DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Objections
Claims 6, 14 and 22 are objected to because of the following informalities: “identifying the identifying the set of source code files based on the file list”.  “Identifying the” is repeated twice.  Appropriate correction is required.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 5-9, 13-17 and 21-24 are rejected under 35 U.S.C. 103 as being unpatentable over Russell et al. (US 2013/0326479 A1) and further in view of Cook et al. (US 11,200,144 B1).
A per claim 1, Russell et al. teaches the invention as claimed including, “A computer implemented method for scanning source code files included in an application, the method comprising:

Russell et al. teaches a trace system that retrieves a build system product (assembly) and tracking information (metadata) associated with the build system product (0034).  The build system comprises a compiler/assembler for compiling object files from source code files and a linker for linking the compiler object files into a build-system product.  Tracking information providing a source code identifier associated with each file used to generate the build system is created and linked to the build-system product.  Tracking information may be embedded in the build system product, embedded with a debug file, or provided in a separate file as an output product of the build system (0027).  
“identifying a file path for each source code file identified from the assembly, wherein the file path is identified within the assembly metadata;
responsive to identifying the file paths from the assembly metadata, identifying the set of source code files within a code repository; and:”
Russell et al. teaches, from the tracking information (metadata), a source code file identification component determines the source code file identifiers, such as a source code hash, each of which identifies a source code file that was utilized to generate the build-system product from a source code repository (0034).  Also see 0020, 0024, 0030-0031.
Russell et al. teaches a source code file marker retrieval component that retrieves markers identified from each of the source code files.  Compliance identifiers, markers are extracted (scanned source code) from the source code files for each of the source code files. The determined markers are then used to determine the associated compliance information from the compliance data repository and a compliance requirement report is generated (0034).  However Russel et al. does not explicitly appear 
Cook et al. teaches the scanning/static analysis of source code to determine vulnerabilities (column 2, lines 14-25).
It would have been obvious to one of ordinary skill in the art before the effective filing date to modify Russel et al. with Cook et al. because Russel et al. teaches a method of determining source code for a build/assembly and scanning the determined source code to extract/determine compliance information to generate a compliance report for all the source code.  Cook et al. teaches scanning source code for vulnerabilities.  Scanning source code for vulnerabilities is well known in the art and would have been obvious to try.  This will allow Russel et al. to check the determined source code for more than just compliance issues.  The examiner further states that Russel et al. teaches the tracking information providing a source code identifier associated with each file used to generate the build system (0027).  Therefore it would have been obvious for only those files to be scanned.   
As per claim 5, Russell et al. further teaches, “The method of claim 1, further comprising:
generating a file list of the set of source code files based on the file paths identified from the assembly metadata.”
Russell et al. teaches, from the tracking information, a source code file identification component determines the source code file identifiers (file list), such as a source code hash, each of which identifies a source code file that was utilized to generate the build-system product from a source code repository.  Source code file marker retrieval component retrieves markers identified from each source code file 
As per claim 6, Russell et al. further teaches, “The method of claim 5, wherein the step of identifying the set of source code files further comprises:
identifying the identifying the set of source code files based on the file list.”
Russell et al. teaches, from the tracking information, a source code file identification component determines the source code file identifiers (file list), such as a source code hash, each of which identifies a source code file that was utilized to generate the build-system product from a source code repository.  Source code file marker retrieval component retrieves markers identified from each source code file (therefore IDs are used to locate/identify the source code file) (0034).  Also see 0020, 0024, 0030-0031.  Source IDs are generated from source code file identifiers, such as URL and a version identifier of the source code file.  Source Ids may also be generated from a hash of the source code file location and the version identifier of the source code file.  The source code IDs point to the source code file (0031).
As per claim 7, Russell et al. and Cook et al. further teach, “The method of claim 5, further comprising:
performing a valuation of the assembly, wherein the valuation is based on the set of source code files identified from the assembly metadata, and wherein the valuation omits files in the code repository that were not identified within the assembly metadata.”
each file used to generate the build system (0027).  Therefore it would have been obvious for only those files to be scanned.     
Cook et al. teaches the scanning/static analysis of source code to determine vulnerabilities (column 2, lines 14-25).
As per claim 8, Russell et al. and Cook et al. further teach, “The method of claim 5, further comprising: 
performing an audit of the assembly, wherein the audit is based on the set of source code files identified from the assembly metadata, and wherein the audit omits files in the code repository that were not identified within the assembly metadata.”
Russell et al. teaches a source code file marker retrieval component that retrieves markers identified from each of the source code files.  Compliance identifiers, markers are extracted from the source code files for each of the source code files. The determined markers are then used to determine the associated compliance information from the compliance data repository and a compliance requirement report (audit) is generated (0034).  The examiner further states that Russel et al. teaches the tracking information providing a source code identifier associated with each file used to generate the build system (0027).  Therefore it would have been obvious for only those files to be scanned.     

