Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-20 are pending examination.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 2/11/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Specification
The disclosure is objected to because of the following informalities:
Section [0011] recites “one or more SRM systems” and should recite “one or more SCM .  
Appropriate correction is required.


Claim Objections
Claims 3, 11 and 18 are objected to because of the following informalities:  the claims recite “from the group consisting of adding a hash function to the command code, pinning a version of the software artifact to the command code, and adding a Boolean expression to the command code”.  There is no prior recitation of a group.  The claims are interpreted as “ from a group consisting….”.  
Appropriate correction is required.
Claims 6, 14 and 20  are objected to because of the following informalities the claims recite “from the group consisting of a security requirement and a compliance requirement”  There is no prior recitation of a group.  The claims are interpreted as “from a group consisting  ... “
Appropriate correction is required.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1, 2, 9, 10 and 17 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Hill (2003/0120688).

Regarding claim 1, Hill teaches 
a system, comprising: 
a memory that stores computer executable components; and 
a processor, operably coupled to the memory, and that executes the computer executable components stored in the memory, wherein the computer executable components comprise: (Hill, FIG 3. [0013] FIG. 3 is a schematic diagram of a software development system embodying an architecture for building run-time images from components in accordance with the invention)  (Examiner Note: Fig 3 includes user interface tool, a computing device)
a control component (Hill, [0042] In the system shown in FIG. 3, a component management interface (CMI) module 150 is provided for managing the build process. ) that executes a freeze algorithm that modifies an incorporation of a software artifact within a software application build set, (Hill, [0094] To support this scheme, each primary object contains version information. Primary objects that are not upgradeable (i.e. are either immutable or revisable) are uniquely identified by a single version-specific GUID ("VSGUID") property. Each primary object that is upgradeable has an additional version-independent GUID ("VIGUID") property in addition to a VSGUID) wherein the freeze algorithm prevents implementation of a change to the software artifact by a version control program (Hill, [0100] In contrast, all cross-component references within a configuration 140 are by means of VSGUIDs of the components. When a component is instantiated into a configuration, all the VIGUID component references are converted into VSGUID references within the instance. The purpose of doing so is to "freeze" the instance information to refer to specific versions of the components. Thus, even if new versions of a component are later imported into the database, the configuration continues to refer to the old version. This feature ensures that configuration builds remain consistent, i.e., the same run-time image will be generated, regardless of changes made to the database. [0087] In a preferred embodiment, a formal versioning scheme is implemented.)

Regarding claim 2, Hill teaches
the system of claim 1, wherein the change to the software artifact is an update generated by the version control program, and wherein the freeze algorithm prevents the update from being incorporated into the software application build set  (Hill, [0087] In a preferred embodiment, a formal versioning scheme is implemented. The versioning scheme distinguishes between a "revision" or "update" (the terms are used interchangeably) to an object and an "upgrade" to an object. Revisions to an object conceptually generate a new version of the object that replaces earlier versions. Revisions typically refer to incremental modifications made during the development stage such that there is no need to preserve the old version once the new version is imported into the database. In contrast, an upgrade generates a new version that can co-exist side-by-side with the old version in the component database. [0097] Version 2.0, in contrast, is an upgrade of version 1.1 and has a different VSGUID. Accordingly, version 2.0 and version 1.1 can co-exist in the database)  (Examiner Note: Hill’s description of an upgrade version teaches the limitation update, in [0100] Hill explain his terminology, freeze converts VIGUID into VSGUID)

Claims 9 and 10 are method claims for the system claims 1 and 2 and are rejected for the same reasons as claims 1 and 2.

Claim 17 is a program product claims for the system claim 1 and is rejected for the same reasons as claim 1.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 3, 11 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Hill (2003/0120688) in view of Helix Core (Helix Core P4 Command Reference 2019 NPL).

