DETAILED ACTION
This Office Action is in response to the original application filed on 04/02/2018.
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
3.	Claims 1-20 are pending.

Claim Interpretation
Claim 1 is a method claim, comprising of three steps: "obtaining, with one or more processors, a software asset [...]", "calling, with one or more processors, an audit smart contract with a request [...]", and “receiving, with one or more processors, a response from the audit smart contract [...]".

It is noted a significant portion of the language in claim 1, and its dependents, is directed to what an “audit smart contract” is “configured to” do.  That is, the language is a recitation of function attempting to limit the structure of an “audit smart contract”.  However, it is noted that the “audit smart contract” is not part of claim 1.  Claim 1 is a method claim.  Nor is the “audit smart contract” an entity performing any of the steps of claim 1.  The “audit smart contract” is merely a target object of two of the method steps, one step where the “smart contract” is “call[ed]” with a request (i.e., the method step is sending a request to the “audit smart contract”), and one step where the request’s reply is received from the audit smart contract.  Thus, the vast majority of the language directed to limiting the structure of the audit smart contract does not affect the scope of any of the steps of the method.  That is, what the smart contract is or is not configured to do has no effect on what is or is not required by “calling” or “receiving” communications with the smart contract, which would be dictated by the communication interface or protocol.  Independent claim 17 is subject to the same interpretation because it is a Beauregard-style claim comprising instructions which, when executed, effectuate the method.
	Thus, for purposes of further examination and to expedite prosecution, the examiner will consider these claims to be a hybrid claim that incorporate both a method and the smart contract.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(d):
(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

The following is a quotation of pre-AIA  35 U.S.C. 112, fourth paragraph:
Subject to the following paragraph [i.e., the fifth paragraph of pre-AIA  35 U.S.C. 112], a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

4.	Claims 4-5, 12-13, 15-16 are rejected under 35 U.S.C. 112(d) or pre-AIA  35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends.
Claim 1 is a method claim, comprising of three steps: "obtaining, with one or more processors, a software asset [...]", "calling, with one or more processors, an audit smart contract with a request [...]", and “receiving, with one or more processors, a response from the audit smart contract [...]".
In order to comply with the requirements of 35 U.S.C. 112(d) or pre-AIA  35 U.S.C. 112, 4th paragraph, the dependent claims should further limit the subject matter of their parent claim. However, these dependent claims fail to further limit any of these limitations and therefore fails to further limit the method from which the claims depend.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences 

5.	Claims 1-9, 11-12, 16-20 are rejected under 35U.S.C 103 as being unpatentable over Anderson et al (US Patent 8,677,315), in view of Stanley et al (US 20150379510),  and further in view of Stahlberg et al (US Patent 8863085), hereinafter Stahlberg. 

