Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2016, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This Office Action is in response to the application 16/030,023 filed on 07/09/2018. Claims 1, 8, and 15 have been amended; claims 3, 10, and 17 have been cancelled. Claims 1, 8, and 15 are independent claims. Claims 1, 4-8, 11-15, and 18-20 have been examined and are pending. 
Authorization for this Examiner’s Amendment was given via email with Applicant’s representative, Mr. IIhwan Yoo (Reg. No.: 78,275). Mr. Yoo has agreed and authorized the Examiner to amend claims 1, 8, and 15, and cancel claims 3, 10, and 17.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 12/14/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements have been considered by the examiner.



Examiner’s Amendments
Claims
Replacing claims 1-20 as follows:

1.	(Currently Amended) A system for determining a vulnerability of source code, the system comprising:
	a processor; and
	non-transitory computer readable media that includes instruction code that causes the processor to:
receive source code and a selection of one or more code analyzers for detecting vulnerability issues in the source code;
execute the one or more code analyzers to generate initial vulnerability data, the initial vulnerability data specifying one or more vulnerable code sections in the source code;
communicate the initial vulnerability data to a vulnerability analyzing engine, the vulnerability analyzing engine being configured to identify one or more code sections of the one or more code sections of the initial vulnerability data that correspond to false positives by utilizing tokenization and part-of-speech tagging to preprocess the identified code sections and classifying texts in the preprocessed code sections to extract code patterns associated with the identified code sections, wherein the code patterns include wildcards and correspond to parametrized versions of vulnerable code sections 
execute the vulnerability analyzing engine to locate records associated with the code patterns from a false positives database, the records including a category section, a code pattern section, and a comment field section, wherein the category section represents a vulnerability category including weak credentials, logging of sensitive information, and cross-site scripting, wherein the code pattern section represents  different code patterns that are vulnerable, and wherein the comment field section represents feedback previously provided by an analyst terminal in a natural language expression associated with the code patterns;  
automatically remove the one or more code sections that correspond to false positives from the initial vulnerability data to generate second vulnerability data based on the located records 
generate a report that specifies the second vulnerability data.

2-3.	(Canceled) 

4.	(Previously Presented) The system according to claim 1, wherein the instruction code causes the processor to:
communicate the initial vulnerability data to an analyst terminal;
receive feedback from the analyst terminal associated with a code section in the initial vulnerability data; 
generate a code pattern of a plurality of code patterns associated with the code section;
add a record to the false positives database that relates the code pattern and the feedback from the analyst terminal;
wherein the vulnerability analyzing engine includes a natural language processor configured to process the feedback to determine whether the feedback indicates that the related code pattern corresponds to a false positive.

5.	(Original) The system according to claim 1, wherein the non-transitory computer readable media causes the processor to:
	communicate the second vulnerability data to a code healer engine that is coupled to a code pattern database that includes records that relate vulnerable code patterns with replacement code patterns, wherein for each code section in the second vulnerability data, the code healer engine is configured to:
determine whether a vulnerable code pattern associated with the code section exists in the code pattern database;
generate a commented version of the code section;
generate replacement code based on the replacement code pattern in the code pattern database; and
communicate the commented version of the code section and the replacement code to a developer terminal.

6.	(Original) The system according to claim 5, wherein vulnerable code patterns and the replacement code patterns are parametrized to facilitate copying portions of vulnerable code sections into the replacement code.

7.	(Previously Presented) The system according to claim 5, wherein the instruction code causes the processor to:
receive feedback from the developer terminal associated with the replacement code, the feedback defining different replacement code for replacing the code section; 
communicate the feedback to the code healer engine, wherein the code healer engine is configured to: 
generate a code pattern of a plurality of code patterns associated with the different replacement code; and
add a record to the code pattern database that relates the code pattern associated with the different replacement code with the code section being replaced,
wherein the code healer engine includes a natural language processor configured to convert the different replacement code to the code pattern associated with the different replacement code.

8.	(Currently Amended) A non-transitory computer readable medium that includes instruction code that facilitates determining a vulnerability of source code, the instruction code being executable by a machine for causing the machine to perform acts comprising:
receiving source code and a selection of one or more code analyzers for detecting vulnerability issues in the source code;
executing the one or more code analyzers to generate initial vulnerability data, the initial vulnerability data specifying one or more vulnerable code sections in the source code;
communicating the initial vulnerability data to a vulnerability analyzing engine, the vulnerability analyzing engine being configured to identify one or more code sections of the one or more code sections of the initial vulnerability data that correspond to false positives by utilizing tokenization and part-of-speech tagging to preprocess the identified code sections and classifying texts in the preprocessed code sections to extract code patterns associated with the identified code sections, wherein the code patterns include wildcards and correspond to parametrized versions of vulnerable code sections 
executing the vulnerability analyzing engine to locate records associated with the code patterns from a false positives database, the records including a category section, a code pattern section, and a comment field section, wherein the category section represents a vulnerability category including weak credentials, logging of sensitive information, and cross-site scripting, wherein the code pattern section represents  different code patterns that are vulnerable, and wherein the comment field section represents feedback previously provided by an analyst terminal in a natural language expression associated with the code patterns;      
automatically removing the one or more code sections that correspond to false positives from the initial vulnerability data to generate second vulnerability data based on the located records including a name of the source code previously associated with the code patterns and a line number in the source code from which the code patterns were derived; and
generating a report that specifies the second vulnerability data.

9-10.	(Canceled) 

11.	(Previously Presented) The non-transitory computer readable medium according to claim 8, wherein the instruction code causes the machine to perform acts comprising:
communicating the initial vulnerability data to an analyst terminal;
receiving feedback from the analyst terminal associated with a code section in the initial vulnerability data; 
generating a code pattern of a plurality of code patterns associated with the code section;
adding a record to the false positives database that relates the code pattern and the feedback from the analyst terminal;
wherein the vulnerability analyzing engine includes a natural language processor configured to process the feedback to determine whether the feedback indicates that the related code pattern corresponds to a false positive.

12.	(Original) The non-transitory computer readable medium according to claim 8, wherein the non-transitory computer readable media causes the machine to perform acts comprising:

determining whether a vulnerable code pattern associated with the code section exists in the code pattern database;
generating a commented version of the code section;
generating replacement code based on the replacement code pattern in the code pattern database; and
communicating the commented version of the code section and the replacement code to a developer terminal.

13.	(Original) The non-transitory computer readable medium according to claim 12, wherein vulnerable code patterns and the replacement code patterns are parametrized to facilitate copying portions of vulnerable code sections into the replacement code.

14.	(Previously Presented) The non-transitory computer readable medium according to claim 12, wherein the instruction code causes the machine to perform acts comprising:
receiving feedback from the developer terminal associated with the replacement code, the feedback defining different replacement code for replacing the code section; 
communicating the feedback to the code healer engine, wherein the code healer engine is configured to: 
generate a code pattern of a plurality of code patterns associated with the different replacement code; and
add a record to the code pattern database that relates the code pattern associated with the different replacement code with the code section being replaced,
wherein the code healer engine includes a natural language processor configured to convert the different replacement code to the code pattern associated with the different replacement code.

15.	(Currently Amended) A method for determining a vulnerability of source code, the method comprising:

executing the one or more code analyzers to generate initial vulnerability data, the initial vulnerability data specifying one or more vulnerable code sections in the source code;
communicating the initial vulnerability data to a vulnerability analyzing engine, the vulnerability analyzing engine being configured to identify one or more code sections of the one or more code sections of the initial vulnerability data that correspond to false positives by utilizing tokenization and part-of-speech tagging to preprocess the identified code sections and classifying texts in the preprocessed code sections to extract code patterns associated with the identified code sections, wherein the code patterns include wildcards and correspond to parametrized versions of vulnerable code sections 
executing the vulnerability analyzing engine to locate records associated with the code patterns from a false positives database, the records including a category section, a code pattern section, and a comment field section, wherein the category section represents a vulnerability category including weak credentials, logging of sensitive information, and cross-site scripting, wherein the code pattern section represents  different code patterns that are vulnerable, and wherein the comment field section represents feedback previously provided by an analyst terminal in a natural language expression associated with the code patterns;      
automatically removing the one or more code sections that correspond to false positives from the initial vulnerability data to generate second vulnerability data based on the located records including a name of the source code previously associated with the code patterns and a line number in the source code from which the code patterns were derived; and
generating a report that specifies the second vulnerability data.

16-17.	(Canceled) 

18.	(Previously Presented) The method according to claim 15, further comprising:
communicating the initial vulnerability data to an analyst terminal;
receiving feedback from the analyst terminal associated with a code section in the initial vulnerability data; 
generating a code pattern of a plurality of code patterns associated with the code section;

wherein the vulnerability analyzing engine includes a natural language processor configured to process the feedback to determine whether the feedback indicates that the related code pattern corresponds to a false positive.

19.	(Original) The method according to claim 15, further comprising:
	communicating the second vulnerability data to a code healer engine that is coupled to a code pattern database that includes records that relate vulnerable code patterns with replacement code patterns, wherein for each code section in the second vulnerability data, the code healer engine is configured to:
determining whether a vulnerable code pattern associated with the code section exists in the code pattern database;
generating a commented version of the code section;
generating replacement code based on the replacement code pattern in the code pattern database; and
communicating the commented version of the code section and the replacement code to a developer terminal.

20.	(Previously Presented) The method according to claim 19, further comprising:
receiving feedback from the developer terminal associated with the replacement code, the feedback defining different replacement code for replacing the code section; 
communicating the feedback to the code healer engine, wherein the code healer engine is configured to: 
generate a code pattern of a plurality of code patterns associated with the different replacement code; and
add a record to the code pattern database that relates the code pattern associated with the different replacement code with the code section being replaced,
wherein the code healer engine includes a natural language processor configured to convert the different replacement code to the code pattern associated with the different replacement code.
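
A minimal sketch of the false-positive filtering recited in claims 1 and 4, added here as an illustration; it is not code from the application or from this Office Action. A plain lexical tokenizer stands in for the claimed tokenization and part-of-speech tagging, a keyword check stands in for the natural language processor, and every name and sample record below is hypothetical.

```python
import re
from dataclasses import dataclass

# Lexical tokens: string literals, numbers, identifiers, single punctuation marks.
TOKEN_RE = re.compile(r'''("(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|\d+(?:\.\d+)?|[A-Za-z_]\w*|\S)''')

def to_pattern(code: str) -> str:
    """Parametrize a flagged line: literals become the wildcard '*'.
    Identifiers are kept, so a suppression cannot silently cover another variable."""
    toks = TOKEN_RE.findall(code)
    return " ".join("*" if t[0] in "\"'" or t[0].isdigit() else t for t in toks)

@dataclass(frozen=True)
class FPRecord:            # one false positives database record
    category: str          # vulnerability category
    pattern: str           # parametrized code pattern
    comment: str           # analyst feedback in natural language

@dataclass(frozen=True)
class Finding:             # one entry of the initial vulnerability data
    file: str
    line: int
    category: str
    code: str

def indicates_false_positive(comment: str) -> bool:
    """Keyword stand-in for the NLP step: does the feedback mark a false positive?"""
    text = comment.lower()
    if re.search(r"\bnot\s+(?:a\s+)?false\s+positive\b", text):
        return False
    return re.search(r"\bfalse\s+positive\b", text) is not None

def filter_findings(findings, fp_db):
    """Split initial data into (second vulnerability data, removed false positives)."""
    index = {(r.category, r.pattern) for r in fp_db if indicates_false_positive(r.comment)}
    kept, removed = [], []
    for f in findings:
        (removed if (f.category, to_pattern(f.code)) in index else kept).append(f)
    return kept, removed

def report(findings):
    return [f"{f.file}:{f.line} [{f.category}] {f.code}" for f in findings]

# Constructed sample data (not taken from the application).
FP_DB = [
    FPRecord("logging of sensitive information",
             to_pattern('logger.info("user id: " + user_id)'),
             "False positive: user_id is an opaque internal key."),
    FPRecord("weak credentials", to_pattern('password = "changeme"'),
             "Confirmed issue, not a false positive: default password shipped."),
]
FINDINGS = [
    Finding("app/audit.py", 41, "logging of sensitive information",
            'logger.info("uid=" + user_id)'),
    Finding("app/auth.py", 17, "logging of sensitive information",
            'logger.info("login with " + password)'),
    Finding("app/config.py", 3, "weak credentials", 'password = "admin123"'),
]

if __name__ == "__main__":
    kept, removed = filter_findings(FINDINGS, FP_DB)
    print("\n".join(report(kept)))
```

Only the `user_id` log line is suppressed. The `password` log line has a different identifier in its pattern, and the hard-coded credential matches a record whose analyst comment confirms the issue, so both remain in the report.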
	
Examiner’s Statement of Reasons for Allowance

Claims 1, 4-8, 11-15, and 18-20 are allowed. 
The following is an examiner’s statement of reasons for allowance. 
The invention is directed to methods, systems, and a non-transitory computer storage medium that includes instruction code that facilitates determining a vulnerability of source code. The system includes a processor and non-transitory computer readable media that includes instruction code that causes the processor to receive source code and a selection of one or more code analyzers for detecting vulnerability issues in the source code. The processor executes the one or more code analyzers to generate initial vulnerability data. The initial vulnerability data specifies one or more vulnerable code sections in the source code. The processor communicates the initial vulnerability data to a vulnerability analyzing engine. The vulnerability analyzing engine is configured to identify one or more code sections of the one or more code sections of the initial vulnerability data that correspond to false positives. The vulnerability analyzing engine removes the one or more code sections that correspond to false positives from the initial vulnerability data to generate second vulnerability data, and generates a report that specifies the second vulnerability data.
The closest prior art include Woulfe et al., (“Woulfe,” US 20180275970, filed Mar. 24, 2017), Aravkin et al. (“Aravkin,” US 20180046934, filed Aug. 9, 2016), Triou Jr. et al. (“Triou, JR.” US 20050257086, published Nov. 17, 2005), Balasubramanian (“Balasubramanian,” US 201000050154, published Feb. 25, 2010), are also generally 
However, none of Woulfe, Aravkin, Triou, JR., Balasubramanian, alone or in combination, teaches the particular combination of steps or elements as recited in the independent claims 1, 8, and 15. For example, these references fail to teach all limitations recited in claims 1, 8 and 15 as a whole, especially “A system for determining a vulnerability of source code, the system comprising: a processor; and non-transitory computer readable media that includes instruction code that causes the processor to: receive source code and a selection of one or more code analyzers for detecting vulnerability issues in the source code; execute the one or more code analyzers to generate initial vulnerability data, the initial vulnerability data specifying one or more vulnerable code sections in the source code; communicate the initial vulnerability data to a vulnerability analyzing engine, the vulnerability analyzing engine being configured to identify one or more code sections of the one or more code sections of the initial vulnerability data that correspond to false positives by utilizing tokenization and part-of-speech tagging to preprocess the identified code sections and classifying texts in the preprocessed code sections to extract code patterns associated with the identified code sections, wherein the code patterns include wildcards and correspond to parametrized versions of vulnerable code sections; execute the vulnerability analyzing engine to locate records associated with the code patterns from a false positives database, the records including a category section, a code pattern section, and a comment field section, wherein the category section represents a vulnerability category including weak credentials, logging of sensitive information, and cross-site scripting, wherein the code pattern section represents different code patterns

These features in light of other features described in the independent claims 1, 8 and 15 are allowable over the prior art of record. 

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”





Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to EDWARD LONG whose telephone number is (571)272-8961.  The examiner can normally be reached on Monday to Friday, 9 AM - 6 PM EST (Alternate Fridays).
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571) 270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 


/EDWARD LONG/
Examiner, Art Unit 2439   

/LUU T PHAM/
Supervisory Patent Examiner, Art Unit 2439