Regarding claim 3, Hill teaches
the system of claim 1, wherein the incorporation of the software artifact is controlled by a command code, (Hill, [0110] When the user is satisfied with the selection of components for the configuration, she can initiate the build process by selecting a "Build" command through the user interface tool. In turn, the user interface tool 152 calls an API function called "Build" to ask the CMI 150 to start the build process.) and wherein the freeze algorithm performs at least one function selected from the group … adding a Boolean expression to the command code (Hill, [0073] Dependencies in the Include class control the inclusion or exclusion of components in a run-time image.  [0077] The ZeroOrOne dependency type is a group dependency type and means that none or only one component in the "target" group can exist.) (Examiner Note: a build command that occurs after a freeze will use the dependency data1)
Hill does not teach a hash function to the command code, pinning a version of the software artifact to the command code.
However Helix Core teaches a hash function to the command code, (Helix Core, P4, page 622, p4 verify,  pg. 622 lines 14-16, Description  For each revision of the specified depot files, p4 verify reports the revision-specific information and an MD5 digest (fingerprint) of the revision’s contents)
pinning a version of the software artifact to the command code (Helix Core P4, Page 389, p4 protect  Control user access to files, directories, and commands.
Page 390, Permission levels and access rights …  (4th entry level open)
open This gives the user permission to do everything she can do with read access, and gives her permission to p4 add, p4 edit, p4 delete, and p4 integrate files. However, the user is not allowed to lock files or submit files to the depot.
The open access level gives the user permission to change files but not submit them to the depot. Assign this level when you’re temporarily freezing a codeline, but don’t want to stop your developers from working, or when you employ testers who are allowed to change code for their own use but are not allowed to make permanent changes to the codeline.) (Examiner Note: Helix Core teaches commands, p4 verify and p4 protect which are part of the version control)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Helix Core’s protection with Hill’s  versioning system because Helix Core is a known-technique using an existing version control system in the art.

Claim 11 is a method claim for the system claim 3 and is rejected for the same reasons as claim 3.

Claim 18 is a program product claim for the system claim 3 and is rejected for the same reasons as claim 3.

Claims 4, 12 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Hill (2003/0120688) in view of Koshkin (2018/0173510).

Regarding claim 4, Hill teaches
the system of claim 1, further comprising: 
an identification component that analyzes the software application build set to identify the software artifact; and 
a monitor component that monitors a source of the software artifact to detect the change generated by the version control program.  
Hill does not teach an identification component and a monitor component.
However Koshkin teaches an identification component that analyzes the software application build set to identify the software artifact; and 
a monitor component that monitors a source of the software artifact to detect the change generated by the version control program (Koshkin, [0085] As another possibility, monitoring the branches for changes may involve deployment orchestrator 110 comparing (i) an identifier of the most-recent version of the manifest on the given branch with (ii) an identifier of the manifest that is currently deployed at the given deployment environment that corresponds to the given branch. For example, the deployment orchestrator may request an identification of the most-recent version of the manifest on the given branch from the change-control server, or may request a changelog of the manifest on the given branch from the change-control server and may obtain the identifier from a changelog received from the change-control server in response to the request.)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Koshkin’s change-control to Hill’s versioning because doing so improves  authorization of changes (Koshkin [0007] Additionally, the change-control server may also use the branches to facilitate the promotion of artifacts from one deployment environment to another. For instance, each branch may be associated with permissions that define which users can access the branch's corresponding deployment environment and/or grant promotions to that branch/environment. In accordance with these permissions, a first user that is authorized to access a first branch/deployment environment may request promotion of an artifact from the first deployment branch/environment to a second branch/deployment environment, and a second user that is authorized to grant promotions to the second branch/environment may then decide to grant the requested promotion, which may lead to the artifact being merged into the second branch.)

Claim 12 is a method claim for the system claim 4 and is rejected for the same reasons as claim 4.

Claim 19 is a program product claim for the system claim 4 and is rejected for the same reasons as claim 4.


Claims 5-8, 13-16 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Hill (2003/0120688) in view of Koshkin (2018/0173510) in view of Brucker (2017/0169229).

