DETAILED ACTION
	This is a supplemental Office Action to correct the Office Action mailed on 12/29/2021 wherein the section for Allowable Subject Matter was missing.  

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Examiner's Instructions for filing Response to this Office Action
When the Applicant submits amendments to the claims in response to the Office Action, the Examiner would prefer that Applicant submit two sets of claims:
Set #1 that includes indicators for the status of claim and all marked amendments to the claims; and 
Set #2 comprising a clean version of the claims with all the markups removed for entry, as an appendix to the Set #1.

Information Disclosure Statement
The information disclosure statement(s) (IDS) submitted for examination on the merits are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement(s) is/are being considered by the examiner. See the annotated 1449 documents.

Claim Objections
Claims 1 and 11 are objected to because of the following informalities:
each software artifact of the plurality of software artifacts.  The three steps are indented in the claims.  However, the second step should be followed by a semicolon for formality reasons.  In addition, the second step should point out that “a set of call graphs” is for the software application, rather than for each software artifact of the plurality of software artifacts.  This aspect of the claim needs to be clarified.
Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):

(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. 


Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.

The rejection(s) under 35 U.S.C. 112(b) is/are determined by the following reasons:
Claims 1 and 11 each recite “a set of call graphs” repetitively for a sequence of steps for each software artifact of the plurality of software artifacts, leading to confusion that there are likely multiple sets of call graphs for the software application.  Therefore, the limitation for the set of call graphs is unclear.
wherein the plurality of software artifacts include the software application and one or more libraries that the software application calls” unclearly, because the software application has artifacts such as bytecode, assembly code, or source code (see claim 3) and a system call, a TCP stack, a UDP stack, and a library call (see claim 4).  However, it is unclear to state software artifacts include the software application.  Does the claim limitation mean that “the plurality of software artifacts is associated with the software application and one or more libraries that the software application calls?”
Claims 8 and 18 each recite a limitation “adding said each reachable dependency to a security policy, in the plurality of security policies, that is associated with the type” unclearly, because the instance of “a security policy” herein, although said to be associated with the type, is not defined in reference to the first security policy nor the second security policy, causing confusion on how the instance of “a security policy” is determined and why the first and second security policies are not used to define the instance of “a security policy” in the claim.
Claims 2-10 and 12-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, because they each depend from the rejected base claims 1 and 11, respectively.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.


In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Claims 1-6 and 11-16 are rejected under 35 U.S.C. 103 as being unpatentable over Dietsch (US 20180330097 A1) in view of Park (US 20110258617 A1), and further in view of Centonze (US 20080201760 A1).

As per claim 1, Dietsch teaches a method comprising: 
identifying a plurality of software artifacts associated with a software application (Dietsch par. 0032-0033: FIG. 3 presents the source code 300 of the program represented in call graph 200; par. 0036-0037: sets of facts or data-flow facts); 
for each software artifact of the plurality of software artifacts: 
•	generating a call graph for said each software artifact (Dietsch par. 0040-0042: call graph 200 being generated for artifacts such as source code, object code, byte code, library modules, application code, and the like; par. 0025-0026);

However, Dietsch does not explicitly disclose steps of adding or merging call graphs to a set of call graphs for dependency analysis.  This aspect of the claim is identified as a difference.

•	adding the call graph to a set of call graphs (Park, par. 0060-0062: adding a third call graph 300c to the set of call graphs 300a and 300b); 
•	detecting a set of one or more dependencies for said each software artifact (Park, FIGS. 8A and 8B shows the set of one or more dependencies for the software elements, for example, aggregating difference between a node; par. 0061); 
combining the set of call graphs to generate a merged call graph (Park par. 0059 and 0061: merging call graphs.  FIG. 7 shows an example of merging call graphs); 
pruning one or more portions of the merged call graph to generate a pruned call graph (Park, par. 0058 and 0074: simplify a resulting merged call graph.  Here the simplifying step in Park is the same as generating a pruned call graph); 
storing annotation data that associates elements in the pruned call graph with the set of one or more dependencies for each software artifact of the plurality of software artifacts (Park, par. 0042-0043: the exclusive value for node H of 10 is added to the total eliminated exclusive values); 
based on the annotation data, identifying a set of reachable dependencies (Park, par. 0046 and 0053: determines if a visited node should be eliminated if all callees for the visited node can be reachable.  Here the callees depend from the visited node); 
wherein the method is performed by one or more computing devices (Dietsch par. 0019-0020: computer devices; specialized computers for carrying out defined tasks).
Dietsch and Park are analogous art, because they are in a similar field of endeavor in improving call graphs for software analysis.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to combine them and to use Park’s technique to modify Dietsch to merge and simplify call graphs for analysis.  For this combination, the motivation would have been to improve the analysis of network functions of an application.

In a related art, Centonze teaches:
based on the set of reachable dependencies, generating a set of one or more security policies for the software application (Centonze, par. 0011-0012 and 0036-0037: a method for the evaluation of security policies and the creation of security policies … based on modeling the dependencies that exist between program objects; 0046-0048); 
Centonze is analogous art, because it is in a similar field of endeavor in improving security analysis and policy evaluations using call graphs.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to use Centonze to modify the Dietsch-Park system to include generating one or more security policies for the software application. For this combination, the motivation would have been to improve the level of security with updated security policies.

