DETAILED ACTION
Remarks
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

This Office Action is filed in response to Applicant’s arguments and amendment dated February 9, 2022.  Claims 1-20 remain pending in the application and have been fully considered by Examiner.    
Applicant's arguments with respect to the prior art rejections have been considered, but are not persuasive, as detailed below in the Prior Art Argument - Rejections section.

Examiner Notes
Examiner cites particular columns, paragraphs, figures and line numbers in the references as applied to the claims below for the convenience of the applicant. Although the specified citations are representative of the teachings in the art and are applied to the specific limitations within the individual claim, other passages and figures may apply as well. It is respectfully requested that, in preparing responses, the applicant fully consider the references in their entirety as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the prior art or disclosed by the examiner.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.


Prior Art Arguments – Rejections
Applicant’s arguments have been fully considered by Examiner, but they are not persuasive, as follows:

With respect to claims 1, 9, and 16, Applicant primarily argues that “GenProg only searches one program whereas claims 1, 9, and 16 each recites, "first repair example...of a first software program, and the second repair example...of a second software program’”1.  In response, Examiner first notes that claims must be “given their broadest reasonable interpretation consistent with the specification.” Phillips v. AWH Corp., 415 F.3d 1303, 75 USPQ2d 1321 (Fed. Cir. 2005).  Although claims of issued patents are interpreted in light of the specification, prosecution history, prior art and other claims, this is not the mode of claim interpretation to be applied during examination. During examination, the claims must be interpreted as broadly as their terms reasonably allow. In re American Academy of Science Tech Center, 367 F.3d 1359, 1369, 70 USPQ2d 1827, 1834 (Fed. Cir. 2004) (The USPTO uses a different standard for construing claims than that used by district courts; during examination the USPTO must give claims their broadest reasonable interpretation in light of the specification.).  Significantly, Applicant has not claimed that the “first software program” and “second software program” are different programs.  Applicant’s argument is therefore unpersuasive. 

With respect to all dependent claims, Applicant references the arguments made with respect to claims 1, 9, and 16, which are unpersuasive for the reasons set forth above.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1 and 3-20 are rejected under 35 U.S.C. 103 as being unpatentable over Claire Le Goues et al., “GenProg: A Generic Method for Automatic Software Repair” (hereinafter Goues) in view of Papaxenopoulos et al. 20180336356 (hereinafter Papaxenopoulos).

	With respect to claim 1, Goues discloses A method, comprising: 
	identifying at least one first string in a first repair example and at least one second string in a second repair example, wherein the first repair example is configured to repair a first violation of a first software program, and the second repair example is configured to repair a second violation of a second software program, and wherein the first violation and the second violation are string-related violations (e.g., Figs. 1-3 and 5 along with associated text, e.g., p. 56, left column, GenProg searches for valid variants of the original program that do not display the specified buggy behavior [identifying at least one first string and second string in a first and second repair example, the first and second repair examples configured to repair first and second violations].... we assume that most defects [violations] can be repaired by adapting existing code from another location in the program [repair example configured to repair a violation]. In practice, a program that makes a mistake in one location often handles a similar situation correctly in another;; see also pp. 54-55, GenProg uses only statements [string] from the program itself to repair errors and does not invent new code, p. 55, p. 55, left column, the algorithm can repair multiple types of errors, and Section 4 Repair descriptions at pp. 59-61.); 
	generating a first set of string edit actions for the first software program based on the identified at least one first string in the first repair example and the first violation (e.g., Figs. 1-3 and 5 along with associated text, e.g., p. 58, right column, The search terminates successfully when GP discovers a primary repair that passes all test cases. ....Therefore, GenProg minimizes the primary repair to produce the final repair, expressed as a list of edits in standard diff format, see also p. 58, left column, first paragraph.); 
	generating a second set of string edit actions for the second software program based on the identified at least one second string in the second repair example and the second violation (Id.; see also p. 55, left column, the algorithm can repair multiple types of errors.); 
	determining one or more [common] string edit actions based on the generated first set of string edit actions and the generated second set of string edit actions (e.g., Figs. 1-3 and 5 along with associated text, e.g., p. 58, left column, DIFFX edits can be converted automatically to standard diff patches, which can either be applied automatically to the system or presented to developers for inspection); and 
	[applying the determined one or more common string edit actions on a string-related third violation of a third software program to generate a repaired third software program].
	Goues does not appear to explicitly disclose that the determined one or string edit actions are common string edit actions, or applying the determined one or more common string edit actions on a string-related third violation of a third software program to generate a repaired third software program.  However, this is taught by Papaxenopoulos (e.g., [0019], A security patch rule (e.g., API, etc.) can include rules for applying a plurality of possible patches (e.g., classes, libraries, etc.) to the source code and/or representation based on the vulnerabilities including, for example, multiple types of encryption to implement, multiple source code modifications, or combinations of these and/or other types of patches to the source code [combining source code patches, i.e. common string edit actions]; [0034], provided by the static security analysis application The patched source code representation can then be integrated with the rest of the source code by, for example, committing the code 112 to a source code repository before the next scan of the source code to find additional vulnerabilities [applying the determined one or more common string edit actions on a string-related third violation of a third software program to generate a repaired third software program]; see also [0030].).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the technique of Goues with the invention of Papaxenopoulos because it “addresses the need in the art for automatic and directed remediation (by a security application) of security vulnerabilities in software applications and/or source code,” as suggested by Papaxenopoulos (see [0014]).  

