Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
DETAILED ACTION
This action is in response to original filings made on 3/10/2020. Claims 1-20 are pending. 
Specification (Title)
The title of the invention is not descriptive.  A new title is required that is clearly indicative of the invention to which the claims are directed. 
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 12-15 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The examiner notes that claim 12 is directed towards a computer program product comprising one or more computer readable storage media. One of ordinary skill in the art would define computer readable storage media to include a signal and/or carrier wave. A signal and/or carrier wave is non-statutory subject matter. To overcome the rejection of claim 12 under 35 U.S.C. 101, the examiner suggests adding the limitation "non-transitory" before "computer readable storage media" in the preamble.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Xiao et al. (US Patent Publication No. 2013/0152154 and Xiao hereinafter) in view of Bettini et al. (US Patent No. 8,819,772 and Bettini hereinafter).

As to claims 1, 12 and 16, Xiao teaches a computer-implemented method comprising: 
and responsive to identifying one or more instances of confidential information (i.e., …teaches in par. 0004 the following: “The static analysis module performs static analysis on the program to identify at least one flow of private information” … further teaches in par. 0030 the following: “the private information may constitute information that pertains to the user, such as information that reveals the location of the user, information that identifies the contacts of the user, information associated with documents or files created by, maintained by, or otherwise associated with the user, and so forth.”),
performing, by one or more computer processors, one or more remedial actions (i.e., …teaches in par. 0047 the following: “anonymized data instead of the actual data. The anonymized data represents "fake" or dummy information substituted in place of the actual data, such as a meaningless dummy location substituted in place of the actual location of the user. A user may opt to use 

Xiao does not expressly teach:
storing, by one or more computer processors, a pushed codebase associated with a user to an isolated quarantine area, 
wherein access to the quarantine area is restricted to the user through user interface code visibility enforcement and protocol code visibility enforcement;
dynamically adjusting, by one or more computer processors, a timeout period based on codebase complexity, user preferences, associated dependencies, codebase size, minimum execution temporal period for one or more scans, and system specifications. 

In this instance the examiner notes the teachings of prior art reference Bettini.
With regards to applicant’s claim limitation element of, “storing, by one or more computer processors, a pushed codebase associated with a user to an isolated quarantine area”, Bettini teaches as part of his claim 1 features the following: “a hardware processor of an inline filtering device configured to: intercept a request for downloading an application to a mobile device; quarantine the application at the inline filtering device until receipt of an acknowledgement of potential threats associated with the application are presented in a display on the mobile device, …”.
With regards to applicant’s claim limitation element of, “wherein access to the quarantine area is restricted to the user through user interface code visibility enforcement and protocol code visibility enforcement”, Bettini teaches as part of his claim 1 features the following: “a hardware processor of an inline filtering device configured to: intercept a request for downloading an application to a mobile device; quarantine the application at the inline filtering device until receipt of an acknowledgement of 
With regards to applicant’s claim limitation element of, “dynamically adjusting, by one or more computer processors, a timeout period based on codebase complexity, user preferences, associated dependencies, codebase size, minimum execution temporal period for one or more scans, and system specifications”, Bettini teaches in col. 10 lines 1-15 the following: “the corporate IT team of ACME Corporation can have one or more users that have accounts with access to the platform. The corporate IT team can also configure their account to have specific IT requirements for apps scanned on behalf of ACME Corporation (e.g., custom scanning, and/or custom reporting requirements, such as based on security requirements, privacy requirements, and/or various other criteria as described herein). The corporate IT team can also create scripts that automatically query the platform for reports on apps being considered for adding to the enterprise app store, including existing apps (e.g., previously scanned apps), updated versions of existing apps, and/or new apps. Using these techniques, the corporate IT team can effectively manage the enterprise app store to ensure that the apps available in the enterprise app store satisfy their corporate IT requirements (e.g., security, privacy, device integrity, network integrity, etc.).”
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Xiao with the teachings of Bettini by including the feature of quarantine code scanning. Utilizing quarantine code scanning as taught by Bettini above allows a system to provide comprehensive code authentication and therefore provides the motivation in this instance to combine the references. The examiner contends that by combining the references, Xiao's system will obtain the capability to provide enhanced code filtering. 

