taking a combination result as a query result, and returning the query result (105).).

Claim 18 recites similar limitations to claim 3, mutatis mutandis, the subject matter of claim 18, which is therefore, also considered to be taught by Reddy-Velur-Wang combination as above.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 2020/0358802 A1 (Viswambharan et al.): [0056] The service mesh 302 may also be in communication with various other external feeds 307, 309, etc., for obtaining information on potential vulnerabilities in the software executing in its containers 330a-c, for example. The software vulnerabilities discussed herein may pertain to any exposures identified in the service instances which may compromise privacy, security, efficiency, accuracy, performance, etc., of the service instances. In some examples, the vulnerabilities may be program bugs, loopholes in service and user authentication, gaps in protection against intrusion, exposure to distributed denial of service (DDoS) attacks, etc. The potential software vulnerabilities may or may not have a fix readily available. A software vulnerability database cloud consortium 306 may source vulnerability information from various repositories and standards, such as the National Vulnerability Database (NVD), Product Security Incident Response Team (PSIRT), etc., and supply this information on the external feed 307 to the service mesh 302. The software vulnerability ledger blockchain 308 may provide another external feed 309 to the 
US 2020/0252219 A1 (Singh et al.): [0014] Some implementations described herein may use blockchain based digital identity generation and verification. For example, an identity generation platform may generate a base composite identity for a software application based on a set of sub-identities for a set of sub-application artifacts of the software application and may save the base composite identity to a blockchain. In this case, when a software application is to be verified, the identity generation platform may generate a verification composite identity and compare the verification composite identity to the base composite identity. If the verification composite identity and the base composite identity match, the identity generation platform may determine that the software application from which the verification composite identity was generated is unaltered relative to a version from which the base composite identity was generated. In contrast, if the verification composite identity does not match the base composite identity, the identity generation platform may compare each sub-identity to determine which artifact of the software application has been altered. In this way, the identity generation platform may identify discrepancies in large, complex software applications, thereby improving the software development process, reducing scheduling or cost overruns, reducing security vulnerabilities, reducing computing resources associated with identifying discrepancies, and/or the like. Further, the identity generation platform may automatically resolve an identified discrepancy by replacing an altered artifact of the software application with an 
US 2018/0096042 A1 (Kuzma et al.)
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHAWNCHOY RAHMAN whose telephone number is (571)270-7471.  The examiner can normally be reached on Monday - Friday 8:30A-5P ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T Arani can be reached on 5712723787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/Shawnchoy Rahman/            Primary Examiner, Art Unit 2438