With respect to claim 9, Goues discloses One or more non-transitory computer-readable storage media configured to store instructions that, in response to being executed, cause a system to perform operations (e.g., pp. 61-62, Section 5.1 Experimental Setup, This section reports the results of experiments that use GenProg to repair errors in multiple legacy programs: 1) evaluating repair success over multiple trials and 2) measuring performance and scalability in terms of fitness function evaluations and wall-clock time.... Our experiments were conducted on a quad-core 3 GHz machine.), the operations comprising: 
identifying at least one first string in a first repair example and at least one second string in a second repair example, wherein the first repair example is configured to repair a first violation of a first software program, and the second repair example is configured to repair a second violation of a second software program, and wherein the first violation and the second violation are string-related violations (e.g., Figs. 1-3 and 5 along with associated text, e.g., p. 56, left column, GenProg searches for valid variants of the original program that do not display the specified buggy behavior [identifying at least one first string and second string in a first and second repair example, the first and second repair examples configured to repair first and second violations].... we assume that most defects [violations] can be repaired by adapting existing code from another location in the program [repair example configured to repair a violation]. In practice, a program that makes a mistake in one location often handles a similar situation correctly in another;; see also pp. 54-55, GenProg uses only statements [string] from the program itself to repair errors and does not invent new code, p. 55, p. 55, left column, the algorithm can repair multiple types of errors, and Section 4 Repair descriptions at pp. 59-61.); 
generating a first set of string edit actions for the first software program based on the identified at least one first string in the first repair example and the first violation (e.g., Figs. 1-3 and 5 along with associated text, e.g., p. 58, right column, The search terminates successfully when GP discovers a primary repair that passes all test cases. ....Therefore, GenProg minimizes the primary repair to produce the final repair, expressed as a list of edits in standard diff format, see also p. 58, left column, first paragraph.); 
generating a second set of string edit actions for the second software program based on the identified at least one second string in the second repair example and the second violation (Id.; see also p. 55, left column, the algorithm can repair multiple types of errors.); 
determining one or more [common] string edit actions based on the generated first set of string edit actions and the generated second set of string edit actions (e.g., Figs. 1-3 and 5 along with associated text, e.g., p. 58, left column, DIFFX edits can be converted automatically to standard diff patches, which can either be applied automatically to the system or presented to developers for inspection); and 
[applying the determined one or more common string edit actions on a string- related third violation of a third software program to generate a repaired third software program].
	Goues does not appear to explicitly disclose that the determined one or string edit actions are common string edit actions, or applying the determined one or more common string edit actions on a string-related third violation of a third software program to generate a repaired third software program.  However, this is taught by Papaxenopoulos (e.g., [0019], A security patch rule (e.g., API, etc.) can include rules for applying a plurality of possible patches (e.g., classes, libraries, etc.) to the source code and/or representation based on the vulnerabilities including, for example, multiple types of encryption to implement, multiple source code modifications, or combinations of these and/or other types of patches to the source code [combining source code patches, i.e. common string edit actions]; [0034], provided by the static security analysis application The patched source code representation can then be integrated with the rest of the source code by, for example, committing the code 112 to a source code repository before the next scan of the source code to find additional vulnerabilities [applying the determined one or more common string edit actions on a string-related third violation of a third software program to generate a repaired third software program]; see also [0030].).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the invention of Goues with the invention of Papaxenopoulos because it “addresses the need in the art for automatic and directed remediation (by a security application) of security vulnerabilities in software applications and/or source code,” as suggested by Papaxenopoulos (see [0014]).  


