Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
This office action is in response to communication filed 12/20/2019. claims 1-20 are currently pending and claims 1, 5, and 15 are the independent claims. 

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 9,727,736 B1. Although the claims at issue are not identical, they are not patentably distinct from each other as seen in the side by side comparison below. For brevity, claims 1-4, 9-10, 12-14, and 20 of the current application are shown below as claims 5-8, 11, and 15-19 recite systems and methods, respectively, having similar limitations to claims 1-4, and 12, respectively. 
Current Application 16/723,479
US Patent 9,727,736 B1
1. A non-transitory computer-readable medium embodying a program executable in at least one computing device, wherein when executed the program causes the at least one computing device to at least: 

perform a first security analysis upon a plurality of first revisions of a plurality of programs, the first security analysis being based at least in part on a plurality of rules; generate first report data identifying a first plurality of security issues found in the first security analysis; perform a second security analysis upon a plurality of second revisions of the plurality of programs, the second security analysis being based at least in part on the plurality of rules; generate second report data identifying a second plurality of security issues found in the second security analysis; and cause the plurality of rules to be updated based at least in part on whether individual ones of the first plurality of security issues are corrected in the plurality of second revisions as determined based at least in part on a comparison of the first plurality of security issues to the second plurality of security issues.
1. A system, comprising: a computing device; and an application executable in the computing device, wherein when executed the application causes the computing device to at least:


in response to receiving report data identifying a plurality of issues in a first revision of a program, determine whether individual ones of the plurality of issues have been corrected in a second revision of the program, the report data being generated by an analysis tool; and modify a configuration of the analysis tool based at least in part on a status of the individual ones of the plurality of issues in the second revision of the program, wherein the configuration of the analysis tool includes a plurality of rules corresponding to a plurality of possible issues, individual ones of the plurality of possible issues are associated with corresponding scoring metadata, and modifying the configuration of the analysis tool further comprises modifying the scoring metadata that is associated with at least one issue that has not been corrected in the second revision of the program.
2. The non-transitory computer-readable medium of claim 1, wherein when executed the program further causes the at least one computing device to at least

determine a developer who wrote first source code corresponding to at least a threshold quantity of the first plurality of security issues that are corrected in the plurality of second revisions.
8. The system of claim 1, wherein when executed the application further causes the computing device to at least: 


identify a user responsible for at least a threshold impact of the plurality of issues; and determine at least one of: a coding characteristic associated with the user based at least in part on a source code analysis of source code written by the user; or a configuration characteristic associated with the user based at least in part on an analysis of one or more operational configurations written by the user.
3. The non-transitory computer-readable medium of claim 2, wherein when executed the program further causes the at least one computing device to at least 

determine a coding characteristic associated with the developer based at least in part on a source code analysis of second source code written by the developer.
8. The system of claim 1, wherein when executed the application further causes the computing device to at least:…


 determine at least one of: a coding characteristic associated with the user based at least in part on a source code analysis of source code written by the user…
4. The non-transitory computer-readable medium of claim 3, 

wherein the coding characteristic comprises at least one of: a variable name characteristic, an indentation characteristic, a code commenting characteristic, or an optional punctuation usage characteristic.
19. The method of claim 18, 


wherein the coding characteristic comprises at least one of: a variable name characteristic, an indentation characteristic, a code commenting characteristic, or an optional punctuation usage characteristic.
9. The system of claim 7, wherein the coding characteristic is a stylistic characteristic that does not directly cause a security issue.
10. A system, comprising:…wherein the coding characteristic or the configuration characteristic is a stylistic characteristic that does not directly cause a security issue.
10. The system of claim 7, 
wherein the second source code does not exhibit the at least one first security issue or the at least one second security issue
11. A system, comprising:… and 
wherein the source code upon which the source code analysis is performed does not exhibit the plurality of issues.
12. The system of claim 5, wherein causing the plurality of rules to be updated further comprises 
modifying a configuration of a security analysis tool used to perform the security analysis.
1. A system, comprising:… 
the report data being generated by an analysis tool; and modify a configuration of the analysis tool based at least in part on a status of the individual ones of the plurality of issues in the second revision of the program, wherein the configuration of the analysis tool includes a plurality of rules corresponding to a plurality of possible issues…
13. The system of claim 5, wherein when executed the at least one application further causes the at least one computing device to 

automatically execute a security analysis tool to perform the security analysis upon the at least one second revision of the at least one program in response to receiving the at least one second revision of the at least one program.
3. The system of claim 1, wherein when executed the application further causes the computing device 


to at least, in response to receiving the second revision of the program, automatically execute the analysis tool to perform an analysis on the second revision of the program.
14. The system of claim 5, wherein 
the security analysis comprises a static code analysis and 





a dynamic code analysis.
6. The system of claim 1, wherein 
the report data is generated based at least in part on a static analysis of the first revision of the program by the analysis tool.

