Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This is in response to the original filing of May 2nd, 2019. Claims 1-21 are pending and have been considered.

Priority
Acknowledgment is made of no claim of foreign priority.

Drawings
The drawings filed on 05/02/2019 are accepted.

Specification
The specification filed on 05/02/2019 is accepted.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 05/02/2019 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 6-10, 13-17, 20 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Liu et al U.S. 2018/0316715 A1 in view of Rubin et al U.S. 2005/0240999 A1.
Claims 1, 8 and 15: Liu et al teaches a method to detect and mitigate a hard-coded secret vulnerability in source code, an apparatus and a computer program product in a non-transitory computer readable medium for use in a data processing system, the computer program product holding computer program instructions executed by the data processing system to detect and mitigate a hard-coded secret vulnerability in source code (par.23), the computer program instructions configured, comprising:
a processor (Fig.1, item 120);
computer memory holding computer program instructions executed by one or more processors to detect and mitigate a hard-coded secret vulnerability in source code (par.23, Fig.1), 
applying a lexical analysis to the source code to generate given information (Fig.2, Fig.3, par.47-51, the processor 110 loads paths and nodes by applying source code analysis techniques such as definite assignment analysis on source code (Step S301). par.68, The analyses may include data flow analysis, vector analysis, lexical analysis, and graph analysis);
applying the given information against a rule set, is indicated for potential use in the source code as a hard-coded secret (Fig.2, Fig.3, par.47-51, the processor 110 loads paths and nodes by applying source code analysis techniques such as definite assignment analysis on source code (Step S301) and identifies at least one tainted path by enabling a plurality of vulnerability rules through a complete scan of the source code (Step S303). The at least one tainted paths may be identified by using an existing automated data flow analysis tool to perform data flow analysis on the path graph. Also, the existing automated data flow analysis tool may be some open source or free tools such as RIPS (a static source code analyzer for vulnerabilities in PHP web applications), Google CodeSearchDiggity (a tool to identify SQL injections, XSS, hard-coded passwords, etc.), or RATS (a tool for scanning C/C++, Perl, PHP, Python source code for vulnerabilities such as buffer overflows), and so on.);
processing results of applying the given information against the respective first and second rules to identify a likelihood and location in the source code of the hard-coded secret vulnerability (par.28-29, 31, The processor 110 then identifies at least one tainted paths by enabling a plurality of vulnerability rules); and
outputting an indication of the hard-coded secret vulnerability to enable a subsequent action (par.52-54, If the actual object/variable exists in the target node, the processor 110 determines that the current target node is mitigable and applies an instant-fix call at the actual tainted object on the target node based on the corresponding vulnerability rule).
Liu et al does not explicitly teach the following; however, Rubin et al, in the same field of endeavor, teaches
at least a first rule in the rule set being configured to identify a data string that, based on its initial value and a specified function with which it is associated, is indicated for use in the source code as a hard-coded secret, at least a second rule in the rule set being configured to identify a data string that, based on its specified value or characteristic (par.11, 111, 122-134, rule files are text files that describe lexical characteristics of a particular language. Rule files for a language describe character encodings, sequences of characters that form lexical constructs of the language, referred to as tokens, patterns of tokens that form syntactical constructs of program code, referred to as parsing rules, and patterns of tokens that correspond to potential exploits, referred to as analyzer rules)
Liu et al with the additional feature of Rubin et al in order to provide network security, and in particular to scanning of mobile content for exploits, as suggested by Rubin et al par.2.
Claims 2, 9 and 16: the combination teaches:
wherein the specified function is one of: a specific algorithm Application Programming Interface (API), a specific security API, a specific utility API, a specific system command, and an operation that passes the data string initial value to the specified function (Liu et al, par.25, 27, 32-33, Rubin et al, par.138).
The same motivation to modify Liu et al in view of Rubin et al applied to claims 1, 8 and 15 above applies here.
Claims 3, 10 and 17: the combination teaches
wherein the specified value or characteristic is one of: a variable that meets a specific complexity, a variable that meets a specific length, a variable having a name that matches a specific sub-string, and a variable that matches against other predefined criteria (Liu et al, par.28, 33, 59, Rubin et al, par.118, 120-127,138).
The same motivation to modify Liu et al in view of Rubin et al applied to claims 1, 8 and 15 above applies here.
Claims 6, 13 and 20: the combination teaches      
wherein the first rule is configured to identify a pattern at a particular location within the source code (Liu et al, par.44, Rubin et al, par.11-12, 79, 134-136).
The same motivation to modify Liu et al in view of Rubin et al applied to claims 1, 8 and 15 above applies here.
Claims 7, 14 and 21: the combination teaches     
wherein the subsequent action is one of: performing a further analysis of the source code, rewriting the source code to excise the hardcoded secret vulnerability, and updating the source code to ameliorate the hard-coded secret vulnerability (Liu et al, par.17, 18, 47-48, 50-51, 68, Rubin et al, par.138).
The same motivation to modify Liu et al in view of Rubin et al applied to claims 1, 8 and 15 above applies here.

Claims 4, 5, 11, 12, 18 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Liu et al U.S. 2018/0316715 A1 in view of Rubin et al U.S. 2005/0240999 A1 in further view of Wong et al U.S. 2012/0042361 A1.
Claims 4, 11 and 18: the combination fails to teach, however Wong et al in the same field of endeavor teaches
wherein the given information is a set of tokens and relations, and wherein processing results includes receiving a set of scores and applying a consolidation function (par. 181-197, 201-211).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the combined teaching of Liu et al with the additional feature of Wong et al in order to provide the ability to detect source code in a message being sent over a digital communication network to secure against unauthorized leakage of source code, as suggested by Rubin et al abstract.
Claims 5, 12 and 19: the combination teaches 
wherein the consolidation function is one of: an intersection of the results of applying rules in the rule set, and a union of the results of applying rules in the rule set (Wong et al, par. 181-197, 201-211).
The same motivation to modify Liu et al in view of Wong et al applied to claims 4, 11 and 18 above applies here.

The following prior art is cited to further show the state of the art at the time of applicant’s invention.
Kane-Parry et al U.S. 9,465,942 B1 teaches dictionary generation for identifying coded credentials.
Zang et al U.S. 10,929,277 B2 teaches a method for detecting hard-coded strings in source code, which involves generating a filtered list of strings and rendering source code of an application through a user interface of the application.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FATOUMATA TRAORE whose telephone number is (571)270-1685. The examiner can normally be reached on 6:30-3:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SHEWAYE GELAGAY can be reached on 5712724219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center 






Saturday, June 5, 2021
/FATOUMATA TRAORE/Primary Examiner, Art Unit 2436