Regarding claim 5, Hill and Koshkin teach
the system of claim 4, further comprising: 
an audit component that generates an audit log based on whether the change to the software artifact addresses a vulnerability in the software artifact (Koshkin, [0085] As another possibility, monitoring the branches for changes may involve deployment orchestrator 110 comparing (i) an identifier of the most-recent version of the manifest on the given branch with (ii) an identifier of the manifest that is currently deployed at the given deployment environment that corresponds to the given branch. For example, the deployment orchestrator may request an identification of the most-recent version of the manifest on the given branch from the change-control server, or may request a changelog of the manifest on the given branch from the change-control server and may obtain the identifier from a changelog received from the change-control server in response to the request.)
Koshkin combined with Hill for the same reasons as claim 4.
Hill-Koshkin does not teach a vulnerability.
However Brucker teaches a vulnerability in the software artifact (Brucker [0034] For example, at the build stage, a build configuration (e.g., maven or ant configurations) of an application can be analyzed to determine a list of components (e.g., libraries and packages) that will be integrated into the application during compilation. [0038] In some implementations, the BOM can be used to monitor the security of application components and track updates to application components. For example, databases or vendor web sites that list known vulnerabilities of software components can be queried for each component (or each version of a component) that is listed in the BOM.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Brucker’s change management system with Hill’s versioning system because doing so improves security when software comprises many components from different sources  (Brucker [0001] Software applications are generally developed by integrating many existing software components. That is, instead of developing new applications from a blank slate, most software applications are built by combining many, at times hundreds of, existing software components such as, proprietary components (e.g., closed-source libraries or device drivers) and Free and Open Source Software (FOSS) components. Furthermore, these components are often created and offered by third-party vendors (e.g., vendors other than the developer of an application that incorporate the components). [0033] As discussed in further detail herein, implementations of the present disclosure provide an efficient and reliable method for generating a comprehensive BOM for a software application and managing the security of the application. In some implementations, a BOM is developed for an application by analyzing multiple aspects of the application and combining the results into comprehensive list of application components (e.g., components used by or incorporated into the application).

Regarding claim 6, Hill, Koshkin and Brucker teach
the system of claim 5, further comprising: 
an analysis component that evaluates the software artifact based on at least one defined threshold selected (Hill, [0071] Registry setting dependencies also control the build order, but they are generated automatically by the CMI as a result of an analysis of component registry inter-dependencies ) (Examiner Note: Hill teaches analyzing components) from the group consisting of a security requirement and a compliance requirement (Brucker, [0057] In some examples, the vulnerability report correlation module 142 is a component of the component monitoring system 106 that correlates vulnerability information from various vulnerability sources such as publicly available vulnerability databases [0058] In some examples, the vulnerability analysis module 140 is a component of the component monitoring system 106 that analyzes determines whether applications are affected by vulnerabilities identified in a component of the application.)
Brucker combined with Hill for the same reasons as claim 5.

Regarding claim 7, Hill, Koshkin and Brucker teach
the system of claim 6, wherein the vulnerability in the software artifact is based on the security requirement (Brucker [0038] In some implementations, the BOM can be used to monitor the security of application components and track updates to application components. For example, databases or vendor web sites that list known vulnerabilities of software components can be queried for each component (or each version of a component) that is listed in the BOM.)
Brucker combined with Hill for the same reasons as claim 5.

Regarding claim 8, Hill, Koshkin and Brucker teach
the system of claim 5, further comprising: an integration component that integrates the change of the software artifact into the software application build set based on the audit log (Koshkin [0085] For example, the deployment orchestrator may request an identification of the most-recent version of the manifest on the given branch from the change-control server, or may request a changelog of the manifest on the given branch from the change-control server [0092] At step 506, after determining the differences between the respective sets of artifacts, the deployment orchestrator causes one or more artifacts to be deployed to a given deployment environment based on the determined differences.)
Koshkin combined with Hill for the same reasons as claim 4.

Claims 13-16 are method claims for the system claims 5-8 and are rejected for the same reasons as claims 5-8.

Claim 20 is program product claims for the system claims 6-8 and are rejected for the same reasons as claims 6-8.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Cowan (7,428,726) teaches software configuration tracking.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRUCE S ASHLEY whose telephone number is (571)270-0315. The examiner can normally be reached 9-5 PDT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jay Kim can be reached on 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/BRUCE S ASHLEY/Examiner, Art Unit 2494                                                                                                                                                                                                        


    
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
    

    
        1 Hill [0071] In the context of building an operating system run-time image, there are three general forms of dependencies: inclusion, build order, and registry setting.