DETAILED ACTION
This is the initial Office action based on the application filed on October 29, 2019.
Claims 1-20 are pending.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Specification
The title of the invention is not descriptive. A new title is required that is clearly indicative of the invention to which the claims are directed.
The following title is suggested: CODE VULNERABILITY DETECTION AND REMEDIATION IN ENTERPRISE SYSTEMS.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-15 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.

Claim 1 is directed to an apparatus comprising at least one processing platform comprising a plurality of processing devices. However, the components of the at least one processing platform (see Figure 1, Element 110) appear to lack the necessary physical components (hardware) to constitute a machine or manufacture under § 101. The components of the at least one processing platform can be construed to cover software under the broadest reasonable interpretation. Although the claim recites “at least one processing platform comprising a plurality of processing devices,” the plurality of processing devices (see Figure 1, Element 102) do not appear to be components of the at least one processing platform. Therefore, the claimed apparatus is ineligible subject matter under § 101.
Claims 2-15 depend on Claim 1 and do not cure the deficiency of Claim 1. Therefore, Claims 2-15 are rejected for the same reason set forth in the rejection of Claim 1.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1, 8, 11, 16, and 19 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by US 2018/0157842 (hereinafter “Holz”).

As per Claim 1, Holz discloses:
An apparatus comprising:
at least one processing platform comprising a plurality of processing devices (Figure 1);
said at least one processing platform being configured:
to receive code for computer programming (paragraph [0123], “As shown in FIG. 5, the operation starts with the security vulnerability amalgamation engine receiving source code for various applications (step 510) (emphasis added) …”);
to determine whether at least a portion of the code comprises at least one vulnerability (paragraph [0123], “Security vulnerability analysis is performed on application code, such as by a code vulnerability analysis system (step 530) and security vulnerability information is generated based on the results of the analysis (step 540) [to determine whether at least a portion of the code comprises at least one vulnerability].”);
to compare at least the portion of the code comprising the at least one vulnerability to a knowledge base comprising (i) a plurality of code fragments comprising a plurality of vulnerabilities; and (ii) a plurality of solutions to prevent corresponding ones of the plurality of vulnerabilities (paragraph [0071], “This new version of the source code may be linked to the source code in which security vulnerabilities were found by project identifier or other characteristics mapping source code with one another and with consumers/contributors. The location of this “fixed” or “remediated” version of source code may thus but stored and associated with the security vulnerability as a security vulnerability characteristic in the entries of the repository for that security vulnerability in the repository vulnerability cataloging system 128 [a knowledge base].”; paragraph [0106], “Moreover, additional functionality may be provided for correlating the security vulnerabilities [(i) a plurality of code fragments comprising a plurality of vulnerabilities] with solutions for the security vulnerabilities [(ii) a plurality of solutions to prevent corresponding ones of the plurality of vulnerabilities] and presenting that information in the communications [to compare at least the portion of the code comprising the at least one vulnerability to a knowledge base]. This solution information may be suggestions as to how to avoid the security vulnerabilities, may be to provide information about other code in which the security vulnerability has been eliminated (e.g., patches, fixes, or the like), as well as the location of that code, or the like.”);
to identify, based on the comparing, a code fragment of the plurality of code fragments matching at least the portion of the code comprising the at least one vulnerability (paragraph [0092], “In general, the code vulnerability analysis system 330 scans the source code of the applications and compares the source code against a plurality of known insecure coding techniques [to identify, based on the comparing, a code fragment of the plurality of code fragments matching at least the portion of the code comprising the at least one vulnerability] and implementations using one or more of the various analysis tools 332-340, which includes, but is not limited to, tools for performing code pattern matching, heuristic analysis, function analysis, parameter analysis, boundary failure analysis, and the like (emphasis added).”); and
to execute a solution of the plurality of solutions corresponding to the identified code fragment to prevent the at least one vulnerability in at least the portion of the code (paragraph [0107], “In some cases, the patches or fixes for the security vulnerability may be automatically pushed to the individuals or organizations for implementation into their instances of the source code where the security vulnerability is present [to execute a solution of the plurality of solutions corresponding to the identified code fragment to prevent the at least one vulnerability in at least the portion of the code]. That is, based on the location of patches or fixes for the security vulnerability, the GUI output/notification system 370 may actually retrieve the patch or fix and attach it to any notifications or communications sent to the consumers and contributors that are associated with the source code corresponding to the security vulnerability. Alternatively, a link to the location of the patch/fix may be inserted into the notification or communication.”).

As per Claim 8, the rejection of Claim 1 is incorporated; and Holz further discloses:
wherein said at least one processing platform is further configured to determine a programming language of the code (paragraph [0050], “… either source code or object code written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like, and conventional procedural programming languages, such as the “C” programming language or similar programming languages.”).

As per Claim 11, the rejection of Claim 1 is incorporated; and Holz further discloses:
wherein, in executing the solution of the plurality of solutions corresponding to the identified code fragment, said at least one processing platform is configured to generate new code without the at least one vulnerability (paragraph [0071], “… when a new version of source code is generated and registered in the SCRAM system 122, a contributor to the new version of source code may designate the new version of source code to be “fixed”, “remediated”, or the like.”).

Claim 16 is a method claim corresponding to the apparatus claim hereinabove (Claim 1). Therefore, Claim 16 is rejected for the same reason set forth in the rejection of Claim 1.

Claim 19 is a computer program product claim corresponding to the apparatus claim hereinabove (Claim 1). Therefore, Claim 19 is rejected for the same reason set forth in the rejection of Claim 1.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 2-4, 6, 7, 17, 18, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Holz in view of US 2021/0232376 (hereinafter “Wang”).

As per Claim 2, the rejection of Claim 1 is incorporated; and Holz discloses “at least a portion of code comprising at least one vulnerability,” but Holz does not explicitly disclose:
wherein said at least one processing platform is further configured to convert at least the portion of the code comprising the at least one vulnerability into a code vector representation.
However, Wang discloses:
wherein at least one processing platform is further configured to convert at least a portion of code into a code vector representation (paragraph [0008], “… the present invention provides a vectorized representation method of a software source code.”; paragraph [0016], “After a software source code is converted into the AST, firstly, an identifier sequence of the tree is acquired in a preorder traversing manner, and an existing word embedding technology (such as Word2Vec) is utilized to convert each identifier to be in a vector form to facilitate encoding of an upper layer. Subsequently, the original AST is divided into a statement tree sequence.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Wang into the teaching of Holz to include “wherein said at least one processing platform is further configured to convert at least the portion of the code comprising the at least one vulnerability into a code vector representation.” The modification would be obvious because one of ordinary skill in the art would be motivated to provide a vectorized representation method of a software source code (Wang, paragraph [0008]).

As per Claim 3, the rejection of Claim 2 is incorporated; and Holz does not explicitly disclose:
wherein the code vector representation is independent of a programming language of the code.
However, Wang discloses:
wherein a code vector representation is independent of a programming language of code (paragraph [0004], “According to the latest technology, parsing tools are used to convert a program source code into an abstract syntax tree (AST) to structurally represent the program. On this basis, a neural network method is combined to automatically acquire a vector representation of the program for different tasks and scenarios.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Wang into the teaching of Holz to include “wherein the code vector representation is independent of a programming language of the code.” The modification would be obvious because one of ordinary skill in the art would be motivated to provide a vectorized representation method of a software source code (Wang, paragraph [0008]).

As per Claim 4, the rejection of Claim 2 is incorporated; and Holz further discloses:
wherein, in comparing at least the portion of the code comprising the at least one vulnerability to the knowledge base, said at least one processing platform is configured to compare the code fragment to the plurality of code fragments in the knowledge base (paragraph [0030], “… the illustrative embodiments correlate security vulnerabilities in source code with various instances of that source code present in a plurality of applications, potentially across multiple organizations, development teams, or the like, with regard to developers, maintainers, and customers or users of the applications, and further correlates the instances of that source code with the identified security vulnerabilities with individuals or organizations associated with those instances. ”).
Holz does not explicitly disclose:
a plurality of code vector representations.
However, Wang discloses:
a plurality of code vector representations (paragraph [0008], “… the present invention provides a vectorized representation method of a software source code.”; paragraph [0016], “After a software source code is converted into the AST, firstly, an identifier sequence of the tree is acquired in a preorder traversing manner, and an existing word embedding technology (such as Word2Vec) is utilized to convert each identifier to be in a vector form to facilitate encoding of an upper layer. Subsequently, the original AST is divided into a statement tree sequence.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Wang into the teaching of Holz to include “a plurality of code vector representations.” The modification would be obvious because one of ordinary skill in the art would be motivated to provide a vectorized representation method of a software source code (Wang, paragraph [0008]).

As per Claim 6, the rejection of Claim 2 is incorporated; and Holz discloses “at least a portion of code comprising at least one vulnerability,” but Holz does not explicitly disclose:
wherein, in converting at least the portion of the code comprising the at least one vulnerability into the code vector representation, said at least one processing platform is configured to convert at least the portion of the code comprising the at least one vulnerability into an intermediate code representation.
However, Wang discloses:
wherein, in converting at least a portion of code into a code vector representation, at least one processing platform is configured to convert at least the portion of the code into an intermediate code representation (paragraph [0008], “… the present invention provides a vectorized representation method of a software source code.”; paragraph [0016], “After a software source code is converted into the AST, firstly, an identifier sequence of the tree is acquired in a preorder traversing manner, and an existing word embedding technology (such as Word2Vec) is utilized to convert each identifier to be in a vector form to facilitate encoding of an upper layer. Subsequently, the original AST is divided into a statement tree sequence.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Wang into the teaching of Holz to include “wherein, in converting at least the portion of the code comprising the at least one vulnerability into the code vector representation, said at least one processing platform is configured to convert at least the portion of the code comprising the at least one vulnerability into an intermediate code representation.” The modification would be obvious because one of ordinary skill in the art would be motivated to structurally represent a program (Wang, paragraph [0004]).

As per Claim 7, the rejection of Claim 6 is incorporated; and Holz does not explicitly disclose:
wherein the intermediate code representation comprises an abstract syntax tree.
However, Wang discloses:
wherein an intermediate code representation comprises an abstract syntax tree (paragraph [0008], “… the present invention provides a vectorized representation method of a software source code.”; paragraph [0016], “After a software source code is converted into the AST, firstly, an identifier sequence of the tree is acquired in a preorder traversing manner, and an existing word embedding technology (such as Word2Vec) is utilized to convert each identifier to be in a vector form to facilitate encoding of an upper layer. Subsequently, the original AST is divided into a statement tree sequence.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Wang into the teaching of Holz to include “wherein the intermediate code representation comprises an abstract syntax tree.” The modification would be obvious because one of ordinary skill in the art would be motivated to structurally represent a program (Wang, paragraph [0004]).

Claims 17 and 18 are method claims corresponding to the apparatus claims hereinabove (Claims 2 and 4, respectively). Therefore, Claims 17 and 18 are rejected for the same reasons set forth in the rejections of Claims 2 and 4, respectively.

Claim 20 is a computer program product claim corresponding to the apparatus claim hereinabove (Claim 2). Therefore, Claim 20 is rejected for the same reason set forth in the rejection of Claim 2.

Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Holz in view of Wang as applied to Claim 4 above, and further in view of US 2020/0133756 (hereinafter “Sun”).

As per Claim 5, the rejection of Claim 4 is incorporated; and Holz further discloses:
wherein, in comparing at least the portion of the code comprising the at least one vulnerability to the knowledge base (paragraph [0071], “This new version of the source code may be linked to the source code in which security vulnerabilities were found by project identifier or other characteristics mapping source code with one another and with consumers/contributors. The location of this “fixed” or “remediated” version of source code may thus but stored and associated with the security vulnerability as a security vulnerability characteristic in the entries of the repository for that security vulnerability in the repository vulnerability cataloging system 128.”; paragraph [0106], “Moreover, additional functionality may be provided for correlating the security vulnerabilities with solutions for the security vulnerabilities and presenting that information in the communications. This solution information may be suggestions as to how to avoid the security vulnerabilities, may be to provide information about other code in which the security vulnerability has been eliminated (e.g., patches, fixes, or the like), as well as the location of that code, or the like.”).
The combination of Holz and Wang discloses “a plurality of code vector representations,” but the combination of Holz and Wang does not explicitly disclose:
said at least one processing platform is configured to determine a cosine distance between the code vector representation and the plurality of code vector representations.
However, Sun discloses:
at least one processing platform is configured to determine a cosine distance between a code and a plurality of codes (paragraph [0010], “… determining the similarity between the code and the at least one predetermined code may comprise determining the similarity based on a Euclidean distance or a cosine function between the codes.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Sun into the combined teachings of Holz and Wang to include “said at least one processing platform is configured to determine a cosine distance between the code vector representation and the plurality of code vector representations.” The modification would be obvious because one of ordinary skill in the art would be motivated to measure cohesion within codes.
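The following example is added here to illustrate the combined limitations of Claims 2 through 7 (converting a code fragment into an intermediate representation, an abstract syntax tree, and then into a code vector representation) and of Claim 5 (cosine distance between that vector and the vectors of the knowledge base fragments). It is not code from the application or from Holz, Wang or Sun. It assumes Python's standard ast module as the parser, a bag-of-tokens count vector as a stand-in for the Word2Vec-style embedding Wang describes, and a constructed two-entry knowledge base; the identifiers KNOWLEDGE_BASE, preorder_tokens, to_vector, cosine_distance and find_closest are the example's own.

```python
from __future__ import annotations

import ast
from collections import Counter
from math import sqrt

# Constructed knowledge base (not from any of the cited patents): each entry pairs a
# code fragment carrying a known weakness with the solution that prevents it.
KNOWLEDGE_BASE = [
    {
        "id": "KB-1",
        "fragment": "cmd = 'ls ' + user_input\nos.system(cmd)",
        "vulnerability": "shell command built from untrusted input",
        "solution": "call subprocess.run with an argument list and shell=False",
    },
    {
        "id": "KB-2",
        "fragment": "query = 'SELECT * FROM users WHERE name = ' + name\ncursor.execute(query)",
        "vulnerability": "SQL statement built by string concatenation",
        "solution": "pass the value as a query parameter instead of concatenating it",
    },
]


def preorder_tokens(code: str) -> list:
    """Parse code into an AST and return its identifier sequence in preorder.

    Every node contributes its type name; Name, Attribute and string constants also
    contribute an identifier token so the sequence carries which API is being called.
    """
    tokens = []

    def visit(node: ast.AST) -> None:
        tokens.append(type(node).__name__)
        if isinstance(node, ast.Name):
            tokens.append(node.id)
        elif isinstance(node, ast.Attribute):
            tokens.append(node.attr)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            tokens.append("STR")  # literal contents are abstracted to one token
        for child in ast.iter_child_nodes(node):
            visit(child)

    visit(ast.parse(code))
    return tokens


def to_vector(tokens) -> Counter:
    """Bag-of-tokens vector: a simple stand-in for a learned (Word2Vec-style) embedding."""
    return Counter(tokens)


def cosine_distance(a: Counter, b: Counter) -> float:
    """1 - cosine similarity: 0.0 for identical vectors, 1.0 for orthogonal ones."""
    dot = sum(count * b.get(token, 0) for token, count in a.items())
    norm_sq_a = sum(c * c for c in a.values())
    norm_sq_b = sum(c * c for c in b.values())
    if norm_sq_a == 0 or norm_sq_b == 0:
        return 1.0
    return 1.0 - dot / sqrt(norm_sq_a * norm_sq_b)


def find_closest(code: str, knowledge_base=KNOWLEDGE_BASE) -> tuple:
    """Vectorise the submitted code and return (entry, distance) for the nearest fragment."""
    query = to_vector(preorder_tokens(code))
    ranked = sorted(
        ((cosine_distance(query, to_vector(preorder_tokens(e["fragment"]))), e) for e in knowledge_base),
        key=lambda pair: pair[0],
    )
    distance, entry = ranked[0]
    return entry, distance


if __name__ == "__main__":
    # Constructed input: resembles KB-1 in structure and API but uses different names.
    submitted = "os.system('ping ' + host)"
    entry, distance = find_closest(submitted)
    print(f"closest: {entry['id']} (cosine distance {distance:.3f}) -> {entry['solution']}")
```

Because the two knowledge base fragments share the same statement structure, the count vectors differ mainly in the identifier tokens (system, os versus execute, cursor), which is what makes the submitted fragment land nearer KB-1. A learned embedding would separate them more strongly; the count vector is used only so the example runs without a trained model.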

Claims 9 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Holz in view of US 2014/0123108 (hereinafter “Cheluvaraju”).

As per Claim 9, the rejection of Claim 1 is incorporated; and Holz discloses “at least a portion of code comprising at least one vulnerability,” but Holz does not explicitly disclose:
wherein said at least one processing platform is further configured to sanitize at least the portion of the code comprising the at least one vulnerability.
However, Cheluvaraju discloses:
wherein at least one processing platform is further configured to sanitize at least a portion of code (paragraph [0029], “The source files in the repository are preprocessed and cleaned to remove code comments and other non-relevant part of the source code.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Cheluvaraju into the teaching of Holz to include “wherein said at least one processing platform is further configured to sanitize at least the portion of the code comprising the at least one vulnerability.” The modification would be obvious because one of ordinary skill in the art would be motivated to remove code comments and other non-relevant parts of source code (Cheluvaraju, paragraph [0029]).

As per Claim 10, the rejection of Claim 9 is incorporated; and Holz discloses “at least a portion of code comprising at least one vulnerability,” but Holz does not explicitly disclose:
wherein, in sanitizing at least the portion of the code comprising the at least one vulnerability, said at least one processing platform is configured to remove one or more comments from at least the portion of the code comprising the at least one vulnerability.
However, Cheluvaraju discloses:
wherein, in sanitizing at least a portion of code, at least one processing platform is configured to remove one or more comments from at least the portion of the code (paragraph [0029], “The source files in the repository are preprocessed and cleaned to remove code comments and other non-relevant part of the source code.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Cheluvaraju into the teaching of Holz to include “wherein, in sanitizing at least the portion of the code comprising the at least one vulnerability, said at least one processing platform is configured to remove one or more comments from at least the portion of the code comprising the at least one vulnerability.” The modification would be obvious because one of ordinary skill in the art would be motivated to remove code comments and other non-relevant parts of source code (Cheluvaraju, paragraph [0029]).
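The following example is added here to illustrate the sanitizing step of Claims 9 and 10, removing comments from the code before it is compared, as Cheluvaraju's preprocessing describes. It is not code from the application or from Cheluvaraju. It assumes Python source as the input and uses the standard tokenize module so that a '#' inside a string literal is not mistaken for a comment; the sample source, and the names SAMPLE, strip_comments and naive_strip_comments, are the example's own.

```python
import io
import tokenize

# Constructed sample (not from the application or from Cheluvaraju): a comment-only
# line, two trailing comments, and a string literal containing '#'.
SAMPLE = '''# helper for building a shell command
def run(host):  # host comes from the request
    marker = "# not a comment"
    cmd = "ping " + host  # TODO validate host
    return cmd
'''


def strip_comments(source: str) -> str:
    """Remove '#' comments from Python source, leaving code and string literals intact.

    The tokenizer decides what is a comment, so a '#' inside a string literal is kept.
    Lines that contained only a comment are dropped entirely.
    """
    lines = source.splitlines(keepends=True)
    # Column at which a comment starts, keyed by line number (comments never span lines).
    comment_start = {}
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.COMMENT:
            row, col = tok.start
            comment_start[row] = col
    out = []
    for number, line in enumerate(lines, start=1):
        if number in comment_start:
            body = line[: comment_start[number]].rstrip()
            if not body:
                continue  # comment-only line
            line = body + ("\n" if line.endswith("\n") else "")
        out.append(line)
    return "".join(out)


def naive_strip_comments(source: str) -> str:
    """Plain-text approach shown for contrast: cuts each line at its first '#',
    so it also truncates any string literal that happens to contain '#'."""
    out = []
    for line in source.splitlines():
        body = line.split("#", 1)[0].rstrip()
        if body:
            out.append(body + "\n")
    return "".join(out)


if __name__ == "__main__":
    print(strip_comments(SAMPLE))
```

The naive variant is included only to show why sanitization should be token-based: on the sample it turns the marker assignment into an unterminated string, which would make the sanitized fragment unparseable and corrupt any later comparison against the knowledge base.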

Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Holz in view of US 2018/0150742 (hereinafter “Woulfe”).

As per Claim 12, the rejection of Claim 11 is incorporated; and Holz does not explicitly disclose:
wherein said at least one processing platform is further configured to apply one or more machine learning algorithms to update the knowledge base with data corresponding to the generation of the new code.
However, Woulfe discloses:
wherein at least one processing platform is further configured to apply one or more machine learning algorithms to update a knowledge base with data corresponding to generation of new code (paragraph [0023], “The feature vectors are constructed from a combination of source code files having a software bug and source code files without a software bug. The feature vectors are then split into data that is used to train the machine learning model and data that is used to test the machine learning model. When the machine learning model is trained to meet a desired level of accuracy, the model is then used to predict the probability of a software bug in a source code file.”; paragraph [0040], “The source code repository may track these changes and attribute them to bug fixes. Differential code 306 illustrates the differences between the original source code file 302 and the modified source code file 304 where the source code statement “int[ ] fib=new int[n]” is annotated with the “−” symbol indicating that the associated code statement was altered.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Woulfe into the teaching of Holz to include “wherein said at least one processing platform is further configured to apply one or more machine learning algorithms to update the knowledge base with data corresponding to the generation of the new code.” The modification would be obvious because one of ordinary skill in the art would be motivated to predict the probability of a software bug in a source code file (Woulfe, paragraph [0004]).

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Holz in view of US 2017/0185783 (hereinafter “Brucker”).

As per Claim 13, the rejection of Claim 1 is incorporated; and Holz further discloses:
wherein said at least one processing platform is further configured:
to identify, based on the comparing, one or more code fragments of the plurality of code fragments which may correspond to at least the portion of the code comprising the at least one vulnerability (paragraph [0092], “In general, the code vulnerability analysis system 330 scans the source code of the applications and compares the source code against a plurality of known insecure coding techniques and implementations using one or more of the various analysis tools 332-340, which includes, but is not limited to, tools for performing code pattern matching, heuristic analysis, function analysis, parameter analysis, boundary failure analysis, and the like.”); and
to transmit to a user one or more recommended solutions of the plurality of solutions corresponding to the identified one or more code fragments to prevent the at least one vulnerability in at least the portion of the code (paragraph [0107], “In some cases, the patches or fixes for the security vulnerability may be automatically pushed to the individuals or organizations for implementation into their instances of the source code where the security vulnerability is present. That is, based on the location of patches or fixes for the security vulnerability, the GUI output/notification system 370 may actually retrieve the patch or fix and attach it to any notifications or communications sent to the consumers and contributors that are associated with the source code corresponding to the security vulnerability. Alternatively, a link to the location of the patch/fix may be inserted into the notification or communication.”).
Holz discloses “one or more solutions of a plurality of solutions,” but Holz does not explicitly disclose:
one or more recommended solutions of the plurality of solutions.
However, Brucker discloses:
one or more recommended solutions of a plurality of solutions (paragraph [0059], “FIG. 5 depicts an example sequence diagram 500 depicting an example sequence for recommended fixes based on code similarity. In the depicted example, the developer 138 (using the computing device 136) interacts (502) with the development environment 104 to initiate fixing of results (e.g., potential code vulnerabilities).”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Brucker into the teaching of Holz to include “one or more recommended solutions of the plurality of solutions.” The modification would be obvious because one of ordinary skill in the art would be motivated to allow a developer to select a recommendation for fixing source code in question (Brucker, paragraph [0060]).

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Holz in view of Brucker as applied to Claim 13 above, and further in view of Woulfe.

As per Claim 14, the rejection of Claim 13 is incorporated; and Holz discloses “at least a portion of code comprising at least one vulnerability,” but Holz does not explicitly disclose:
wherein said at least one processing platform is further configured:
to receive from the user a selection of a recommended solution of the one or more recommended solutions.
However, Brucker discloses:
wherein at least one processing platform is further configured:
to receive from a user a selection of a recommended solution of one or more recommended solutions (paragraph [0059], “FIG. 5 depicts an example sequence diagram 500 depicting an example sequence for recommended fixes based on code similarity. In the depicted example, the developer 138 (using the computing device 136) interacts (502) with the development environment 104 to initiate fixing of results (e.g., potential code vulnerabilities).”; paragraph [0060], “… the list of one or more fix recommendations is displayed to the developer 138, which can select a recommendation for fixing the source code in question.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Brucker into the teaching of Holz to include “wherein said at least one processing platform is further configured: to receive from the user a selection of a recommended solution of the one or more recommended solutions.” The modification would be obvious because one of ordinary skill in the art would be motivated to allow a developer to select a recommendation for fixing source code in question (Brucker, paragraph [0060]).
The combination of Holz and Brucker discloses “a relationship between at least a portion of code comprising at least one vulnerability and a selected recommended solution,” but the combination of Holz and Brucker does not explicitly disclose:
wherein said at least one processing platform is further configured:
to apply one or more machine learning algorithms to update the knowledge base with data corresponding to a relationship between at least the portion of the code comprising the at least one vulnerability and the selected recommended solution.
However, Woulfe discloses:
wherein at least one processing platform is further configured:
to apply one or more machine learning algorithms to update a knowledge base with data (paragraph [0023], “The feature vectors are constructed from a combination of source code files having a software bug and source code files without a software bug. The feature vectors are then split into data that is used to train the machine learning model and data that is used to test the machine learning model. When the machine learning model is trained to meet a desired level of accuracy, the model is then used to predict the probability of a software bug in a source code file.”; paragraph [0040], “The source code repository may track these changes and attribute them to bug fixes. Differential code 306 illustrates the differences between the original source code file 302 and the modified source code file 304 where the source code statement “int[ ] fib=new int[n]” is annotated with the “−” symbol indicating that the associated code statement was altered.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Woulfe into the combined teachings of Holz and Brucker to include “wherein said at least one processing platform is further configured: to apply one or more machine learning algorithms to update the knowledge base with data corresponding to a relationship between at least the portion of the code comprising the at least one vulnerability and the selected recommended solution.” The modification would be obvious because one of ordinary skill in the art would be motivated to predict the probability of a software bug in a source code file (Woulfe, paragraph [0004]).

Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Holz in view of US 2020/0394308 (hereinafter “Angelo”).

As per Claim 15, the rejection of Claim 1 is incorporated; and Holz does not explicitly disclose:
wherein said at least one processing platform is further configured:
to determine that the at least one vulnerability is absent from the knowledge base; and
to add the at least one vulnerability and at least the portion of the code to the knowledge base.
However, Angelo discloses:
wherein at least one processing platform is further configured:
to determine that at least one vulnerability is absent from a knowledge base (paragraph [0012], “… as after the product release, entries for the third-party components may be added to the software component vulnerability database to account for newly discovered vulnerability risks, and entries may be supplemented with new information about entries for the third-party components. Moreover, some entries in the software component vulnerability database may be mere placeholders to reserve IDs for future database entries. Accordingly, a placeholder entry may have been created in the software component vulnerability database at the time of the product release; and after the product release, the entry may be updated with a description that identifies one of the third-party components as having a vulnerability risk.”); and
to add the at least one vulnerability and at least a portion of code to the knowledge base (paragraph [0012], “… as after the product release, entries for the third-party components may be added to the software component vulnerability database to account for newly discovered vulnerability risks, and entries may be supplemented with new information about entries for the third-party components. Moreover, some entries in the software component vulnerability database may be mere placeholders to reserve IDs for future database entries. Accordingly, a placeholder entry may have been created in the software component vulnerability database at the time of the product release; and after the product release, the entry may be updated with a description that identifies one of the third-party components as having a vulnerability risk.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Angelo into the teaching of Holz to include “wherein said at least one processing platform is further configured: to determine that the at least one vulnerability is absent from the knowledge base; and to add the at least one vulnerability and at least the portion of the code to the knowledge base.” The modification would be obvious because one of ordinary skill in the art would be motivated to update a Common Vulnerabilities and Exposures (CVE) database containing entries for publicly known vulnerabilities (Angelo, paragraph [0002]).

Conclusion
The prior art made of record and not relied upon is considered pertinent to Applicant’s disclosure.
US 2011/0173693 (hereinafter “Wysopal”) discloses the identification and reporting of flaws in software programs.
US 2013/0086689 (hereinafter “Laverdiere-Papineau”) discloses enabling security vulnerability correction in the program code.
US 2017/0286692 (hereinafter “Nakajima”) discloses enabling vulnerability of software to be found without use of a source code.
US 2018/0225460 (hereinafter “Nakajima”) discloses detecting an unknown vulnerability even when there is no source code of software to be tested.
US 2019/0121985 (hereinafter “Hoole”) discloses detecting a vulnerability in an application during execution on a first computing device.
US 2020/0175172 (hereinafter “Parsons”) discloses scanning changed computer instructions to detect vulnerabilities when the changed computer instructions are committed to a version control repository.
US 2021/0209232 (hereinafter “Shim”) discloses identifying whether there is any vulnerability in open source components included in applications under development.
US 7,392,545 (hereinafter “Weber”) discloses detecting software security vulnerabilities.
US 10,579,803 (hereinafter “Mueller”) discloses efficiently managing issues such as software security vulnerabilities for development teams.

Any inquiry concerning this communication or earlier communications from the Examiner should be directed to Qing Chen whose telephone number is 571-270-1071. The Examiner can normally be reached on Monday through Friday from 9:00 AM to 5:00 PM EST.
If attempts to reach the Examiner by telephone are unsuccessful, the Examiner’s supervisor, Wei Zhen, can be reached at 571-272-3708. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Any inquiry of a general nature or relating to the status of this application or proceeding should be directed to the TC 2100 Group receptionist whose telephone number is 571-272-2100.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/Qing Chen/
Primary Examiner, Art Unit 2191