With respect to claim 16, Goues discloses An electronic device, comprising: 
a processor (e.g., pp. 61-62, Section 5.1 Experimental Setup, This section reports the results of experiments that use GenProg to repair errors in multiple legacy programs: 1) evaluating repair success over multiple trials and 2) measuring performance and scalability in terms of fitness function evaluations and wall-clock time.... Our experiments were conducted on a quad-core 3 GHz machine.) configured to: 
identify at least one first string in a first repair example and at least one second string in a second repair example, wherein the first repair example is configured to repair a first violation of a first software program, and the second repair example is configured to repair a second violation of a second software program, and wherein the first violation and the second violation are string- related violations (e.g., Figs. 1-3 and 5 along with associated text, e.g., p. 56, left column, GenProg searches for valid variants of the original program that do not display the specified buggy behavior [identify at least one first string and second string in a first and second repair example, the first and second repair examples configured to repair first and second violations].... we assume that most defects [violations] can be repaired by adapting existing code from another location in the program [repair example configured to repair a violation]. In practice, a program that makes a mistake in one location often handles a similar situation correctly in another;; see also pp. 54-55, GenProg uses only statements [string] from the program itself to repair errors and does not invent new code, p. 55, p. 55, left column, the algorithm can repair multiple types of errors, and Section 4 Repair descriptions at pp. 59-61.); 
generate a first set of string edit actions for the first software program based on the identified at least one first string in the first repair example and the first violation (e.g., Figs. 1-3 and 5 along with associated text, e.g., p. 58, right column, The search terminates successfully when GP discovers a primary repair that passes all test cases. ....Therefore, GenProg minimizes the primary repair to produce the final repair, expressed as a list of edits in standard diff format, see also p. 58, left column, first paragraph.); 
generate a second set of string edit actions for the second software program based on the identified at least one second string in the second repair example and the second violation (Id.; see also p. 55, left column, the algorithm can repair multiple types of errors.); 
determine one or more [common] string edit actions based on the generated first set of string edit actions and the generated second set of string edit actions (e.g., Figs. 1-3 and 5 along with associated text, e.g., p. 58, left column, DIFFX edits can be converted automatically to standard diff patches, which can either be applied automatically to the system or presented to developers for inspection.); and 
[apply the determined one or more common string edit actions on a string- related third violation of a third software program to generate a repaired third software program].
	Goues does not appear to explicitly disclose that the determined one or string edit actions are common string edit actions, or apply the determined one or more common string edit actions on a string-related third violation of a third software program to generate a repaired third software program.  However, this is taught by Papaxenopoulos (e.g., [0019], A security patch rule (e.g., API, etc.) can include rules for applying a plurality of possible patches (e.g., classes, libraries, etc.) to the source code and/or representation based on the vulnerabilities including, for example, multiple types of encryption to implement, multiple source code modifications, or combinations of these and/or other types of patches to the source code [combining source code patches, i.e. common string edit actions]; [0034], provided by the static security analysis application The patched source code representation can then be integrated with the rest of the source code by, for example, committing the code 112 to a source code repository before the next scan of the source code to find additional vulnerabilities [applying the determined one or more common string edit actions on a string-related third violation of a third software program to generate a repaired third software program]; see also [0030].).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the technique of Goues with the invention of Papaxenopoulos because it “addresses the need in the art for automatic and directed remediation (by a security application) of security vulnerabilities in software applications and/or source code,” as suggested by Papaxenopoulos (see [0014]).  

