DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
	This Office Action is responsive to application 16/839,541 that the Applicant filed on April 3, 2020 and presented 20 claims.  Original claims 1-20 remain pending in the application. 

Drawings
The drawings are objected to as failing to comply with 37 CFR 1.84(p)(5) because they include the following reference character(s) not mentioned in the description: 226 (Fig. 2), 230 (Fig. 2), and 804 (Fig. 8).  Corrected drawing sheets in compliance with 37 CFR 1.121(d), or amendment to the specification to add the reference character(s) in the description in compliance with 37 CFR 1.121(b) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.

Claim Objections
Claim 18 is objected to because of the following informalities:  “to the F of the user” appears to have a typographic error.  Appropriate correction is required.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claim 17, and thus dependent claims 18-20, are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  The claims do not fall within at least one of the four categories of patent eligible subject matter because claim 17 claims “[a] computer program product, comprising a computer usable medium…,” which can comprise a transitory signal.  Although the specification states, “Computer storage media for purposes of this disclosure are not signals per se …,” see US PG-PUB 2020/0320194 ¶ [0116] (emphasis added), the recited computer program product and computer usable medium may employ or comprise a storage medium that consists of signals per se.  Thus, the broadest reasonable interpretation of claims 17-20 results in the claims encompassing non-statutory subject matter.  The rejection may be overcome by claiming “A non-transitory computer program product.”




Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 4 and 14 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.  Claims 4 and 14 include the limitation “a user name,” which is presumably different than the “user identifier (ID)” recited earlier in independent claims 1 and 9.  However, the specification states, “Instead, the user provides the user name 310 (user id) indicating…,” see US PG-PUB 2020/0320194 ¶ [0059], thus indicating the user name and user ID are synonymous.  Additionally, claims 4 and 14 recite “a directory,” while claims 1 and 9 recite “a target directory.”  Accordingly, the claims are indefinite for it’s not clear as to how a user name and a user ID are different, and it’s not clear if there’s a difference between the target directory and “a directory.”  This rejection may be overcome by amending claims 4 and 14 to recite “the user ID” and “the target directory,” or alternatively by presenting an argument, with appropriate support from the specification, which illustrates that “a user name” and “a directory” are distinguishable from “the user ID” and “the target directory,” respectively. 


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

(NOTE: within the Examiner’s parenthetical explanations below, material within quotation marks is language quoted from the prior art reference, underlined material is language quoted from the claims, and material within brackets is material altered from either a prior art reference or a claim.  Regarding the reconstruction of the claims, a numbered footnote indicates a primary phrase to be first moved upwards to the first cited reference, while a lettered footnote indicates a secondary phrase to be moved after the movement of the primary phrase from which it was lifted.  Or more succinctly, move numbered material first, lettered material last.)
A.	Claims 1-4, 6-7, 9-14, and 16-18, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Sharma et al. (US 2016/0180096, “Sharma”) in view of Hufsmith (US 2020/0097662, “Hufsmith”), and further in view of Archer et al. (US 2014/0208431, “Archer”).
Regarding Claim 1
Sharma discloses
A system for code security scanning with minimal user interface (Fig. 5, ¶ [0079], “As depicted, the environment includes a Static Analysis Security Testing (SAST) tool or agent 506 that, as is well-known and as described above (e.g., FIG. 4), is used to scan source code to identify potential security vulnerabilities, and that provides developers with assistance to triage and fix those identified vulnerabilities,” noting minimal user interface is afforded no patentable weight since it occurs in the preamble and merely states an objective, and not a structural limitation, of the claimed scanning system.  See MPEP § 2111.02(I) – Preamble Statements Limiting Structure), the system comprising: 
a memory (Fig. 2, ¶¶ [0029], “memory 206”); 
at least one processor (Fig. 2, ¶¶ [0027]-[0028], “processor unit 204”) communicatively coupled to the memory (Fig. 2, ¶ [0020], via “communications fabric 202”); 
a user interface device…1 (¶ [00031], “input/output unit 212”) associated with selected source code (¶¶ [0078]-[0079], i.e., the “development team 500” select[s] the source code to be scanned within an “abstract program representation (APR);” see also Hufsmith ¶ [0073] that more directly discloses source code that is analyzed via a static analysis scanner); 
a scan initiation component (¶¶ [0080]-[0082], i.e., the  “The generator tool [514 that acts as a scan initiation component], as will be described below, is the mechanism that automatically generates abstract program representations (APRs, each an APR 516) with respect to the source code component 502 of the application 504;” and  “In a preferred approach, an ARSA [Archive for Security Analysis] file for an APR is created by serializing the APR into a compact binary file format container that preferably contains only the data necessary for static application security analysis;” and ¶ [0103], “This enables the ARSA file to be sent for security scanning whenever needed;” and a scan initiation component), implemented on the at least one processor (Fig. 2, ¶ [0026], “With reference now to FIG. 2, a block diagram of an exemplary data processing system is shown in which aspects of the illustrative embodiments may be implemented.”), 
that uploads the selected source code (¶¶ [0078]-[0079]) to a target directory (¶¶ [0098]-[0099], “FIG. 7 illustrates an example set of build artifacts located in [target] directory “C:\myApp” and created by the build system for a particular source code component.”) via a network (Fig. 5, i.e., the network as generally illustrated within the figure) on condition a user (¶¶ [0078]-[0079], “development team 500”) initiates security scanning of the selected source code…2 (¶ [0079], “As depicted, the environment includes a Static Analysis Security Testing (SAST) tool or agent 506 that, as is well-known and as described above (e.g., FIG. 4), is used to scan source code to identify potential security vulnerabilities, and that provides developers with assistance to triage and fix those identified vulnerabilities,” i.e., for the source code to be scanned, it must necessarily be initiate[d], with such initiation occurring by a user within the “development team 500”), 
the selected source code including a user identifier (ID) appended to the selected source code (Fig. 7, ¶¶ [0096]-[0099], “The following provides a more concrete example. In this embodiment, the APR is generated from the source code component by analyzing build artifacts (e.g., such as a Maven pom.xml file, an Ant build.xml file, or the like) to extract preferably the following information: the paths to the build outputs (e.g. *.jar, *.war, etc.), the path(s) to the source code directories,…,” i.e., the Project Object Model (“pom”) file provides the user identifier (e.g., the name within the tag <groupid>), and the pom.xml file via the use of tags serves to append the user identification to the source code as artifacts that are subject to the scanning);
3 …and submits the selected source code to a security scan component (Fig. 5, ¶ [0079], “As depicted, the environment includes a Static Analysis Security Testing (SAST) tool or agent 506 that [serves as a security scan component], as is well-known and as described above (e.g., FIG. 4), is used to scan source code to identify potential security vulnerabilities, and that provides developers with assistance to triage and fix those identified vulnerabilities.”) associated with a remote computing device via a network (Fig. 5, ¶ [0079], “The static analysis tool 506 operates either on-premises, or in a cloud-based platform 508” that is a remote computing device that receives the source code (or source code as artifacts) via the illustrated network); and 
4 ….
Sharma doesn’t disclose
	1 …outputting a single-command menu option…;
	2 …by selecting the single-command menu option;
	3 a listener component, implemented on the at least one processor, periodically checks the target directory for unscanned code…
	4 a results component, implemented on the at least one processor, transmits a summary scan results report to the user associated with the selected source code.
Hufsmith, however, discloses
	3 a listener component (Fig. 1A, ¶¶ [0070]-[0073], “In some embodiments, the scan selector 46 [as a listener component] may receive the identified layer upon each call and select scanner application (or applications) 16 to scan various portions (or all) of the identified layer.”), implemented on the at least one processor (Sharma Fig. 2, ¶ [0026]), periodically checks the target directory (Sharma ¶¶ [0098]-[0099]) for unscanned code… (¶¶ [0077]-[0079], “By way of example, scan selector 46 may recursively [and thus periodically] traverse a directory [that is target[ed]] of a given layer until an executable file is detected. Embodiments may then select a scanner based upon a file extension of that executable file.”)
4 a results component (¶ [0068], “The scanning engine 12 may further include a schema translator 44, a scan selector 46, a layer of evaluator 50, a scan configurer 48, and a result engine 54 [that serves as a results component]”), implemented on the at least one processor (Fig. 2, ¶ [0026]), transmits a summary scan results report to the user associated with the selected source code (¶¶ [0095]-[0096], “In some embodiments, the result engine 54 [of scanning engine 12] is configured to output the results of one or more calculations [as a summary scan] or determinations about container images or distributed applications, for instance, storing them in memory, causing the results to be presented to a user, for instance, in a user interface, like a dashboard a report, logging results, for instance, an alarm log, or causing a message to be sent to a developers email address or text message address.”)
Archer, however, discloses
	1 …outputting a single-command menu option… (¶¶ [0022]-[0023], i.e., the GUI that includes a menu comprises a single-command menu option where a click of a menu executes a single command presented in the menu);
	2 …by selecting the single-command menu option (¶¶ [0022]-[0023], i.e., the mouse-click is used to select[] the single-command within the option[s] of the menu);

	Regarding the combination of Sharma-Hufsmith and Archer, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the scanning system of Sharma to have included the single-command menu option of Archer. One of ordinary skill in the art would have been motivated to incorporate the single-command menu option of Archer because Sharma discloses an “input/output (I/O) unit,” see Sharma ¶ [0027], and Archer teaches a menu option to accommodate “user requests through buttons, tabs, menus, mouse-clicks, and other interactive methods,” see Archer ¶ [0022], to implement the functionality of the I/O unit of Sharma. 

Regarding Claim 2
Sharma in view of Hufsmith, and further in view of Archer (“Sharma-Hufsmith-Archer”) discloses the system of claim 1, and Sharma further discloses
further comprising: an encryption component (¶ [0081], “Preferably, this obfuscation is accomplished with encryption and/or direct manipulation and translation of sensitive data into generic data that would be unhelpful to malicious users,” with the encryption achieved through an encryption component), implemented on the at least one processor (¶ [0026]), encrypts a security scan result prior to transmission to the user (¶ [0076], “For example, the static analysis module 408 can generate a security report [or result] 410 that indicates such paths as witnesses to security vulnerabilities. The security report 410 can be made to be available to a user in any suitable manner,” with the “suitable manner” involving encryption to conceal the report from “malicious users”).  
Regarding Claim 3
Sharma-Hufsmith-Archer discloses the system of claim 1, and Sharma further discloses 
1 …, 
wherein the user…2 (¶¶ [0078]-[0079]).
Archer further discloses
	1 wherein the single-command menu option further comprises a single click menu option associated with a graphical user interface (¶¶ [0022]-[0023], i.e., the graphical user interface that includes a menu comprises a single-command menu option where a click of a menu option represents a single click menu option),
	2 … performs a right mouse button click on a scan menu option associated with a graphical icon representing the selected source code (Sharma ¶¶ [0078]-[0079]) to initiate the security scanning of the selected source code (¶¶ [0022]-[0023], i.e., the use of a right mouse button click to initiate a desired, such as scanning, is obvious within the art).
	Regarding the combination of Sharma and Archer, the rationale to combine is the same as provided from claim 1 due to the overlapping subject matter between claims 1 and 3.
Regarding Claim 4
Sharma-Hufsmith-Archer discloses the system of claim 1, and Sharma further discloses 
wherein …1 comprising a JAVA client (¶ [0036], “Computer program code for carrying out operations of the present invention may be written in any combination of one or more programming languages, including an object-oriented programming language such as Java™,...,” with the use of JAVA creating a JAVA client) accepting a user name and a directory containing the selected source code (Fig. 7, ¶¶ [0096]-[0099]).
Archer further discloses
	1 …the single-command menu option (¶¶ [0022]-[0023]) further comprises a command-line utility… (Fig. 2, ¶ [0022], “The GUI 105 can have multiple windows for communication [that incorporates a command-line utility] to and from the user.”)
Regarding the combination of Sharma and Archer, the rationale to combine is the same as provided from claim 1 due to the overlapping subject matter between claims 1 and 4.
Regarding Claim 6
Sharma-Hufsmith-Archer discloses the system of claim 1, and Sharma further discloses 
further comprising: an extraction component (Fig. 7, ¶ [0099], i.e., the information within the XML tags are extracted by an extraction component), implemented on the at least one processor (Fig. 2, ¶¶ [0027]-[0028]), extracts the user ID (Fig. 7, ¶¶ [0096]-[0099], i.e., extracting the company name from the <groupid> tag) from the selected source code (¶¶ [0098]-[0099], i.e., the company name is separated or extract[ed] from the portion of the ARSA file that is scanned as the source code) and 
identifies the user associated with the source code based on the user ID (Fig. 7, ¶¶ [0079], i.e., the company name within the <groupid> tag as the user ID serves to identif[y] the user associated with the source code to report the scan results to the “development team 500”).  
Regarding Claim 7
Sharma-Hufsmith-Archer discloses the system of claim 1, and Hufsmith further discloses 
further comprising: an email address associated with the user ID (¶¶ [0095]-[0096], “In some embodiments, the result engine 54 [of scanning engine 12] is configured to output the results of one or more calculations [as a summary scan] or determinations about container images or distributed applications, for instance, storing them in memory, causing the results to be presented to a user, for instance, in a user interface, like a dashboard a report, logging results, for instance, an alarm log, or causing a message to be sent to a developers email address or text message address,” an email address associated with the user ID that relates to the <groupid> tag (Sharma Fig. 7)), 
wherein the summary scan results report (¶¶ [0095]-[0096]) is transmitted to the email address for review by the user (¶ [0096], “…causing a message to be sent to a developers email address” for their review).
Regarding the combination of Sharma and Hufsmith, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the scanning system of Sharma to have included the e-mail feature of Hufsmith. One of ordinary skill in the art would have been motivated to incorporate the e-mail feature of Hufsmith because Sharma teaches “[t]he security report 410 can be made to be available to a user in any suitable manner,” see Sharma ¶ [0076], and Hufsmith teaches the well-known use of an e-mail, see Hufsmith ¶ [0096], that comprises a “suitable manner.”
Regarding Independent Claim 9
Sharma discloses
A computer-implemented method for code security scanning (Fig. 5, ¶ [0079], “As depicted, the environment includes a Static Analysis Security Testing (SAST) tool or agent 506 that, as is well-known and as described above (e.g., FIG. 4), is used to scan source code to identify potential security vulnerabilities, and that provides developers with assistance to triage and fix those identified vulnerabilities.”), the computer-implemented method comprising: 
uploading, by a scan initiation component (¶¶ [0080]-[0082], i.e., the  “The generator tool [514 that acts as a scan initiation component], as will be described below, is the mechanism that automatically generates abstract program representations (APRs, each an APR 516) with respect to the source code component 502 of the application 504;” and  “In a preferred approach, an ARSA [Archive for Security Analysis] file for an APR is created by serializing the APR into a compact binary file format container that preferably contains only the data necessary for static application security analysis;” and ¶ [0103], “This enables the ARSA file to be sent [and thereby upload[ed]] for security scanning whenever needed;” and thus the “generator tool 514” acts as a scan initiation component), a selected source code (¶¶ [0078]-[0079], i.e., the “development team 500” select[s] the source code to be scanned within an “abstract program representation (APR);” see also Hufsmith ¶ [0073] that more directly discloses source code that is analyzed via a static analysis scanner) to a target directory (¶¶ [0098]-[0099], “FIG. 7 illustrates an example set of build artifacts located in [target] directory “C:\myApp” and created by the build system for a particular source code component.”) on condition a user (¶¶ [0078]-[0079], “development team 500”) initiates security scanning of the selected source code …1 (¶ [0079], “As depicted, the environment includes a Static Analysis Security Testing (SAST) tool or agent 506 that, as is well-known and as described above (e.g., FIG. 4), is used to scan source code to identify potential security vulnerabilities, and that provides developers with assistance to triage and fix those identified vulnerabilities,” i.e., for the source code to be scanned, it must necessarily be initiate[d], with such initiation occurring by a user within the “development team 500”), 
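the selected source code including a user identifier (ID) appended to the selected source code (Fig. 7, ¶¶ [0096]-[0099], “The following provides a more concrete example. In this embodiment, the APR is generated from the source code component by analyzing build artifacts (e.g., such as a Maven pom.xml file, an Ant build.xml file, or the like) to extract preferably the following information: the paths to the build outputs (e.g. *.jar, *.war, etc.), the path(s) to the source code directories,…,” i.e., the Project Object Model (“pom”) file provides the user identifier (e.g., the name within the tag <groupid>), and the pom.xml file via the use of tags serves to append the user identification to the source code as artifacts that are subject to the scanning); 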
transferring, …2 , the selected source code from the target directory to a security scan component (Fig. 5, ¶ [0079], “As depicted, the environment includes a Static Analysis Security Testing (SAST) tool or agent 506 that [serves as a security scan component], as is well-known and as described above (e.g., FIG. 4), is used to scan source code to identify potential security vulnerabilities, and that provides developers with assistance to triage and fix those identified vulnerabilities;” and Fig. 5, ¶ [0079], “The static analysis tool 506 operates either on-premises, or in a cloud-based platform 508” that receives the source code (or source code as artifacts) when it is transferr[ed] via the illustrated network) …3; and 
4 ….
Sharma doesn’t disclose
	1 … by selecting a single-command menu option,...
	2 …,by a listener component,…
	3 … in response to detecting a presence of the selected source code in the target directory,
	4 transmitting, by a results component, a summary scan results report to the user associated with the selected source code via an email account associated with the user on condition the security scanning of the selected source code is complete.
Hufsmith, however, discloses
	2 …,by a listener component,… (Fig. 1A, ¶¶ [0070]-[0073], “In some embodiments, the scan selector 46 [as a listener component] may receive the identified layer upon each call and select scanner application (or applications) 16 to scan various portions (or all) of the identified layer.”)
	3 … in response to detecting a presence of the selected source code in the target directory (¶¶ [0077]-[0079], “By way of example, scan selector 46 may recursively traverse a directory [that is target[ed]] of a given layer until an executable file is detect[ed]. Embodiments may then select a scanner based upon a file extension of that executable file.”),
	4 transmitting, by a results component (¶ [0068], “The scanning engine 12 may further include a schema translator 44, a scan selector 46, a layer of evaluator 50, a scan configurer 48, and a result engine 54 [that serves as a results component]”), a summary scan results report to the user associated with the selected source code via an email account associated with the user on condition the security scanning of the selected source code is complete (¶¶ [0095]-[0096], “In some embodiments, the result engine 54 [of scanning engine 12] is configured to output the results [within a report] of one or more calculations [as a summary scan] or determinations about container images or distributed applications, for instance, storing them in memory, causing the results to be presented to a user, for instance, in a user interface, like a dashboard a report, logging results, for instance, an alarm log, or causing a message to be sent to a developers email address [or account] or text message address,” further noting a “result” implies the complet[ion] of a scan).
Archer, however, discloses
	1 … by selecting a single-command menu option,… (¶¶ [0022]-[0023], the GUI that includes a menu comprises a single-command menu option where a click of a menu executes a single command presented in the menu, and the mouse-click is used to select[] the single-command within the option[s] of the menu),
	Regarding the combination of Sharma and Hufsmith, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the scanning system of Sharma to have included the scanning feature of Hufsmith. One of ordinary skill in the art would have been motivated to incorporate the scanning feature of Hufsmith because Hufsmith discusses the problem of “development teams [] constantly updating/creating microservices in containers and deploying them to production multiple times a day,” see Hufsmith ¶ [0158], and the scanning feature employed within the system of Hufsmith (with its recursive ability) “[can be] expected to increase vulnerability awareness earlier in the workflow for container development, increase awareness of vulnerabilities in a more real time manner, increase collaboration between dev and sec ops teams, and provide a reliable mechanism that continuously updates and reports the latest information on vulnerabilities.”  See Hufsmith ¶ [0160].
	Regarding the combination of Sharma-Hufsmith and Archer, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed 
Regarding Claim 13
Sharma-Hufsmith-Archer discloses the computer-implemented method of claim 9
further comprising: …1.
a initiating a security scan (¶ [0079], “As depicted, the environment includes a Static Analysis Security Testing (SAST) tool or agent 506 that, as is well-known and as described above (e.g., FIG. 4), is used to scan source code to identify potential security vulnerabilities, and that provides developers with assistance to triage and fix those identified vulnerabilities,” i.e., for the source code to be scanned, it must necessarily be initiate[d], with such initiation occurring by a user within the “development team 500”) on the selected source code… (¶¶ [0078]-[0079])
Archer further discloses
	1 presenting a right mouse button menu option for …a via a single activation of a mouse button (¶¶ [0022]-[0023], “The GUI 105 can allow user requests through buttons, tabs, menus, mouse-clicks, and other user interactive methods,” noting Archer doesn’t explicitly disclose “a right mouse button menu option” and “a single activation of a mouse button,” but these limitations are routinely used in computing and would be  
Regarding Independent Claim 17
Sharma discloses
A computer program product (¶ [125], “The computer program product may be a product having program instructions (or program code) to implement one or more of the described functions”), comprising a computer usable medium (¶ [0125], “Those instructions or code may be stored in a computer readable storage medium”) having a computer readable program code embodied therein (¶ [0125]), 
the computer readable program code adapted to be executed (¶ [0126], “In a representative embodiment, the techniques are implemented in a special purpose computing platform, preferably in software executed by one or more processors.”) to implement a method for code security scanning (Fig. 5, ¶ [0079], “As depicted, the environment includes a Static Analysis Security Testing (SAST) tool or agent 506 that, as is well-known and as described above (e.g., FIG. 4), is used to scan source code to identify potential security vulnerabilities, and that provides developers with assistance to triage and fix those identified vulnerabilities.”), the method comprising: 
1…; 
a … initiating a security scan (¶ [0079], “As depicted, the environment includes a Static Analysis Security Testing (SAST) tool or agent 506 that, as is well-known and as described above (e.g., FIG. 4), is used to scan source code to identify potential security vulnerabilities, and that provides developers with assistance to triage and fix those identified vulnerabilities,” i.e., for the source code to be scanned, it must necessarily be initiate[d], with such initiation occurring by a user within the “development team 500”) on a selected source code… (¶¶ [0078]-[0079], i.e., the “development team 500” select[s] the source code to be scanned within an “abstract program representation (APR);” see also Hufsmith ¶ [0073] that more directly discloses source code that is analyzed via a static analysis scanner)
uploading, by a scan initiation component (¶¶ [0080]-[0082], i.e., the  “The generator tool [514 that acts as a scan initiation component], as will be described below, is the mechanism that automatically generates abstract program representations (APRs, each an APR 516) with respect to the source code component 502 of the application 504;” and  “In a preferred approach, an ARSA [Archive for Security Analysis] file for an APR is created by serializing the APR into a compact binary file format container that preferably contains only the data necessary for static application security analysis;” and ¶ [0103], “This enables the ARSA file to be sent [and thereby upload[ed]] for security scanning whenever needed;” and thus the “generator tool 514” acts as a scan initiation component), the selected source code to a target directory on condition a user initiates security scanning of the selected source code…2 (¶ [0079], “As depicted, the environment includes a Static Analysis Security Testing (SAST) tool or agent 506 that, as is well-known and as described above (e.g., FIG. 4), is used to scan source code to identify potential security vulnerabilities, and that provides developers with assistance to triage and fix those identified vulnerabilities,” i.e., for the source code to be scanned, it must necessarily be initiate[d], with such initiation occurring by a user within the “development team 500”), 
the selected source code including a user identifier (ID) appended to the selected source code (Fig. 7, ¶¶ [0096]-[0099], “The following provides a more concrete example. In this embodiment, the APR is generated from the source code component by analyzing build artifacts (e.g., such as a Maven pom.xml file, an Ant build.xml file, or the like) to extract preferably the following information: the paths to the build outputs (e.g. *.jar, *.war, etc.), the path(s) to the source code directories,…,” i.e., the Project Object Model (“pom”) file provides the user identifier (e.g., the name within the tag <groupid>), and the pom.xml file via the use of tags serves to append the user identification to the source code as artifacts that are subject to the scanning); 
transferring, … 3, the selected source code from the target directory to a security scan component (Fig. 5, ¶ [0079], “As depicted, the environment includes a Static Analysis Security Testing (SAST) tool or agent 506 that [serves as a security scan component], as is well-known and as described above (e.g., FIG. 4), is used to scan source code to identify potential security vulnerabilities, and that provides developers with assistance to triage and fix those identified vulnerabilities;” and Fig. 5, ¶ [0079], “The static analysis tool 506 operates either on-premises, or in a cloud-based platform 508” that receives the source code (or source code as artifacts) when it is transferr[ed] via the illustrated network) …4; and 
…5.
Sharma doesn’t disclose
	1 outputting a right mouse button menu option for …a via a single activation of a mouse button;
	2 by clicking on a menu option associated with a mouse button,
3 …, by a listener component, ...
	4 … in response to detecting a presence of the selected source code in the target directory;
	5 transmitting, by a results component, a summary scan results report to the user associated with the selected source code via an email account associated with the user on condition the security scanning of the selected source code is complete.
Hufsmith, however, discloses
3 …, by a listener component, ... (Fig. 1A, ¶¶ [0070]-[0073], “In some embodiments, the scan selector 46 [as a listener component] may receive the identified layer upon each call and select scanner application (or applications) 16 to scan various portions (or all) of the identified layer.”)
	4 … in response to detecting a presence of the selected source code in the target directory (¶¶ [0077]-[0079], “By way of example, scan selector 46 may recursively traverse a directory [that is target[ed]] of a given layer until an executable file is detect[ed]. Embodiments may then select a scanner based upon a file extension of that executable file.”);
	5 transmitting, by a results component (¶ [0068], “The scanning engine 12 may further include a schema translator 44, a scan selector 46, a layer of evaluator 50, a scan configurer 48, and a result engine 54 [that serves as a results component]”), a summary scan results report to the user associated with the selected source code via an email account associated with the user on condition the security scanning of the selected source code is complete (¶¶ [0095]-[0096], “In some embodiments, the result engine 54 [of scanning engine 12] is configured to output the results [within a report] of one or more calculations [as a summary scan] or determinations about container images or distributed applications, for instance, storing them in memory, causing the results to be presented to a user, for instance, in a user interface, like a dashboard a report, logging results, for instance, an alarm log, or causing a message to be sent to a developers email address [or account] or text message address,” further noting a “result” implies the complet[ion] of a scan).
Archer, however, discloses
1 outputting a right mouse button menu option for …a via a single activation of a mouse button (¶¶ [0022]-[0023], “The GUI 105 can allow user requests through buttons, tabs, menus, mouse-clicks, and other user interactive methods,” noting Archer doesn’t explicitly disclose “a right mouse button menu option” and “a single activation of a mouse button,” but these limitations are routinely used in computing and would be obvious to one skilled in the art.  See MPEP § 2141(III), stating “Prior art is not limited just to the references being applied, but includes the understanding of one of ordinary skill in the art. The prior art reference (or references when combined) need not teach or suggest all the claim limitations, however, Office personnel must explain why the difference(s) between the prior art and the claimed invention would have been obvious to one of ordinary skill in the art.”);
	2 … by clicking on a menu option associated with a mouse button (¶¶ [0022]-[0023], “The GUI 105 can allow user requests through buttons, tabs, menus, mouse-clicks, and other user interactive methods.”),
Regarding the combination of Sharma and Hufsmith, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the scanning system of Sharma to have included the scanning feature of Hufsmith. One of ordinary skill in the art would have been motivated to incorporate the scanning feature of Hufsmith because Hufsmith discusses the problem of “development teams [] constantly updating/creating microservices in containers and deploying them to production multiple times a day,” see Hufsmith ¶ [0158], and the scanning feature employed within the system of Hufsmith (with its recursive ability) “[can be] expected to increase vulnerability awareness earlier in the workflow for container development, increase awareness of vulnerabilities in a more real time manner, increase collaboration between dev and sec ops teams, and provide a reliable mechanism that continuously updates and reports the latest information on vulnerabilities.”  See Hufsmith ¶ [0160].
	Regarding the combination of Sharma-Hufsmith and Archer, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the scanning system of Sharma to have included the single-command menu option of Archer. One of ordinary skill in the art would have been motivated to incorporate the single-command menu option of Archer because Sharma discloses an “input/output (I/O) unit,” see Sharma ¶ [0027], and Archer teaches a menu option to accommodate “user requests through buttons, tabs, menus, mouse-clicks, and 
Regarding Dependent Claims 10 and 18
With respect to dependent claims 10 and 18, a corresponding reasoning as given earlier for dependent claim 2 applies, mutatis mutandis, to the subject matter of claims 10 and 18. Therefore, claims 10 and 18 are rejected, for similar reasons, under the grounds set forth for claim 2. 
Regarding Dependent Claim 11
With respect to dependent claim 11, a corresponding reasoning as given earlier for dependent claim 3 applies, mutatis mutandis, to the subject matter of claim 11. Therefore, claim 11 is rejected, for similar reasons, under the grounds set forth for claim 3. 
Regarding Dependent Claim 12
With respect to dependent claim 12, a corresponding reasoning as given earlier for dependent claim 6 applies, mutatis mutandis, to the subject matter of claim 12. Therefore, claim 12 is rejected, for similar reasons, under the grounds set forth for claim 6.
Regarding Dependent Claim 14
With respect to dependent claim 14, a corresponding reasoning as given earlier for dependent claim 4 applies, mutatis mutandis, to the subject matter of claim 14. Therefore, claim 14 is rejected, for similar reasons, under the grounds set forth for claim 4.

Regarding Dependent Claims 16 and 20
With respect to dependent claims 16 and 20, a corresponding reasoning as given earlier for dependent claim 7 applies, mutatis mutandis, to the subject matter of claims 16 and 20. Therefore, claims 16 and 20 are rejected, for similar reasons, under the grounds set forth for claim 7.	
B.	Claims 5, 8, 15, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Sharma in view of Hufsmith and Archer, and further in view of Sawhney et al. (US 2018/0121659, “Sawhney”).
Regarding Claim 5
Sharma-Hufsmith-Archer discloses the system of claim 1, and Sharma further discloses 
wherein …1 further comprises a web interface (¶¶ [0038]-[0039], “With this approach, an application instance can be hosted and made available from Internet-based resources that are accessible through a conventional Web browser [acting as a web interface] over HTTP.”) configured to enable upload of … 2 containing the selected source code to…3 (Fig. 5, ¶¶ [0078]-[0079], i.e., members of the “development team 500” use the single-command menu option (of Archer) that is contained within a web interface to upload the selected source code to the “static analysis tool 506” that “operates … in a cloud-based platform 508.”) associated with the security scan component (Fig. 5, ¶ [0079]),
wherein the web interface (¶¶ [0038]-[0039]) accepts a web service call (¶¶ [0038]-[0039], “…in which client machines communicate [by executing a web service call] with an Internet-accessible Web-based portal executing on a set of one or more machines.”) to copy the selected source code (Fig. 5, ¶¶ [0078]-[0079]) into the scan queue (Hufsmith ¶ [0070], i.e., the request of the “development team 500” is completed by copy[ing] the source code into the scan queue so that a static analysis/scan can be completed). 
Archer further discloses
	1 …the single-command menu option… (¶¶ [0022]-[0023])
Hufsmith further discloses
3 …to a scan queue… (¶ [0070], i.e., the various layers, such as the “base layer” or the “top layer” are scanned at different times and a scan queue is formed based upon one layer being scanned before the other layer) 
Sharma-Hufsmith-Archer doesn’t disclose
	2 …a zip file …
Sawhney, however, discloses
	2 … a zip file…(¶¶ [0018]-[0019], “The binary image form could be wrapped in any packing format, such as zip, tar, self-archiving, Docker® image file…”)
Regarding the combination of Sharma and Hufsmith, the rationale to combine is the same as provided for claim 1 due to the overlapping subject matter between claims 1 and 5.
Regarding the combination of Sharma-Hufsmith and Archer, the rationale to combine is the same as provided for claim 1 due to the overlapping subject matter between claims 1 and 5.
Regarding the combination of Sharma-Hufsmith-Archer and Sawhney, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the scanning system of Sharma-Hufsmith-Archer 
Regarding Claim 8
Sharma-Hufsmith-Archer discloses the system of claim 1, and Sharma further discloses 
wherein the selected source code is…1 (Fig. 5, ¶¶ [0078]-[0079]) containing a set of files or at least one folder (¶¶ [0108]-[0110], “The above-described steps are applied to each ARSA file to be combined. It ensures that the same analysis result will occur (for the whole-application analysis) regardless of the loading order of the ARSA files,” i.e., the ARSA files can be uploaded via the zip file as disclosed by Sawhney).  
Sawhney further discloses
1 …a zip file… (¶¶ [0018]-[0019], “The binary image form could be wrapped in any packing format, such as zip, tar, self-archiving, Docker® image file…”)
Regarding the combination of Sharma and Sawhney, the rationale to combine is the same as provided for claim 5 due to the overlapping subject matter between claims 5 and 8.
Regarding Dependent Claim 15
With respect to dependent claim 15, a corresponding reasoning as given earlier for dependent claim 5 applies, mutatis mutandis, to the subject matter of claim 15. Therefore, claim 15 is rejected, for similar reasons, under the grounds set forth for claim 5.
Regarding Dependent Claim 19
With respect to dependent claim 19, a corresponding reasoning as given earlier for dependent claim 8 applies, mutatis mutandis, to the subject matter of claim 19. Therefore, claim 19 is rejected, for similar reasons, under the grounds set forth for claim 8.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to D'ARCY WINSTON STRAUB whose telephone number is (303)297-4405.  The examiner can normally be reached on Monday-Friday 9:00-5:00 Mountain Time.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ASHOKKUMAR B PATEL can be reached on (571)272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  



/D'Arcy Winston Straub/Examiner, Art Unit 2491

/ASHOKKUMAR B PATEL/Supervisory Patent Examiner, Art Unit 2491