DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This office Action is in response to Application 16259960 filed on 01/28/2019.
Claims 1-20 have been examined and are pending in this application. 
Claims 1, 8 and 15 are independent claims.
This Office Action is made Non-Final.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 01/28/2019 and 08/10/2020 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3, 8, 10, 15 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Kadam et al. (“Kadam,” US 20190079734, filed on 09/12/2017) in view of GUO et al. (“GUO,” US 20160232351, published on 08/11/2016).

Regarding Claim 1; 
Kadam discloses a method for securing vulnerabilities in a software package, the method comprising performing, by a computer system (Kadam: par 0013; evaluating one or more libraries in the input source code files to identify therefrom library risk modules which have specified performance limitations such as security vulnerabilities):  
receiving a set of libraries corresponding to third-party software used by the software package (Kadam: par 0023; fig. 2; receives input source code having one or more libraries which are checked into the system as source code and binary files created by the program developer);  
determining a list of afflicted libraries from the set of libraries, wherein each library of the list of afflicted libraries is affected by a vulnerability (Kadam: par 0025; once the source code libraries are identified, each library is automatically evaluated to identify libraries having performance issues […] to determine if a given library has security vulnerability issues, the library issue evaluation process identifies a library having security issues by accessing a list or repository of security vulnerabilities affecting a specific library that is accessed at a repository of security vulnerabilities); 
determining one or more afflicted libraries from the list of afflicted libraries upon which an application of the software package depends (Kadam: par 0025; to determine if a given library has security vulnerability issues, the library issue evaluation process identifies a library having security issues by accessing a list or repository of security vulnerabilities affecting a specific library that is accessed at a repository of security vulnerabilities; par 0041; performance of software programs by automatically detecting and recommending library upgrade substitutions for replacing problematic libraries in the software program), wherein the application executes code from the one or more afflicted libraries (Kadam: par 0013; evaluating one or more libraries in the input source code files to identify therefrom library risk modules which have specified performance limitations such as security vulnerabilities […] causing one or more hardware processors of the computing device to execute the software applications that configure the processors to perform the operations and generate the outputs), and 
wherein the application calls the one or more afflicted libraries (Kadam: par 0029; the source code is evaluated to find all the API calls of the problematic library and their location in the input source code);  
identifying, for each library of the one or more afflicted libraries, a number of code calls that include the vulnerability (Kadam: par 0029; the source code is evaluated to find all the API calls of the problematic library […] the input source code is run to get the line coverage details for each source code file using the coverage data, the process evaluates the number of API calls that are covered by at least one test case and then determines if the test case coverage for library calls meets a configurable threshold coverage requirement); 
wherein the code calls are made to code within each library of the one or more afflicted libraries (Kadam: par 0029; the source code is evaluated to find all the API calls of the problematic library […] the input source code is run to get the line coverage details for each source code file using the coverage data; par 0039; the source code program modification process includes finding all API call references to the first library in the source code program);
assigning a risk score to the API based on the number of code calls (Kadam: par 0029; the process evaluates the number of API calls that are covered by at least one test case and then determines if the test case coverage for library calls meets a configurable threshold coverage requirement; par 0025; once the source code libraries are identified, each library is automatically evaluated to identify libraries having performance issues […] to determine if a library has a security vulnerability risk. The security issue identification processing includes obtaining a security risk indication (e.g., high risk, medium risk, low risk) for each affected library);  
comparing the risk score of the API to a threshold risk value (Kadam: par 0025; once the source code libraries are identified, each library is automatically evaluated to identify libraries having performance issues […] to determine if a library has a security vulnerability risk. The security issue identification processing includes obtaining a security risk indication (e.g., high risk, medium risk, low risk) for each affected library; par 0029; the test suite of all test cases in the input source code is run to get the line coverage details for each source code file […] if the test case coverage for library calls is below the configurable minimum threshold […] however, if the test case coverage for library calls meets the configurable minimum threshold, then the source code modification process continues to change the source code to incorporate the suitable alternative libraries in substitution for the problematic libraries); and  
causing a remedial action for each afflicted library called by the API in response to the risk score exceeding the threshold risk value (Kadam:  par 0029; the process evaluates the number of API calls that are covered by at least one test case and then determines if the test case coverage for library calls meets a configurable threshold coverage requirement […] if the test case coverage for library calls meets the configurable minimum threshold [i.e., exceeding]  then the source code modification process continues to change the source code to incorporate the suitable alternative libraries in substitution for the problematic libraries).
Kadam discloses all the limitations as recited above, but does not explicitly disclose where a code call is made by an application program interface (API) of the application of the software package. 
However, in an analogous art, GUO discloses identifying computer virus variants system/method that includes:
where a code call is made by an application program interface (API) of the application of the software package (GUO: par 0020; the call order of the APIs may or may not be recorded depending on the application environment; par 0025; the generated characteristic API call sequences that respectively correspond to each one of the virus families may be obtained from the feature library of the characteristic API call sequence that has been generated in the preprocessing stage).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of GUO with the method/system of Kadam to include where a code call is made by an application program interface (API) of the application of the software package. One would have been motivated to determine whether the virus sample to be tested is a virus variant by the extent of a match between the API call sequence produced by the virus sample and any characteristic API call sequence of any one of the virus families (GUO: abstract).
	
Regarding Claim 3; 
The combination of Kadam and Guo discloses the method of claim 1.
Kadam further discloses analyzing release notes and changelogs using a natural language processor engine of the computing system to determine one or more fixable libraries from the list of afflicted libraries (Kadam: par 0003; fig. 2; the source code may be automatically modified to use the retrieved/recommended library alternative in place of an identified problematic library […] use machine learning, natural language processing (NLP), and/or artificial intelligence (AI) in combination with static and/or dynamic code analysis techniques to automatically analyze libraries included in a source code file against performance limitation criteria and a database of suitable library replacements to yield library substitution opportunities which are used to modify the source code file; par 0029; if the source code is successfully changed, affirmative outcome to success, then the modified source code is ready for testing), wherein a newer version of a fixable library removes or reduces an impact of the vulnerability in a current version of the fixable library (Kadam: par 0029; fig. 2; if the source code is successfully changed, affirmative outcome to success, then the modified source code is ready for testing; par 0030; running the test suite cases to determine if any new test case has failed after the library upgrade. For example […] if there are no new test case failures, then the auto-upgrade is marked successful), wherein the remedial action includes updating the current version of the fixable library to the newer version of the fixable library (Kadam: par 0029; fig. 2; the process evaluates the number of API calls that are covered by at least one test case and then determines if the test case coverage for library calls meets a configurable threshold coverage requirement […] if the test case coverage for library calls meets the configurable minimum threshold then the source code modification process continues to change the source code to incorporate the suitable alternative libraries in substitution for the problematic libraries; par 0030; running the test suite cases to determine if any new test case has failed after the library upgrade. For example […] if there are no new test case failures, then the auto-upgrade is marked successful).  

Regarding Claim 8;
This claim recites a non-transitory computer-readable medium that performs the same steps as the method of claim 1 and has limitations similar to those of claim 1; it is thus rejected with the same rationale applied against claim 1.  

Regarding Claim 10;
This claim recites a non-transitory computer-readable medium that performs the same steps as the method of claim 3 and has limitations similar to those of claim 3; it is thus rejected with the same rationale applied against claim 3.  

Regarding Claim 15;
This claim recites a system that performs the same steps as the method of claim 1 and has limitations similar to those of claim 1; it is thus rejected with the same rationale applied against claim 1.  


Regarding Claim 17;
This claim recites a system that performs the same steps as the method of claim 3 and has limitations similar to those of claim 3; it is thus rejected with the same rationale applied against claim 3.  

Claims 2, 9 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Kadam et al. (US 20190079734) and GUO et al. (US 20160232351) in view of LEE et al. (“LEE,” US 20130226975, published on 08/29/2013) and further in view of Hunt et al. (“Hunt,” US 20180124110, published on 05/03/2018).
Regarding Claim 2; 
The combination of Kadam and Guo discloses the method of claim 1.
Kadam further discloses a public domain for newer versions of each library of the list of afflicted libraries (Kadam: par 0014; access a web interface to a CVE vulnerability database to check for security vulnerabilities, exploits, Metasploit modules, vulnerability statistics and list of versions, and the like; par 0029; fig. 2; the change may be implemented by changing the version number information for a library to an updated version of the library based on information obtained from the Maven repository); and storing, in the database, release notes and changelogs associated with the newer versions (Kadam: par 0029; fig. 2; if the source code is successfully changed, affirmative outcome to success, then the modified source code is ready for testing).  
The combination of Kadam and Guo discloses a public domain for newer versions of each library of the list of afflicted libraries as recited above, but does not 
However, in an analogous art, LEE discloses file management system/method that includes:
storing, in a database of the computer system, a uniform resource identifier ("URI") for each library within the set of libraries (Lee: par 0013; a container controller is configured to store a plurality of Uniform Resource Identifiers (URI) respectively corresponding to a plurality of content files [according to the specification, par 0020, the term library may refer to a collection of non-volatile resources used by computer programs]); based on the URI for each library (Lee: par 0013; a container controller is configured to store a plurality of Uniform Resource Identifiers (URI) respectively corresponding to a plurality of content files).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Lee with the method/system of Kadam and Guo to include storing, in a database of the computer system, a uniform resource identifier ("URI") for each library within the set of libraries; based on the URI for each library. One would have been motivated to replace the first library with the first alternative library, thereby generating a modified source code program having an upgraded library functionality (Lee: abstract).

However, in an analogous art, Hunt discloses detecting malicious behavior system/method that includes:
searching, using a web crawler implemented by the computer system (Hunt: par 0069; the web crawler retrieves a document for rendering the web page using the URI. The web crawler may then parse the document, causing one or more additional URIs to be called). 
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Hunt with the method/system of Kadam, Guo and Lee to include searching, using a web crawler implemented by the computer system. One would have been motivated to use crawl processes implemented to search networks, e.g., the Internet, for network-based assets according to a crawl configuration (Hunt: abstract).

Regarding Claim 9;
This claim recites a non-transitory computer-readable medium that performs the same steps as the method of claim 2 and has limitations similar to those of claim 2; it is thus rejected with the same rationale applied against claim 2.  



Regarding Claim 16;
This claim recites a system that performs the same steps as the method of claim 2 and has limitations similar to those of claim 2; it is thus rejected with the same rationale applied against claim 2.  

Claims 4-5, 11-12 and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Kadam et al. (US 20190079734) in view of GUO et al. (US 20160232351) and further in view of Maier et al. (“Maier,” US 20070006222, published on 01/04/2007).

Regarding Claim 4; 
The combination of Kadam and Guo discloses the method of claim 1.
Kadam further discloses comparing, using a code differentiation tool of the computer system, code of a newer version of a library against code of a current version of the library for each library of the one or more afflicted libraries (Kadam: par 0029; fig. 2; if the source code is successfully changed, then the modified source code is ready for testing; par 0030; test the modified source code by running the test suite cases to determine if any new test case has failed after the library upgrade. For example, if the original input source code has 100 test cases with only 90 test cases passing, then test processing assesses the modified source code to determine whether the 90 passing test cases still pass. If there are any new test case failures, then the auto-upgrade is marked unsuccessful, the failed test cases are marked as “Require developer Review,” and the library upgrade workflow ends. However, if there are no new test case failures, then the auto-upgrade is marked successful).  
The combination of Kadam and Guo discloses all the limitations as recited above, but does not explicitly disclose determining, in response to the comparison by the code differentiation tool, that the newer version is not backwards compatible with the current version.  
However, in an analogous art, Maier discloses software installation system/method that includes:
determining, in response to the comparison by the code differentiation tool, that the newer version is not backwards compatible with the current version (Maier: par 0037; determined whether the already installed software component is backward compatible with the i-th newly to be installed software component by comparing the earliest-compatible-version identifier of the already installed software component to the current-version identifier of the i-th newly to be installed software component; par 0008; the second software component is of a later current version that is not backward compatible to the current version of the first software component).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Maier with the method/system of Kadam and Guo to include determining, in response to the comparison by the code differentiation tool, that the newer version is not backwards compatible with the current version. One would have been motivated by the fact that, after a release that breaks backward compatibility with an earlier version, a software product that requires the earlier version can no longer share the software component with another software product that requires the later version (Maier: par 0003).

Regarding Claim 5; 
The combination of Kadam, Guo and Maier discloses the method of claim 4.
Kadam discloses generating a report including the list of afflicted libraries, the risk score of the API (Kadam: par 0013; fig. 3; causing one or more hardware processors of the computing device to execute the software applications that configure the processors to perform the operations and generate the outputs; par 0031; screen shot of user interface, there is a “Summary” page or tab, a “Security Vulnerabilities” page or tab, a “License Risks” page or tab, a “Policy Violations” page or tab, a “Library Age Metrics” page or tab); transmitting the report to one or more user devices operated by users implementing the application (Kadam: par 0013; fig. 3; causing one or more hardware processors of the computing device to execute the software applications that configure the processors to perform the operations and generate the outputs; par 0031; screen shot of user interface, there is a “Summary” page or tab, a “Security Vulnerabilities” page or tab, a “License Risks” page or tab, a “Policy Violations” page or tab, a “Library Age Metrics” page or tab; par 0033; displays a first “Library Auto-Upgrade Results” summary field identifying the auto-upgrade results for the alternative libraries identified for possible upgrade of a problematic library).
(Maier: par 0044; figs. 2 and 4; a black circle marks the current-version of the first software component and an open circle marks the earliest-compatible-version of the first software component. The current-version of the first software component is earlier than the earliest-compatible-version of the second software component. In this situation the installation is aborted because the second software component is not backward compatible to the first software component, and installing the first software component over the second software component would break already installed software products that rely on the newer current-version of the second software component).
One would have been motivated by the fact that, after a release that breaks backward compatibility with an earlier version, a software product that requires the earlier version can no longer share the software component with another software product that requires the later version (Maier: par 0003).

Regarding Claim 11;
This claim recites a non-transitory computer-readable medium that performs the same steps as the method of claim 4 and has limitations similar to those of claim 4; it is thus rejected with the same rationale applied against claim 4.  




Regarding Claim 12;
This claim recites a non-transitory computer-readable medium that performs the same steps as the method of claim 5 and has limitations similar to those of claim 5; it is thus rejected with the same rationale applied against claim 5.  

Regarding Claim 18;
This claim recites a system that performs the same steps as the method of claim 4 and has limitations similar to those of claim 4; it is thus rejected with the same rationale applied against claim 4.  

Regarding Claim 19;
This claim recites a system that performs the same steps as the method of claim 5 and has limitations similar to those of claim 5; it is thus rejected with the same rationale applied against claim 5.  

Claims 6, 14 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Kadam et al. (US 20190079734) in view of GUO et al. (US 20160232351) and further in view of Mulchandani et al. (“Mulchandani,” US 20160357967, published on 12/08/2016).

Regarding Claim 6; 
The combination of Kadam and Guo discloses the method of claim 1.
(Kadam: par 0025; once the source code libraries are identified, each library is automatically evaluated to identify libraries having performance issues. While any suitable code evaluation technique may be used, selected embodiments may employ NLP and/or machine learning to determine if a given library has security vulnerability issues […] to determine if a library has a security vulnerability risk. The security issue identification processing includes obtaining a security risk indication (e.g., high risk, medium risk, low risk) for each affected library).
The combination of Kadam and Guo discloses wherein assigning a risk score of each library from the one or more afflicted libraries in relation to the application as recited above, but does not explicitly disclose wherein assigning a risk score includes determining a dependency relationship, wherein a risk score for a direct dependency is assigned differently from a risk score for a transitive dependency.  
However, in an analogous art, Mulchandani discloses risk classification system/method that includes:
wherein assigning a risk score includes determining a dependency relationship (Mulchandani: par 0010; by the process risk classifier, one or more dependency maps for the particular process that identify one or more dependencies for the particular process. The current risk score can be further determined based on the one or more dependencies for the particular process); wherein a risk score for a direct dependency is assigned differently from a risk score for a transitive dependency (Mulchandani: par 0005; risk scores can be generated dynamically for processes; par 0032; the process risk classifier can use any of a variety of techniques to determine the risk score. For example, the process risk classifier can start with a default score for the process, such as a middle score (e.g., score of 50 for risk scores ranging from 0-100), and then increase or decrease the score as indicators of risk or safety are presented through risk assessment information for the process. For example, a dependency mapping that shows the process not going down any paths that present potential risks could decrease the risk score (e.g., drop the risk score from 50 to 40) and low resource usage could decrease the risk score further (e.g., decrease risk score from 40 to 20)).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Mulchandani with the method/system of Kadam and Guo to include wherein assigning a risk score includes determining a dependency relationship, wherein a risk score for a direct dependency is assigned differently from a risk score for a transitive dependency. One would have been motivated to have a process risk classifier running on a computer system handle a request to determine a risk level for a particular process (Mulchandani: abstract).
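As an added worked example, not code from the application or from any reference cited above, the following Python sketches the claim 1 pipeline (afflicted libraries, dependency check, counting code calls into the vulnerable API, scoring against a threshold, remedial action) together with the claim 6 distinction between direct and transitive dependencies and the claim 3 upgrade-style remedy. The vulnerability feed, library set, dependency graph, application source, point values, weights and threshold are all constructed assumptions.

```python
"""Dependency-risk scoring over constructed sample data (illustrative only)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed vulnerability feed: affected versions, fixed version (None if no
# fix exists yet) and the API entry points that carry the vulnerability.
VULN_FEED = {
    "imgparse": {"affected": {"1.2.0"}, "fixed_in": "1.3.0",
                 "apis": {"imgparse.load", "imgparse.decode"}},
    "yamlcfg": {"affected": {"0.9.1"}, "fixed_in": None, "apis": {"yamlcfg.load"}},
}

# Claim 1 "set of libraries": third-party packages pinned by the software package.
LIBRARIES = {"imgparse": "1.2.0", "yamlcfg": "0.9.1", "httpkit": "2.0.0", "netutil": "3.1.0"}

# Dependency edges: the application depends directly on httpkit and yamlcfg;
# imgparse is only reached through httpkit, so it is a transitive dependency.
DEPENDS_ON = {"app": {"httpkit", "yamlcfg"}, "httpkit": {"imgparse"},
              "imgparse": set(), "yamlcfg": set(), "netutil": set()}

# Constructed application source whose API calls are counted.
APP_SOURCE = """
cfg = yamlcfg.load(open("app.yaml"))
img = imgparse.load(path)
thumb = imgparse.decode(img, size=64)
other = imgparse.decode(img, size=128)
client = httpkit.Client(cfg["url"])
"""

# Assumed scoring policy: points per vulnerable call site, weighted by how the
# library is reached (claim 6 assigns direct and transitive paths differently).
POINTS_PER_CALL = 20
DEPENDENCY_WEIGHT = {"direct": 1.0, "transitive": 0.5}
RISK_THRESHOLD = 25

CALL_RE = re.compile(r"\b([A-Za-z_]\w*\.[A-Za-z_]\w*)\s*\(")  # module.func(


@dataclass
class Finding:
    library: str
    version: str
    dependency: str
    calls: dict[str, int]
    score: int
    action: str


def afflicted_libraries(libraries: dict[str, str], feed: dict) -> dict[str, dict]:
    """Claim 1: libraries whose pinned version is listed as affected."""
    return {name: feed[name] for name, ver in libraries.items()
            if name in feed and ver in feed[name]["affected"]}


def dependency_kind(graph: dict[str, set[str]], root: str, lib: str) -> str | None:
    """'direct' if root lists lib, 'transitive' if reachable further down, else None."""
    if lib in graph.get(root, set()):
        return "direct"
    seen, frontier = set(), list(graph.get(root, set()))
    while frontier:
        node = frontier.pop()
        if node in seen:
            continue
        seen.add(node)
        if lib in graph.get(node, set()):
            return "transitive"
        frontier.extend(graph.get(node, set()))
    return None


def count_vulnerable_calls(source: str, apis: set[str]) -> dict[str, int]:
    """Number of call sites in the application that invoke each vulnerable API."""
    counts = {api: 0 for api in apis}
    for match in CALL_RE.finditer(source):
        if match.group(1) in apis:
            counts[match.group(1)] += 1
    return counts


def risk_score(num_calls: int, kind: str) -> int:
    """Score grows with the call count and is scaled by the dependency kind (capped at 100)."""
    return min(100, round(num_calls * POINTS_PER_CALL * DEPENDENCY_WEIGHT[kind]))


def assess(libraries, feed, graph, source, threshold=RISK_THRESHOLD) -> list[Finding]:
    """Full pipeline: afflicted -> depended upon -> called -> scored -> remedial action."""
    findings = []
    for name, vuln in afflicted_libraries(libraries, feed).items():
        kind = dependency_kind(graph, "app", name)
        if kind is None:
            continue  # application does not depend on this library at all
        calls = count_vulnerable_calls(source, vuln["apis"])
        total = sum(calls.values())
        if total == 0:
            continue  # depended upon, but the vulnerable API is never called
        score = risk_score(total, kind)
        if score <= threshold:
            action = "none"
        elif vuln["fixed_in"]:  # claim 3: a newer version removes the vulnerability
            action = f"upgrade {name} {libraries[name]} -> {vuln['fixed_in']}"
        else:
            action = "require developer review"
        findings.append(Finding(name, libraries[name], kind, calls, score, action))
    return findings


if __name__ == "__main__":
    for finding in assess(LIBRARIES, VULN_FEED, DEPENDS_ON, APP_SOURCE):
        print(finding)
```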
	
Regarding Claim 14;
This claim recites a non-transitory computer-readable medium that performs the same steps as the method of claim 6 and has limitations similar to those of claim 6; it is thus rejected with the same rationale applied against claim 6.  
Regarding Claim 20;
This claim recites a system that performs the same steps as the method of claim 6 and has limitations similar to those of claim 6; it is thus rejected with the same rationale applied against claim 6.  

Claims 7 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Kadam et al. (US 20190079734) in view of GUO et al. (US 20160232351) and further in view of Beale et al. (“Beale,” US 20180069889, published on 03/08/2018).

Regarding Claim 7; 
The combination of Kadam and Guo discloses the method of claim 1.
The combination of Kadam and Guo discloses all the limitations as recited above, but does not explicitly disclose wherein a higher risk score indicates a higher chance of a security breach and a lower risk score indicates a lower chance of a security breach.  
However, in an analogous art, Beale discloses security breach system/method that includes:
wherein a higher risk score indicates a higher chance of a security breach and a lower risk score indicates a lower chance of a security breach (Beale: par 0027; each entity associated with two values corresponding to a low risk level and a high risk level. The two values may provide an assessment as to the likelihood that the entity will be subjected to an attack by the unauthorized entity. For example, the value for the high risk level may provide a measure based on whether the entity has a high likelihood to be subjected to an attack by an unauthorized entity and the value for the low risk level may provide another measure based on whether the entity has a low likelihood to be subjected to an attack by an unauthorized entity).  

Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Beale with the method/system of Kadam and Guo to include wherein a higher risk score indicates a higher chance of a security breach and a lower risk score indicates a lower chance of a security breach. One would have been motivated to generate an assessment of a security breach of the asset based on the received one or more values associated with the security breach for the additional assets of the network infrastructure (Beale: abstract).
	

Regarding Claim 13;
This claim recites a non-transitory computer-readable medium that performs the same steps as the method of claim 7 and has limitations similar to those of claim 7; it is thus rejected with the same rationale applied against claim 7.  





Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHAO WANG whose telephone number is (313)446-6644.  The examiner can normally be reached on Monday-Friday 7:30-4:30PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571)270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-




/C.W./Examiner, Art Unit 2439                       



/JAHANGIR KABIR/Primary Examiner, Art Unit 2439