With respect to claims 3, 10, and 17, Goues also discloses identifying a first plurality of strings in the first repair example of the first software program (e.g., Figs. 1-3 and 5 along with associated text, e.g., p. 56, left column, GenProg searches for valid variants of the original program that do not display the specified buggy behavior [identifying a first plurality of strings in the first repair example of the first software program].... we assume that most defects [violations] can be repaired by adapting existing code from another location in the program. In practice, a program that makes a mistake in one location often handles a similar situation correctly in another; see also pp. 54-55, GenProg uses only statements [string] from the program itself to repair errors and does not invent new code, p. 55, p. 55, left column, the algorithm can repair multiple types of errors, and Section 4 Repair descriptions at pp. 59-61.); 
identifying a second plurality of strings in the second repair example of the second software program (Id.; see also see also p. 55, left column, the algorithm can repair multiple types of errors.); 
generating the first set of string edit actions for each of the identified first plurality of strings (e.g., Figs. 1-3 and 5 along with associated text, e.g., p. 58, right column, The search terminates successfully when GP discovers a primary repair that passes all test cases. ....Therefore, GenProg minimizes the primary repair to produce the final repair, expressed as a list of edits in standard diff format, see also p. 58, left column, first paragraph.); 
generating the second set of string edit actions for each of the identified second plurality of strings (Id.; see also p. 55, left column, the algorithm can repair multiple types of errors.); and 
determining the one or more [common] string edit actions based on the generated first set of string edit actions and the generated second set of string edit actions (e.g., Figs. 1-3 and 5 along with associated text, e.g., p. 58, left column, DIFFX edits can be converted automatically to standard diff patches, which can either be applied automatically to the system or presented to developers for inspection) and Papaxenopoulos discloses common (e.g., [0019], A security patch rule (e.g., API, etc.) can include rules for applying a plurality of possible patches (e.g., classes, libraries, etc.) to the source code and/or representation based on the vulnerabilities including, for example, multiple types of encryption to implement, multiple source code modifications, or combinations of these and/or other types of patches to the source code [combining source code patches, i.e. common string edit actions]; [0034], provided by the static security analysis application The patched source code representation can then be integrated with the rest of the source code by, for example, committing the code 112 to a source code repository before the next scan of the source code to find additional vulnerabilities; see also [0030].).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the technique of Goues with the invention of Papaxenopoulos for the same reason set forth above with respect to claims 1, 9, and 16.

With respect to claims 4, 11, and 18, Goues also discloses generating a node for each of the generated first set of string edit actions for the identified at least one first string in the first repair example of the first software program (e.g., p. 58, right column, Since concrete syntax is inefficient to minimize, we have adapted the DIFFX XML differencing algorithm [23] to work on CIL ASTs. Modified DIFFX generates a list of treestructured edit operations, such as “move the subtree rooted at node X to become the Y the child of node Z.”; see also p. 57, left column, GenProg generates a program AST using the off-theshelf CIL toolkit [28]; p. 57, right column, Changes to statements in P athP are reflected in its corresponding AST, p. 58, We compile the variant’s AST to an executable program.); 
generating a first graph based on associations between the generated nodes for the generated first set of string edit actions (Id., particularly, Abstract Syntax Tree (AST) [i.e., graph].); 
generating a node for each of the generated second set of string edit actions for the identified at least one second string in the second repair example of the second software program (Id.; see also p. 55, left column, the algorithm can repair multiple types of errors.); and 
generating a second graph based on associations between the generated nodes for the generated second set of string edit actions  (Id., particularly, Abstract Syntax Tree (AST) [i.e., graph].).

With respect to claims 5, 12, and 19, Goues also discloses identifying a first plurality of strings in the first repair example of the first software program(e.g., Figs. 1-3 and 5 along with associated text, e.g., p. 56, left column, GenProg searches for valid variants of the original program that do not display the specified buggy behavior [identifying a first plurality of strings in the first repair example of the first software program].... we assume that most defects [violations] can be repaired by adapting existing code from another location in the program. In practice, a program that makes a mistake in one location often handles a similar situation correctly in another; see also pp. 54-55, GenProg uses only statements [string] from the program itself to repair errors and does not invent new code, p. 55, p. 55, left column, the algorithm can repair multiple types of errors, and Section 4 Repair descriptions at pp. 59-61.); and generating a plurality of graphs based on each of the identified first plurality of strings (e.g., p. 58, right column, Since concrete syntax is inefficient to minimize, we have adapted the DIFFX XML differencing algorithm [23] to work on CIL ASTs [graph]. Modified DIFFX generates a list of treestructured edit operations, such as “move the subtree rooted at node X to become the Y the child of node Z.”; see also p. 57, left column, GenProg generates a program AST using the off-theshelf CIL toolkit [28]; p. 57, right column, Changes to statements in P athP are reflected in its corresponding AST, p. 58, We compile the variant’s AST to an executable program.).