	Regarding claims 1 and 17:
	Anderson discloses obtaining, with one or more processors, a software asset subject to an audit requirement; a request to indicate whether the audit requirement has been satisfied the promotion configurations can define requirements or instructions for passing to the next stage (e.g. build to an application, deploy to a first environment, promote from Alpha to Development stage or the like). The continuous deployment system can allow users to set up automated test workflows to verify and approve the changes at each stage. Then the promotion configuration moves the latest approved changes to the next stage in the pipeline (Anderson, column 2, [lines 49-57]).
	Access a trust record published in a blockchain to determine whether the audit requirement has been satisfied, the trust record is caused to be published to the blockchain by an auditing entity that performed the audit the approval workflow can include automated tests for the environment revision. For example, test programs or test scripts can be run against the environment revision to test the behavior of the environment revision (Anderson, column 5, [lines 33-37]). Examiner interpretation: Access tests is access a trust record published. 
An identification a type of the audit that distinguishes the type of audit from a plurality of other types of audits, an identity of an auditing entity that performed the audit, a result of the audit that specifies whether the audit was passed by the software asset In one embodiment, the deployment environment 125 can include one or more computing nodes configured to emulate computer hardware of the production environment. For example, the continuous deployment system 100 can use one or more computing nodes or testing modules 127 that can execute and test software programs (Anderson, column 3, [lines 39-55]), and further “at block 625, the continuous deployment system 100 determines whether the one or more software tests have been passed (e.g., functionality tests, bug tests, performance tests, compliance tests, etc.). If the tests were not passed, the continuous deployment system 100 can end the deployment process 600. If the tests were passed, the deployment process proceeds to block 630 (Anderson, column 11, [lines 21-32]).
And the audit smart contract is configured to determine whether the trust record establishes that the audit requirement has been satisfied; and receiving, with one or more processors, a response from the audit smart contract indicating whether the audit requirement has been satisfied by an audit performed by an entity with authority to perform the audit For example, automated tests may be performed and, if passed, the continuous deployment system 100 can then notify the user in charge of the software release that the release is ready for deployment (Anderson, column 6, [lines 4-10]), and further  “Automatic approval may be granted if the one or more software tests are passed. In some cases, the continuous deployment system 100 may be configured to delay approving the software package until certain criteria are met, such as waiting for a particular time or waiting for a scheduled event to occur (Anderson, column 11, [lines 54-60]). 
However, Anderson fails to teaches  calling, with one or more processors an audit smart contract with wherein: the audit smart contract is configured to, the trust record contains a cryptographically signed indication of:, a date when the audit was completed or performed, and a hash digest of the software asset upon which the audit was performed, a cryptographic signature of the cryptographically signed indication is based on a private cryptographic key of the auditing entity, or a certificate authority that has verified the trust record is from the auditing entity and has not been tampered with since being formed by the auditing entity at a time of signing; the audit smart contract is configured to obtain the audit requirement, the audit smart contract is configured to determine whether the auditing entity is -80-US20180295US1 / 043979-0458268 4817-6269-8848.v1an entity with authority to perform the audit under the audit requirement, the audit smart contract is configured to verify whether the cryptographic signature of the trust record demonstrates the trust record is from the auditing entity and has not been tampered with since signing based on a public cryptographic key corresponding to the private cryptographic key, 
Stanley discloses calling, with one or more processors an audit smart contract with wherein: the audit smart contract is configured to, the trust record contains a cryptographically signed a key is generated by the data producer invoking the Smart Contract to automate a post a sample of prepared data of a data producer to the public ledger of the block chain for any prospective data buyer to view. In a variant of the typical embodiment an encrypted key is shared with a prospective data buyer via the block chain (Stanley, paragraph 85). And a hash digest of the software asset upon which the audit was performed, a cryptographic signature of the cryptographically signed indication is based on a private cryptographic key of the auditing entity, or a certificate authority that has verified the trust record is from the auditing entity and has not been tampered with since being formed by the auditing entity at a time of signing; the audit smart contract is configured to obtain the audit requirement, the audit smart contract is configured to determine whether the auditing entity is -80-US20180295US1 / 043979-0458268 4817-6269-8848.v1an entity with authority to perform the audit under the audit requirement, the audit smart contract is configured to verify whether the cryptographic signature of the trust record demonstrates the trust record is from the auditing entity and has not been tampered with since signing based on a public cryptographic key corresponding to the private cryptographic key message authentication involves hashing the message to produce a “digest and encrypting the digest with the private key to produce a digital signature. Thereafter anyone can verify this signature by (1) computing the hash of the message, (2) decrypting the signature with the signer's public key, and (3) comparing the computed digest with the decrypted digest. Equality between the digests confirms the message is unmodified since it was signed, and that the signer, and no one else, intentionally performed the signature operation presuming the signer's private key has remained secret to the signer (Stanley, paragraph 80). It would have been obvious to one having ordinary skill in the art before the effecting filling date of the claimed invention to combine the teachings of cited references. Thus, one of ordinary skill in the art before the effecting filling date of the claimed invention would have been motivated to incorporate teaching of Stanley into teaching of Anderson to enable the development and use of Smart Contracts to configure and manage changes to data distributed via a peer to peer network for a “data supply chain.”
Stahlberg discloses a date when the audit was completed or performed a session log may be generated that includes metadata of the test. The metadata may include a status of the test, a timestamp of the test, a number of attempted test runs of the test, a total time spent executing the test, a number of times the test has previously failed, or a number of times the test has previously succeeded (Stahlberg, column 10, [lines 41-46]). It would have been obvious to one having ordinary skill in the art before the effecting filling date of the claimed invention to combine the teachings of cited references. Thus, one of ordinary skill in the art before the effecting filling date of the claimed invention would have been motivated to incorporate teaching of Stahlberg into teaching of Anderson to monitor and test application over the network within different platform and environment. Test result aggregation clarifies the source of the outage or issue during application lifecycle either before the deployment or after the deployment.
Regarding claim 2:
Anderson, Stanley and Stahlberg disclose the audit smart contract is configured to determine whether a plurality of audit requirements have been satisfied by a plurality of corresponding audits of the software asset based on one or more trust record published to the blockchain at event 5, if the approval workflow is passed and the environment revision is approved (automatically or manually), the environment revision is promoted to the next CDS stage. This stage can include different approval workflows and/or different deployment environments. For example, the Beta stage may have deployment environments that are configured to more closely match or duplicate the production environment than Alpha. In another example, the Beta stage may include all or most of the packages for the final software release, thereby allowing a more thorough or complete testing of the packages, for example, by allowing testing of the interactions between all the different packages (Anderson, column 5, [lines -65]), and further at event 6, a second approval workflow is applied to the environment revision. In some embodiments, the promotion to the destination (e.g., the production environment) may require manual approval (Anderson, column 6, [lines 1-2]).