As per claim 2, the references as combined above teach the method of Claim 1, wherein the plurality of software artifacts include the software application and one or more libraries that the software application calls (Dietsch, par. 0016-0018: calls for every code segment to be executed; analysis of libraries).

As per claim 3, the references as combined above teach the method of Claim 1, wherein the plurality of software artifacts comprise two or more of bytecode, assembly code, or source code (Dietsch, par. 0015-0017: protected source for a computer system; source code; full analysis calls for every code segment to be executed).

As per claim 4, the references as combined above teach the method of Claim 1, wherein a plurality of types of dependencies reflected in the set of one or more dependencies for each software artifact of the plurality of software artifacts includes a system call, a TCP stack, a UDP stack, and a library call (Dietsch, par. 0016, 0023, and 0027: APIs and remote function calls …including for example, a data object, a file, a socket, a method, a program, a system, a device, or other suitable computer accessible resource).

As per claim 5, the references as combined above teach the method of Claim 1, wherein a particular software artifact in the plurality of software artifacts comprises one or more entry points to the particular software artifact, one or more internal functions, and one or more function references to one or more other software artifacts (Dietsch, par. 0031-0032 and 0035: A computer program call graph such as call graph 200 represents the calling relationships between routines and subroutines in a computer program. A call graph indicates which procedures can call which other procedures, and from which program points. Specifically, each node represents a procedure and each edge (f, g) indicates that procedure f calls procedure g).

As per claim 6, the references as combined above teach the method of Claim 1, wherein combining the set of call graphs comprises: 
for each software artifact in a subset of the plurality of software artifacts: 
identifying one or more function references of said each software artifact (Dietsch, par. 0031-0032 and 0035: A call graph indicates which procedures can call which other procedures, and from which program points); 
for each function reference of the one or more function references: 
identifying an entry point, in another software artifact of the plurality of software artifacts, to which said each function reference points (Dietsch, par. 0031-0032 and 0035: each node represents a procedure and each edge (f, g) indicates that procedure f calls procedure g); 


Regarding claims 11-16, they are rejected for the same reasons as those for claims 1-6, because claims 11-16 each recite the same limitations as claims 1-6, respectively.  

Claims 9-10 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Dietsch and Park and Centonze, as applied to claim 1, and further in view of Vepa (US 20150089575 A1).

As per claim 9, the references of Dietsch and Park and Centonze as combined above teach the method of Claim 1, but do not explicitly disclose storing the set of one or more security policies in a software container that comprises a plurality of software applications. This aspect of the claim is identified as a further difference.
In a related art, Vepa teaches:
further comprising: 
storing the set of one or more security policies in a software container that comprises a plurality of software applications (Vepa, par. 0016 and 0038-0040: the global container of the policy store is used for storing policies).
Vepa is analogous art in a similar field of endeavor in improving the management of policies applicable to multiple applications.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to use Vepa to modify the Dietsch-Park-Centonze system to store policies for the software application in containers. For this 

As per claim 10, the references as combined above teach the method of Claim 9, Vepa also discloses further comprising: 
identifying one or more software artifacts, of the plurality of software artifacts, that are not invokable during execution of the software application (Vepa, par. 0027-0030: policies applicable to multiple applications in an enterprise environment are invokable policies whereas authorization policies are not invokable); 
storing, in the container, the plurality of software artifacts except for the one or more software artifacts (Vepa, par. 0030-0031: In order to avoid such wasteful duplication, some embodiments involve a global container that contains policies that are applicable to multiple separate applications in the environment).
Vepa is analogous art in a similar field of endeavor in improving the management of policies applicable to multiple applications.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to use Vepa to modify the Dietsch-Park-Centonze system to store policies for the software application in containers. For this combination, the motivation would have been to improve the management of policies for software applications by using containers.

Regarding claims 19 and 20, they each recite the same limitations as claims 9 and 10, respectively.  For the same reasons as those for claims 9 and 10, claims 19 and 20 are rejected.

Allowable Subject Matter
Claims 7, 8, 17, and 18 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

The claims 7 and 17 each recite elements of “for each entry point of the one or more entry points: determining whether said each entry point is reachable; storing first data that indicates that said entry point is reachable if it is determined that said each entry point is reachable; if it is determined that said each entry point is reachable, then: identifying a set of one or more nodes that are downstream of said each entry point; storing second data that indicates that said node in the set of one or more nodes is reachable”.  These elements, in combination with the other limitations in the claim(s) and independent claim 1, are not anticipated by, nor made obvious over the prior art of record.
The claims 8 and 18 each recite elements of “the set of one or more security policies includes a plurality of security policies that includes a first security policy for a first security mechanism and a second security policy for a second security mechanism that is different than the first security mechanism, generating the set of one or more security policies for the software application comprises: for each reachable dependency in the list of reachable dependencies: determining a type of said each reachable dependency; adding said each reachable dependency to a security policy, in the plurality of security policies, that is associated with the type.”  These elements, in combination with the other limitations in independent claim 1, are not anticipated by, nor made obvious over the prior art of record.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure as the prior art additionally discloses certain parts of the claim features (See “PTO-892 Notice of Reference Cited”).

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl G Colin can be reached on 571.272.3862.  The fax phone number for the organization where this application or proceeding is assigned is 571.273.8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866.217.9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800.786.9199 (IN USA OR CANADA) or 571.272.1000.


/Don G Zhao/
Primary Examiner, Art Unit 2493
01/04/2022