With respect to claims 6, 13, and 20, Goues also discloses determining one or more common nodes based on the generated first graph and the second graph (e.g., p. 58, right column, Since concrete syntax is inefficient to minimize, we have adapted the DIFFX XML differencing algorithm [23] to work on CIL ASTs [graph]. Modified DIFFX generates a list of treestructured edit operations, such as “move the subtree rooted at node X to become the Y the child of node Z.” [common node]; see also p. 57, left column, GenProg generates a program AST using the off-theshelf CIL toolkit [28]; p. 57, right column, Changes to statements in PathP are reflected in its corresponding AST, p. 58, We compile the variant’s AST to an executable program.), wherein the determined one or more common nodes correspond to the determined one or more [common] string edit actions (Id.) and Papaxenopoulos discloses common string edit actions (e.g., [0019], A security patch rule (e.g., API, etc.) can include rules for applying a plurality of possible patches (e.g., classes, libraries, etc.) to the source code and/or representation based on the vulnerabilities including, for example, multiple types of encryption to implement, multiple source code modifications, or combinations of these and/or other types of patches to the source code [combining source code patches, i.e. common string edit actions]; [0034], provided by the static security analysis application The patched source code representation can then be integrated with the rest of the source code by, for example, committing the code 112 to a source code repository before the next scan of the source code to find additional vulnerabilities; see also [0030].).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the technique of Goues with the invention of Papaxenopoulos for the same reason set forth above with respect to claims 1, 9, and 16.

With respect to claims 7 and 14, Goues also discloses determining a pairwise alignment associated with the at least one first string in the first repair example and the first violation of the first software program (e.g., Figs. 1-3 and associated text, e.g., p. 57, left column, The weighted path is a sequence of <statement; weight> pairs [pairwise alignment] that constrains the mutation operators to a small, likely relevant (more highly weighted) subset of the program tree [associated with the at least one first string in the first repair example and the first violation of the first software program].); and generating the first set of string edit actions based on the determined pairwise alignment (Id.; see also p. 57, right column, Path weighting is necessary to repair the majority of the programs we have investigated: Without it, the search space is typically too large to search efficiently [generating the first set of string edit actions based on the determined pairwise alignment].).

With respect to claims 8 and 15, Goues also discloses wherein the first repair example includes the at least one first string and at least one first program code of the first software program (e.g., Figs. 1-3 and 5 along with associated text, e.g., p. 56, left column, GenProg searches for valid variants of the original program that do not display the specified buggy behavior.... we assume that most defects [violations] can be repaired by adapting existing code from another location in the program [first repair example includes the at least one first string and at least one first program code of the first software program]. In practice, a program that makes a mistake in one location often handles a similar situation correctly in another;; see also pp. 54-55, GenProg uses only statements [string] from the program itself to repair errors and does not invent new code, p. 55, p. 55, left column, the algorithm can repair multiple types of errors, and Section 4 Repair descriptions at pp. 59-61.).

Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Claire Le Goues in view of Papaxenopoulos, as applied to claim 1 above, and further in view of Rohde et al. 20120054728 (hereinafter Rohde).

	With respect to claim 2, Goues in view of Papaxenopoulos does not appear to explicitly disclose storing the determined one or more common string edit actions in a database.  However, this is taught in analogous art, Rohde (e.g., [0015], The various embodiments include methods of providing complete patch data for a program such as an operating system, as well as methods of maintaining a database of patch data current for patch updates. The various methods allow construction of a complete and correct database of patch information and proper patch updates by obtaining the complete database using multiple sources. The sources include in one embodiment the actual patch file, metadata reference files associated with the patch file, files included with the patch file, third party sources, and customer- or user-supplied source material.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the invention of Rohde because “patch management has become important, especially for large organizations,” as suggested by Rohde.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.  Specifically, Koyuncu et al. “FixMiner: Mining relevant fix patterns for automated program repair” discloses a systematic and automated approach to mining relevant and actionable fix patterns based on an iterative clustering strategy applied to atomic changes within patches, and Ma et al. “VuRLE: Automatic Vulnerability Detection and Repair by Learning from Examples” discloses creating edit patterns for automated code repair based in part on the longest common substring of edit operations in two edit blocks.

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to STEPHEN DAVID BERMAN whose telephone number is (571)272-7206.  The examiner can normally be reached on M-F, 9-6 Eastern.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hyung S. Sough can be reached on 571-272-6799.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/STEPHEN D BERMAN/Examiner, Art Unit 2192                                                                                                                                                                                                        


/Thuy Dao/Primary Examiner, Art Unit 2192                                                                                                                                                                                                        

	
	
	


    
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
    

    
        1 See Remarks at pp. 8-9.