Regarding claim 3:
Anderson, Stanley and Stahlberg disclose the audit smart contract is configured to determine whether audit criteria of at least some of the audit requirements have been superseded and reject an audit that was passed with previous audit criteria but did not apply the superseding audit criteria in some embodiments, the CDS system 100 can monitor whether a particular software revision has been approved as complying with a compliance policy applicable to the software. In some such embodiments, the CDS system 100 will not promote the revision to the next stage in the pipeline until a compliance approval is received. The compliance approval process may be automated (e.g., the revision is passed by a compliance module) or may be manual (e.g., a human manager has signed off on the revision (Anderson, column 10, [lines 20-28]), and further in response to a triggering even, such as failure or error in the deployment environment, the continuous deployment system 100 can roll back to the previously deployed software package or otherwise return the deployment environment to the state it was in before the deployment (Anderson, column 12, [lines 48-52]).

Regarding claim 4:
Anderson, Stanley and Stahlberg disclose the audit is an automated audit performed by an auditing application and the trust record is caused to be published to the blockchain by the auditing application the promotion configurations can define requirements or instructions for passing to the next stage (e.g. build to an application, deploy to a first environment, promote from Alpha to Development stage or the like (Anderson, column 2, [lines 47-53]).

Regarding claim 5:
Anderson, Stanley and Stahlberg disclose the auditing application applies verifiable computation executed on untrusted computing devices to determine whether at least some audit criteria are satisfied Public key algorithms, unlike symmetric key algorithms, do not require a secure channel for the initial exchange of one (or more) secret keys between the parties (Stanley, paragraph 78). It would have been obvious to one having ordinary skill in the art before the effecting filling date of the claimed invention to combine the teachings of cited references. Thus, one of ordinary skill in the art before the effecting filling date of the claimed invention would have been motivated to incorporate teaching of Stanley into teaching of Anderson to enable the development and use of Smart Contracts to configure and manage changes to data distributed via a peer to peer network for a “data supply chain.”

Regarding claims 6, and 19:
the CDS system 100 can monitor whether a particular software revision has been approved as complying with a compliance policy applicable to the software. In some such embodiments, the CDS system 100 will not promote the revision to the next stage in the pipeline until a compliance approval is received. The compliance approval process may be automated (e.g., the revision is passed by a compliance module) or may be manual (e.g., a human manager has signed off on the revision) (Anderson, column 12, [lines 10-28]), and if the package build is successful, the deployment process proceeds to block 615. In some situations, the build may fail and the continuous deployment system 100 may then notify a user that the build failed. The continuous deployment system 100 may then end the deployment process 600 (Anderson, col 10 [line 56-62]).

Regarding claim 7 :
Anderson, Stanley and Stahlberg disclose wherein the audit determines whether the software asset is compliant with requirements of one or more of the following: the SAFETY Act; Federal Information Processing Standards; the Health Insurance Portability and Accountability Act; the General Data Protection Regulation; the Children's Online Privacy Protection Rule; a software license; or a security policy of an enterprise network a software compliance policy may be used to implement medical privacy standards under the Health Insurance Portability and Accountability Act (HIPAA), corporate accounting standards under the Sarbanes-Oxley act (SOX), fraud prevention standards under the Payment Card Industry (PCI) data security standards, information security standards under the Federal Information Security Management Act (FISMA) (Anderson, column 10, [lines 14-20]).

Regarding claim 8:
Anderson, Stanley and Stahlberg disclose the audit smart contract is configured to access a manifest of the software asset to determine a dependency of the software asset; the audit smart contract at event 2, packages are built into an application. In one embodiment, the application is a revision controlled dependency closure that includes all the other software packages depended upon by the modified source code to function. Generally, a revision is a set of changes. Software packages having changes are built into an application to create an application revision (Anderson, column 4, [lines 59-65]).

