Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The present Office Action is responsive to communications received 4/22/2020. Claims 1-8 are pending.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 4/22/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Allowed Claims
Claims 1-8 are allowed.

Reasons for Allowance
The reasons for allowance are as follows.
The closest prior art of record is:
Fournet et al. 20050055565 additionally discloses identifying software components (applets, plug-ins ...), some of unknown origin, and generating a graph whose nodes are pieces of code and whose edges are the relations between nodes.
Fournet fails to teach searching a database to identify the source of components, building a graph with nodes representing the source and vulnerability of components, or determining the probability of occurrence of one or more paths of vulnerability using the graph.
Bettini et al. 20130347094 discloses analyzing applications for mobile devices, metadata associated with applications: version, author, app id, package name, 
“constructing a cyber-physical graph of a software supply chain for the software application, the cyber-physical graph comprising nodes representing the source and vulnerability of each software component of the software application and edges representing the relationships between the nodes; running one or more graph-processing algorithms on the cyber-physical graph to determine one or more paths of vulnerability in the software supply chain and a probability of occurrence for each path; and generating a cybersecurity score for the software application based on the vulnerabilities in the software supply chain”, as recited in claim 5.
The prior art of record subsequently fails to teach at least that limitation in independent claim 1; therefore claims 1 and 5 are found allowable. Claims 2-4 and 6-8, dependent respectively from claims 1 and 5, are also allowable.

Other prior art of record discloses analyzing software components to detect vulnerabilities and building a flow graph of the relationships between components: Schloegel et al. 20110126288; Siman 20100083240; Johnson et al. 7603714.
Mahaffey et al. 20150163121 more generally discloses monitoring device components, applications (signer, origin, contents components and source), and modelling normal behaviors.
Guntur 10277629 discloses determining a set of software vulnerabilities based on signatures, determining the source of software components, and calculating a likelihood of an attack traversing from an origin honeypot machine to a destination honeypot machine.
Choi et al. 20150058993 discloses analyzing vulnerabilities of network nodes that may be software components, identifying likely network attack paths, the dependencies between vulnerabilities of nodes, and the likelihood of nodes being targeted by attackers.
Borohovski et al. 20150172307 discloses a database of known security vulnerabilities, variants and versions of software components.
Shim et al. 20140082729 discloses analyzing an application, checking a database of blacklisted or whitelisted publishers and information on malicious package names and malicious code, and calculating a risk score.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CATHERINE B THIAW whose telephone number is (571)270-1138.  The examiner can normally be reached on Monday-Friday 7am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, CARL G COLIN can be reached on 571-272-3862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/Catherine Thiaw/
Primary Examiner, Art Unit 2493
8/13/2021