DETAILED ACTION
1.	Claims 9-14, 16-20 are pending in this examination. Claims 1-6 and 8 have been cancelled. 
Notice of Pre-AIA or AIA Status
2.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
3.	In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Allowable Subject Matter
4.	Claims 10-14 and 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Response to Arguments 	
5.1.		Applicant’s arguments filed 9/29/2021 have been fully considered but they are not persuasive.
5.2.	In the Response, Applicant argues, in substance, that “Applicant respectfully submits that none of the cited references show or suggest adding vulnerabilities detected in the head branch to the vulnerabilities stored in the database for the base branch based on a determination that a latest scan of the base branch failed to detect the vulnerabilities in the base branch as found in claim 9 or storing an indication that the 
5.3.	The Examiner respectfully disagrees with Applicant’s arguments. In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
The examiner submits that the combination of Mallisetty, Mueller and Russell discloses the above features. For example, Mueller discloses a database storing the vulnerability; determining that a vulnerability stored in the database for the previous version of the branch of computer code is not in the received vulnerabilities for the last-committed version of the branch of computer code (9:1-30, … delta can be caused by the absence of the issue which was found in the previous load.., also see 7:20-50); in response, instructing an issue tracker to close an issue opened for the vulnerability for the branch of code (9:20-30, issues where the status needs to change to "Deleted"/closed because they are no longer present in the latest scan; also see 9:55-65, closed; 4:5-20, issue was resolved).
Russell discloses adding vulnerabilities detected in the head branch to the vulnerabilities stored in the database for the base branch based on a determination that a latest scan of the base branch failed to detect the vulnerabilities in the base branch; or storing an indication that the vulnerability is present in the base branch when a latest scan of the base branch failed to detect that the vulnerability was in the base branch ([0020]-[0021], Vulnerability manager 20 may cause the results to be populated into results database 38 (for example, if scan engine 14 fails to return the results to results database 38), 

 


Therefore, in view of the above reasons, the rejections are maintained.

Claim Rejections - 35 USC § 103
6.1.	The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.

6.2.	Claims 9 and 16-18 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent Application No. 20160291970 to Mallisetty et al (“Mallisetty”) in view of US Patent No. 10579803 to Mueller et al (“Mueller”), further in view of US Patent Application No. 20130167238 to Russell et al (“Russell”).

As per claim 9, Mallisetty discloses a computer server comprising: a memory containing instructions and a database comprising vulnerabilities detected in a previous version of a branch of computer code and vulnerabilities detected in a base branch and a head branch of computer code ([0052], Items 216-222 are repeated for each additional code branch in the subset of additional code branches (230). Thus, for each additional code branch, the application and test source code (including the new source code that has been automatically checked in) is compiled, testing is performed against the new build to determine code coverage data, and the patch integrator 20 stores that code coverage data in the code coverage repository 22. A code coverage analysis is performed for the given code branch and the subset of additional code branches, and if needed a deficiency);
receiving an indication that a commit of a merge of the head branch into the base branch has been received ([0049]-[0050], The APIs could be used to obtain metadata of the source code (e.g., the defect ID that the code is associated with). The patch 
Mallisetty does not explicitly disclose; however, in the same field of endeavor, Mueller discloses a processor executing the instructions in the memory to perform steps comprising: receiving vulnerabilities detected in a last-committed version of the branch of computer code (col. 9, lines 1-25, also see fig. 4 and associated text);
determining that a vulnerability stored in the database for the previous version of the branch of computer code is not in the received vulnerabilities for the last-committed version of the branch of computer code (9:1-30, … delta can be caused by the absence of the issue which was found in the previous load.., also see 7:20-50); in response, instructing an issue tracker to close an issue opened for the vulnerability for the branch of code (9:20-30, issues where the status needs to change to "Deleted"/closed because they are no longer present in the latest scan; also see 9:55-65, closed; 4:5-20, issue was resolved).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Mallisetty with the teaching of Mueller by including the feature of issue tracker, in order for Mallisetty’s system for management of software application issues such as software application vulnerabilities or software quality. The method may comprise the steps of receiving software vulnerability data from a plurality of vulnerability scanning systems; automatically generating a unique vulnerability ID for a vulnerability using a plurality attributes of the vulnerability; comparing a current load of vulnerability data with a previous load of vulnerability data and generating a table of deltas; grouping 
Mallisetty does not explicitly disclose; however, in the same field of endeavor, Russell discloses adding vulnerabilities detected in the head branch to the vulnerabilities stored in the database for the base branch based on a determination that a latest scan of the base branch failed to detect the vulnerabilities in the base branch ([0020]-[0021], Vulnerability manager 20 may cause the results to be populated into results database 38 (for example, if scan engine 14 fails to return the results to results database 38), 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Mallisetty/Mueller with the teaching of Russell by including the feature of vulnerabilities stored in the database, in order for Mallisetty’s system for identifying a set of known vulnerabilities and a set of new vulnerabilities in an asset, selecting one or more scripts that include checks for vulnerabilities in a union of the set of known vulnerabilities and the set of new vulnerabilities, and using the selected scripts to scan the asset. Known vulnerabilities and new vulnerabilities may be identified by accessing results of previous scans on the asset. As a result, the system will easily detect application security vulnerabilities sooner to reduce costs and risk.