Regarding claim 9:
Anderson, Stanley and Stahlberg disclose the audit smart contract is configured to recursively crawl a constituency graph of the software asset and determine whether each constituent software asset of the constituency graph satisfies the audit requirement to obtain audit-compliance transitive closure; and  -82-US20180295US1 / 043979-0458268 4817-6269-8848.v1at least some constituent software assets have audits published to the blockchain in different trust records and by different auditing entities a change progress interface screen 400 to the continuous deployment system 100 displaying the progress of the changes to a software project. In one embodiment, changes can be grouped by progress. The groups can be sorted by package name or chro- 20 nologically. The progress interface Screen 400 can display the number of changes made in the package, when the changes were made, who made the changes, and what changes were made. For example, the screen 400 can include progress bars 405 that show where changes have been made during the 25 continuous deployment stages (e.g., changes to an applica tion and/or to a Beta stage). The user can manipulate the screen 400 to show different views, for example, by filtering the displayed data (Anderson, Fig.4, column 9, [lines 15-28]).

Regarding claim 11:
Anderson, Stanley and Stahlberg disclose the audit requirement is cause to be published to the blockchain by an entity that creates rules for which the audit determines compliance; the audit requirement is cryptographically signed by the entity that creates rules for which the audit determines the promotion configurations can define requirements or instructions for passing to the next stage (e.g. build to an application, deploy to a first environment, promote from Alpha to Development stage or the like). The continuous deployment system can allow users to set up automated test workflows to verify and approve the changes at each stage. Then the promotion configuration moves the latest approved changes to the next stage in the pipeline” (Anderson, column 2, [lines 49-56]), and further For example, in response to a triggering even, such as failure or error in the deployment environment, the continuous deployment system 100 can rollback to the previously deployed software package or otherwise return the deployment environment to the state it was in before the deployment (col 12, lines 52-58]).

Regarding claim 12:
Anderson, Stanley and Stahlberg disclose the trust record comprises an off-chain portion that is not written to the blockchain and on-chain portion that includes a hash digest of data including the off-chain portion the CDS system 100 can monitor whether a particular software revision has been approved as complying with a compliance policy applicable to the software. In some such embodiments, the CDS system 100 will not promote the revision to the next stage in the pipeline until a compliance approval is received. The compliance approval process may be automated (e.g., the revision is passed by a compliance module) or may be manual (e.g., a human manager has signed off on the revision) (Anderson, column 10, [lines 20-28]), and further If the package build is successful, the deployment process proceeds to block 615. In some situations, the build may fail and the continuous deployment system 100 may then notify a user that the build failed. The continuous deployment system 100 may then end the deployment process 600 (Anderson, col 10, [line 56-62]).


Anderson, Stanley and Stahlberg disclose the audit smart contract comprises a script encoding logic of the audit smart contract; the script is executed by each of a plurality of computing nodes to produce respective candidate responses from respective computing nodes; and the computing nodes execute a consensus protocol to determine the response from the candidate responses the approval workflow can include automated tests for the environment revision. For example, test programs or test scripts can be run against the environment revision to test the behavior of the environment revision. Multiple tests can be run to test particular functionality or to verify that previous bugs have not been reintroduced. In one embodiment, the approval workflow contains separate configurable steps. Each step can correspond to a discrete test (Anderson, column 5, [lines 33-38].

Regarding claim 16:
Anderson, Stanley and Stahlberg disclose steps for determining whether an audit requirement has been satisfied with an audit smart contract at event 7, an approved revision is promoted to the production stage (referred to as "Production" in FIG. 2). The promotion may be initiated by a manual approval, a timer, a scheduled event, a time window or other deployment conditions being satisfied (Anderson, column 6, [lines 13-17]).

Regarding claim 18:
Claim 18 is rejected under the same reason set forth in rejection of claims 2 and 3 combined.

Regarding claim 20:
Claim 20 is rejected under the same reason set forth in rejection of claims 7 and 8 combined.

6.	Claims 10, 13 are rejected under 35U.S.C 103 as being unpatentable over Anderson et al (US Patent 8,677,315), in view of Stanley et al (US 20150379510),  Stahlberg et al (US Patent 8863085), and further in view of Lesavich et al (US  20160321654), hereinafter Lesavich.