As to claim 2, the system of Xiao and Bettini as applied to claim 1 above, specifically Xiao does not expressly teach a method of claim 1, wherein identifying one or more instances of confidential information contained in the stored codebase within the timeout period, comprises: creating, by one or more computer processors, a virtual filesystem containing a containerized representation of the stored codebase; 
and performing, by one or more computer processors, one or more server-side scans on the created virtual filesystem.
In this instance the examiner notes the teachings of prior art reference Bettini. 
With regards to applicant’s claim limitation element of, “creating, by one or more computer processors, a virtual filesystem containing a containerized representation of the stored codebase;”, 
Bettini teaches in col. 22 lines 40-50 the following: “the app can be cached/quarantined by the filtering device, or partially held (e.g., throttle a download of the app), such that the complete content of the app is not allowed to fully transfer to the mobile device in this scenario pending results of the analysis of the app being received and evaluated …”.
With regards to applicant’s claim limitation element of, “and performing, by one or more computer processors, one or more server-side scans on the created virtual filesystem”, Bettini teaches scanning the application as part of his claim 1 feature(s).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Xiao with the teachings of Bettini by including the feature of quarantine code scanning. Utilizing quarantine code scanning as taught by Bettini above allows a system to provide comprehensive code authentication and therefore provides the motivation in this instance to combine the references. The examiner contends that by combining the references, Xiao's system will obtain the capability to provide enhanced code filtering. 

As to claims 3, 13 and 17, the system of Xiao and Bettini as applied to claim 1 above, specifically Xiao teaches a method of claim 1, wherein the confidential information represents API keys, database connection strings, IP addresses, certificates, encryption keys, Oauth tokens, PEM files, passwords, personal data, environment variables, and passphrases (i.e., …teaches in par. 0030 the following: “the private information may constitute information that pertains to the user, such as information that reveals the location of the user, information that identifies the contacts of the user, information associated with documents or files created by, maintained by, or otherwise associated with the user, and so forth.”).

As to claim 4, the system of Xiao and Bettini as applied to claim 1 above, specifically Xiao teaches a method of claim 1, wherein responsive to identifying the one or more instances of confidential information (i.e., …teaches in par. 0042 the following: “which alerts the user to flows of private information”),
performing the one or more remedial actions, comprises: sending, by one or more computer processors, a notification containing scan results containing the identified confidential information, identified security vulnerabilities, remedial actions, and associated generated risk scores (i.e., …teaches in par. 0042 the following: “which alerts the user to flows of private information”; …teaches in par. 0075 the following: “the static analysis module 302 expresses its conclusions as flow information and sends that flow information to a user for inspection.”).

As to claims 5, 14 and 18, the system of Xiao and Bettini as applied to claim 1 above, specifically Xiao teaches a method of claim 1, further comprising: obfuscating, by one or more computer processors, the identified one or more instances of confidential information (i.e., …teaches in par. 0047 the following: “anonymized data instead of the actual data. The anonymized data represents "fake" or 

As to claims 6, 15 and 19, the system of Xiao and Bettini as applied to claim 1 above, specifically Xiao does not expressly teach a method of claim 1, further comprising: generating, by one or more computer processors, a risk value representing consequences of a publicly published stored codebase.
In this instance the examiner notes the teachings of prior art reference Bettini. 
Bettini teaches in col. 15 lines 15-25 the following: “the app risk assessment can include an app reputation score…”.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Xiao with the teachings of Bettini by including the feature of code risk assessment. Utilizing code risk assessment as taught by Bettini above allows a system to provide comprehensive code scanning and therefore provides the motivation in this instance to combine the references. The examiner contends that by combining the references, Xiao's system will obtain the capability to provide enhanced code authentication. 

As to claim 7, the system of Xiao and Bettini as applied to claim 1 above, specifically Xiao teaches a method of claim 1, further comprising: encrypting, by one or more computer processors, the identified one or more instances of confidential information (i.e., …teaches in par. 117 the following: “The functionality can also provide suitable security mechanisms to ensure the privacy of the user data (such as data-sanitizing mechanisms, encryption”).