Mallisetty does not explicitly disclose; however, in the same field of endeavor, Mueller discloses a method comprising: a server executing an orchestration API receiving an indication that a merge of a head branch of computer instructions into a base branch of computer instructions has been committed to a version control repository ([0048]-[0050], patch integrator 20 determines that source code has been 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Mallisetty with the teaching of Mueller by including the feature of version, in order for Mallisetty’s system for management of software application issues such as software application vulnerabilities or software quality. The method may comprise the steps of receiving software vulnerability data from a plurality of vulnerability scanning systems; automatically generating a unique vulnerability ID for a vulnerability using a plurality attributes of the vulnerability; comparing a current load of vulnerability data with a previous load of vulnerability data and generating a table of deltas; grouping vulnerabilities into a group that can be managed and remediated on a group basis as a unit of work rather than individually; and automatically generating entries in the developer task tracking system for each vulnerability group or individual vulnerabilities for resolution (Mueller, abstract).
Mueller does not explicitly disclose; however, in the same field of endeavor, Russell discloses storing an indication that the vulnerability is present in the base branch when a latest scan of the base branch failed to detect that the vulnerability was in the base branch ([0020]-[0021], Vulnerability manager 20 may cause the results to be populated into results database 38 (for example, if scan engine 14 fails to return the results to results database 38), 
vulnerabilities stored in the database, in order for Mallisetty’s system for identifying a set of known vulnerabilities and a set of new vulnerabilities in an asset, selecting one or more scripts that include checks for vulnerabilities in a union of the set of known vulnerabilities and the set of new vulnerabilities, and using the selected scripts to scan the asset. Known vulnerabilities and new vulnerabilities may be identified by accessing results of previous scans on the asset. As a result, the system will easily detect application security vulnerabilities sooner to reduce costs and risk.

6.3.	Claims 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Mallisetty, Mueller and Russell as applied to claim above, and in view of US Patent Application No. 20180336356 to Papaxenopoulos et al (“Papaxenopoulos”).

	
As per claim 17, the combination of Mallisetty, Mueller and Russell discloses the invention as described above. Mallisetty discloses source code, a subset of code branches, and storing defects as well as open issues ([0049]-[0051], [0036]-[0037]). Furthermore, Mueller discloses opening an issue (9:1-25, also see fig. 4 and associated text).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Mallisetty with the 
Mallisetty, Mueller and Russell do not explicitly disclose; however, in the same field of endeavor, Papaxenopoulos discloses the method of claim 16 further comprising determining that an issue for the head branch associated with the vulnerability was open before storing the indication that the vulnerability is present in the base branch ([0028]-[0031], also see fig. 1 and associated text).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Mallisetty/Mueller/Russell with the teaching of Papaxenopoulos by including the feature of vulnerability is present, in order for Mallisetty’s system to rank the bugs according to their relevance to a given bug. It is desirable to score the files in the code base of a software project in order to rank them according to their relevance to a given bug. This advantageously 

As per claim 18, the combination of Mallisetty, Mueller and Russell discloses the invention as described above. Mueller discloses opening an issue (9:1-25, also see fig. 4 and associated text). Papaxenopoulos discloses the method of claim 16 further comprising an issue for the base branch for the identified vulnerability (Papaxenopoulos, [0028]-[0031], also see fig. 1 and associated text). The motivation regarding the obviousness of claim 17 is also applied to claim 18.

7.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure as the prior art discloses many of the claim features (See PTO-form 892).

a). US Patent No. 10158660 to Reguly et al discloses apparatus and methods for performing dynamic vulnerability correlation suitable for use in enterprise information technology (IT) environments, including vulnerability filtering, patch correlation, and vulnerability paring. According to one disclosed embodiment, a method of vulnerability filtering includes attempting to execute vulnerability scanning rules according to a specified order in a rule hierarchy, and depending on the type of the rule hierarchy and on whether the attempt was successful, not executing additional rules in the rule hierarchy. In another disclosed embodiment, a method of patch correlation includes executing vulnerability scanning rules based on a correlation .
Conclusion
8.	THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HARUNUR RASHID whose telephone number is (571)270-7195. The examiner can normally be reached 9 AM to 5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

HARUNUR RASHID
Primary Examiner
Art Unit 2497



/HARUNUR RASHID/Primary Examiner, Art Unit 2497