Anderson, Stanley, Stahlberg, and Lesavich disclose the trust assertions of the trust record are published to the blockchain by a blockchain oracle that cryptographically signs the trust assertions the blockchain 230 includes plural blocks 232, 234, 236 (only three of which are illustrated) which include one or more items, and plural trans actions 238, 240 (only two of which are illustrated). Exemplary transaction 238 includes, for example, includes taking Owner-B's public key for block 232 in blockchain 230, running it through a hash algorithm (e.g., SHA-256, etc.) and obtaining Owner-A’s digital signature, Owner-B signs the block 232 with its private key and Owner-B's signature is verified on the next block 234, etc. Transaction 240 includes identical steps as was illustrated in transaction 238 (Lesavich, pargraph 389), and further at Step 246, the cloud application securely stores the received one or more new blocks in the block chain in one or more cloud storage objects (Lesavich, pargraph 390). It would have been obvious to one having ordinary skill in the art before the effecting filling date of the claimed invention to combine the teachings of cited references. Thus, one of ordinary skill in the art before the effecting filling date of the claimed invention would have been motivated to incorporate teaching of Lesavich into teaching of Anderson to determine the validity and trust of the source and moving the software to next stage based on the obtained result.

Regarding claim 13:
Anderson, Stanley, Stahlberg and Lesavich disclose the off-chain portion comprises a human-readable natural language audit report with evidence of compliance or non-compliance and the on-chain portion comprises a plurality of trust assertions based on the audit encoded in a machine-readable structured data format the set of symbols include the letters a-z and A-Z, punctuation characters and/or keyboard characters (e.g., @, #, $, %, etc.). in the English alphabet, the set of symbols includes American Standard Code for Information Interchange (ASCII) symbols for an ASCII encoded binary alphabet (see, e.g., RFC 4880), the set of symbols includes the numbers zero through 15 and the characters a-f and A-F for a hexadecimal alphabet (Lesavich, paragraph 305). It would have been obvious to one having ordinary skill in the art before the effecting filling date of the claimed invention to combine the teachings of cited references. Thus, one of ordinary skill in the art  determine the validity and trust of the source and moving the software to next stage based on the obtained result.

7.	Claim 15 is rejected under 35U.S.C 103 as being unpatentable over Anderson et al (US Patent 8,677,315), in view of Stanley et al (US 20150379510),  Stahlberg et al (US Patent 8863085), and further in view of Peter et al (US 20170287090),hereinafter Peter.

Regarding claim 15:
Anderson, Stanley, Stahlberg and Peter disclose the consensus protocol is an implementation of the Raft consensus protocol; the blockchain comprises blocks with respective Patricia tries having the trust record published in one or more leaf nodes of a given Patricia trie of a given block of the blockchain; and the computing nodes are addressed in a peer-to-peer network with a distributed hash table system , similar to the contract State Transitioning System , uses a Merkle tree or , preferably , a Directed Acyclic Graph ( DAG ) that includes content - addressed objects with Merkle links con necting the objects , as indicatively shown in FIGS . 9 and 10 (Peter, paragraph 154), and any object type, data, properties, metadata pertaining to objects, may be stored in the DAG. A Merkle edge / link is a cryptographic graph edge hash ( e . g . , SHA - 3 , SHA - 256 ) referencing or otherwise defining a relationship with another object and represented by the hash of the target object , and embedded in the source object (Peter, paragraph 104), and further arbitrarily consensus algorithm / logic ( where appropriate ) to automate the state transition , including ( but are not limited to ) Practical Byzantine Fault Tolerance ( PBFT ) , PAXOS , RAFT , between contracting parties or all users of the system to validate state changes to contracts (Peter, paragraph 101). It would have been obvious to one having ordinary skill in the art before the effecting filling date of the claimed invention to combine the teachings of cited references. Thus, one of ordinary skill in the art before the effecting filling date of the claimed invention would have been motivated to incorporate teaching of Peter into teaching of Anderson to assemble, manage, and analyze legal contracts.

Conclusion
Any inquiry concerning this communication from the examiner should be directed to Thanh Le whose telephone number is 571-272-8556. The examiner can normally be reached on Monday-Friday 8:00a.m to 5p.m. EST
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor Nickerson Jeffrey can be reached on (469) 295-9235.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either obtained from either Private PAIR or Public PAIR. Status information for unpublished application is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov . Should you have question on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automatic information system, call 800-786-9199 (In USA or CANADA) or 571-272-1000.

/THANH H LE/             Examiner, Art Unit 2432  

/Jeffrey Nickerson/             Supervisory Patent Examiner, Art Unit 2432