Regarding claims 9, 13-17 and 21-24, these claims contain similar limitations to claims 1 and 5-8.  Therefore claims 9, 13-17 and 21-24 are rejected for the same reasons as claims 1 and 5-8.
Claims 2-3, 10-11 and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Russell et al. (US 2013/0326479 A1) and Cook et al. (US 11,200,144 B1) as applied to claims 1, 9 and 17 above, further in view of Bennett et al. (US 2003/0065976 A1) and Zhang et al. (US 2018/0018459 A1).
  As per claim 2, Russell et al. teaches, “The method of claim 1, further comprising:
compiling the set of source code files to generate the assembly and a symbol file that is associated with the assembly; and”
Russell et al. teaches, the build system comprises a compiler/assembler for compiling object files from source code files (0027).  
However Russel et al. does not teach the generation of a symbol file that is associated with the assembly.
Bennett et al. teaches, when code is assembled or compiled resulting object code is generated.  In addition, an object file called a symbol file is also generated and stored with the object code (0021).
It would have been obvious to one of ordinary skill in the art before the effective filing date to modify Russell et al. with Bennett et al. because generating a symbol file when compiling source code is well known in the art and it would have been nothing more than a design choice.  

Zhang et al. teaches publishing (deploying) an application program to an application marketplace (production environment) (0021).
The examiner states that it would have been obvious to one of ordinary skill in the art for the symbol file not to be deployed because it is never being used.  Russell et al. teaches, the build system comprises a compiler/assembler for compiling object files from source code files (0027).  However, Russle et al. does not teach the generation of a symbol file.  Bennett et al. teaches the generation of a symbol file along with the object code and that disassemblers make use of these symbol files to make the disassembled code more readable to humans by relabeling subroutines and variables after performing disassembly on the object code (0021).  Zhang et al. teaches publishing (deploying) an application program to an application marketplace (production environment) (0021).  Zhang et al. also taches the decompiling of binary code for static analysis  (0034) but does not teach the generation or deployment of a symbol file.  Russel et al. teaches a method of determining source code for a build without decompiling/disassembling the build/object code.  Therefore the symbol table is not needed since the original source code files are found in the repository and they system would not need to disassemble the build to generate code that needs to be translated with a symbol file to be human readable. Therefore it would have been obvious for the build/object code to be sent without a symbol file since source code can be determined without it. 
As per claim 3, Zhang et al. further teaches, “The method of claim 2, wherein the step of identifying the assembly further comprises:

Zhang et al. teaches that the analysis system receives new APKs in a number of ways.  They can be from client devices (production environment) and from crawling the app marketplace (production environment) (0023).
As per claims 10-11 and 18-19, claims 10-11 and 18-19 contain similar limitations to claims 2-3.  Therefore claims 10-11 and 18-19 are rejected for the same reasons as claims 2-3.
Claims, 4, 12 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Russell et al. (US 2013/0326479 A1) and Cook et al. (US 11,200,144 B1), Bennett et al. (US 2003/0065976 A1) and Zhang et al. (US 2018/0018459 A1) as applied to claims 2, 10 and 18 above, further in view of Ryall et al. (US 2020/0004519 B1) and Tan et al. (US 2014/0068588 B1).
As per claim 4, Russell et al. further teaches, “The method of claim 2, wherein the set of source code files is a first set of source code files, the method further comprising:
“deploying a second set of source code files directly to the production environment, wherein the second set of source code files are not compiled;”
“creating a hash of the second set of source code files;”
Russell et al. teach a source code identifier (Source ID) (hash) associated with each file used to generate a build system product (0027).
 “creating a build of the application, the build comprising the assembly and the second set of source code files; and”

However Russell et al. does not explicitly appear to teach “deploying a second set of source code files directly to the production environment, wherein the second set of source code files are not compiled;” and “creating a hash of the build.”
Ryall et al. teaches deploying source code revisions (second set of source code files) (abstract).  The revisions are automatically deployed into one or more environments such as a production environment (0004).  Also see 0024.  Ryall et al. does not teach compiling the source code therefore the source code is not compiled.   Ryall et al. also teaches a unique identifier (hash) for the source code revision (0051).  
It would have been obvious to one of ordinary skill in the art before the effective filing date to modify Russell et al. with Ryall et al. because both relate to a similar field of endeavor.  Ryall et al. teaches the deployment of source code directly to a production system.  This is nothing more than a design choice and would have been obvious to try.
However Russell et al. and Ryall et al. do not explicitly appear to teach, “creating a hash of the build.”
Tan et al. teaches the creation of a build identifier that can be in the form of a hash (0019). 
It would have been obvious to one of ordinary skills in the art before the effective filing date to modify Russell et al. with Tan because the both teach the use of an application build.  Having a build 
As per claims 12 and 20, claim 12 and 20 contain similar limitations to claim 4.  Therefore claims 12 and 20 are rejected for the same reasons as claims 4.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Mitchell et al. (US 11,074,154 B2), teaches referencing a compiled file for debugging and searching for potential source files of the compiled file form configured repositories (abstract).

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MARK A GOORAY whose telephone number is (571)270-7805. The examiner can normally be reached Monday - Friday 10:00am - 6:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lewis Bullock can be reached on 571-272-3759. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional 
/MARK A GOORAY/               Examiner, Art Unit 2199      
/LEWIS A BULLOCK  JR/               Supervisory Patent Examiner, Art Unit 2199