As to claim 8, the system of Xiao and Bettini as applied to claim 1 above, specifically Xiao does not expressly teach a method of claim 1, wherein the protocol code visibility enforcement, comprises: 
In this instance the examiner notes the teachings of prior art reference Bettini. 
Bettini teaches in col. 26 lines 20-35 the following: “determines at 1024 whether or not the app should be permitted for download to the client device 1002 based on the app analysis results 1018. If the app is not permitted for download to the client device 1002 based on the app analysis results 1018, then the app download is rejected at 1036 as communicated to the device 1002 at 1026 (e.g., a notification can be communicated to the device 1002 informing the user that the app cannot be downloaded due to the app analysis for the app and an app risk profile associated with the device). …”.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Xiao with the teachings of Bettini by including the feature of code access control. Utilizing code access control as taught by Bettini above allows a system to provide comprehensive code security and therefore provides the motivation in this instance to combine the references. The examiner contends that by combining the references, Xiao's system will obtain the capability to provide enhanced system access control. 

As to claim 9, the system of Xiao and Bettini as applied to claim 1 above, specifically Xiao does not expressly teach a method of claim 1, where user interface code visibility enforcement, comprises: preventing, by one or more computer processors, one or more source code version clients from presenting the stored codebase to one or more unpermitted users.
In this instance the examiner notes the teachings of prior art reference Bettini. 
Bettini teaches in col. 26 lines 20-35 the following: “determines at 1024 whether or not the app should be permitted for download to the client device 1002 based on the app analysis results 1018. If the app is not permitted for download to the client device 1002 based on the app analysis results 1018, 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Xiao with the teachings of Bettini by including the feature of code access control. Utilizing code access control as taught by Bettini above allows a system to provide comprehensive code security and therefore provides the motivation in this instance to combine the references. The examiner contends that by combining the references, Xiao's system will obtain the capability to provide enhanced system access control. 

As to claims 10 and 20, the system of Xiao and Bettini as applied to claim 1 above, specifically Xiao does not teach a method of claim 1, further comprising: redirecting, by one or more computer processors, unpermitted users pulling the stored codebase to a public codebase.
In this instance the examiner notes the teachings of prior art reference Bettini. 
Bettini teaches in col. 26 lines 20-35 the following: “determines at 1024 whether or not the app should be permitted for download to the client device 1002 based on the app analysis results 1018. If the app is not permitted for download to the client device 1002 based on the app analysis results 1018, then the app download is rejected at 1036 as communicated to the device 1002 at 1026 (e.g., a notification can be communicated to the device 1002 informing the user that the app cannot be downloaded due to the app analysis for the app and an app risk profile associated with the device). …”. The examiner contends that the notification would allow the user to revisit the app store to view other available apps. 

As to claim 11, the system of Xiao and Bettini as applied to claim 1 above, specifically Xiao does not expressly teach a method of claim 1, further comprising: allowing, by one or more computer processors, the user to pull the stored codebase from the quarantine area.
In this instance the examiner notes the teachings of prior art reference Bettini. 
Bettini teaches in col. 24 lines 1-15 the following: “the in-line filtering device can be configured to block the transfer (e.g., prevent the complete download) of the requested app to the mobile device if the app is known to be malicious (e.g., was determined by the app analysis system to be malicious, such as including malware or violating some other aspect of a malware policy) and/or to have other issues of concern. As another example, the in-line filtering device can be configured to quarantine the app for further analysis, for IT approval for an entity associated with the mobile device, for approval by a user of the mobile device after acknowledgement of potential threats associated with the app are presented in a display on the mobile device to the user, and/or some other action(s) can be performed based on various configurations. …”.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Xiao with the teachings of Bettini by including the feature of quarantine code scanning. Utilizing quarantine code scanning as taught by Bettini above allows a system to provide comprehensive code authentication and therefore provides the motivation in 
Art Made of Record
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: Hair III et al. (US Patent Publication No. 2006/0173704).
Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRYAN F WRIGHT whose telephone number is (571)270-3826.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw, can be reached on (571)272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.