7. The system of claim 1, 
wherein the report data is generated based at least in part on a dynamic analysis of the first revision of the program by the analysis tool.
20. The method of claim 15, further comprising 


determining, via at least one of one or more computing devices, whether the at least one first security issue is corrected in the at least one second revision further based at least in part on manual selection data indicating a subset of the at least one first security issue that is planned to be corrected in the at least one second revision of the at least one program.
5. The system of claim 1, wherein when executed the application further causes the computing device to at least 

determine whether the individual ones of the plurality of issues are corrected based at least in part on manual selection data indicating a subset of the plurality of issues that are planned to be corrected in the second revision of the program.




Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1, 5, 11-13, 15, and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Gray et al. (herein called Gray) (US Patent 8,892,954 B1) and Dancy et al. (herein called Dancy) (US PG Pub. 2014/0095934 A1).

As per claim 1, Gray teaches: a non-transitory computer-readable medium embodying a program executable in at least one computing device, wherein when executed the program causes the at least one computing device to at least: 
perform a first security analysis upon a plurality of first revisions of a plurality of programs (col. 3 lines 55-col. 4 line 65, computing devices each have a first version of an application in operation that has problem/fault/etc. causing the application to crash, such as when application attempts to access memory it is not permitted to access/application becomes unresponsive/application consumes more resources than is allowed/etc., and crash report is generated and submitted to crash report system/module for analysis/determination as to whether threshold amount of crash reports have been received/etc. and a determination is made to provide a second version of the application to computing devices.); 
generate first report data identifying a first plurality of security issues found in the first security analysis (col. 3 lines 55-col. 4 line 65, col. 5 lines 30-40, col. 6 lines 5-20, computing devices each have a first version of an application in operation that has problem/fault/etc. (security issue) causing the application to crash, such as when application attempts to access memory it is not permitted to access/application becomes unresponsive/application consumes more resources than is allowed/etc., crash report is generated and submitted to crash report system/module for analysis/determination, cause of crashes/fault/problem/etc. is determined, and determination is made as to whether the cause is corrected by a second version of the application.); 
perform a second security analysis upon a plurality of second revisions of the plurality of programs (col. 4 line 57-col. 5 line 40, col. 6 lines 5-25, information for versions of application also associates each version with causes of crashes/problem/fault/etc. corrected by the version, and if amount of crash reports received is greater than threshold amount then crash report module determines second version corrects the cause/causes of the crash reports/fault/problem in the first version/etc. (second version/revision of the application/program has security analysis performed/determined to correct cause of crash/problem/fault/etc. of the first version).); 
generate second report data identifying a second plurality of security issues found in the second security analysis (col. 5 lines 19-40, col. 6 lines 5-25, version information of application associates each version with causes of crashes/problems/faults/etc. that are corrected by the version, and crash report module determines causes of crash reports/problems/etc. of first version are corrected by second version of application (information/determination/report data/etc. identifies security issues/problems/faults/causes of crash/etc. corrected by second version in second security analysis of second version/version information of second version/determination of second version/etc.).); and 
individual ones of the first plurality of security issues are corrected in the plurality of second revisions as determined based at least in part on a comparison of the first plurality of security issues to the second plurality of security issues (col. 3 lines 60-col. 4 line 10, col. 5 lines 19-40, col. 6 lines 5-25, first version of application experiences fault/problem/security issue causing application to crash and crash report is generated and sent to crash report system/module which determines second version of application that corrects the problem/issue in the crash report, and information for versions of application associates versions of application with causes of crashes corrected by the versions/security issues corrected by the versions/etc. which is used to determine second version of application corrects the problem/issues resulting in the crash. As information for versions is used to determine second version that corrects problem/issue in the crash report of first version and information for versions associates application versions with causes of crashes/problems/security issues corrected by the version, the first plurality of security issues/faults/problems in crash report is compared to security issues in second plurality of security issues/faults/problems/causes of crash reports corrected by versions as indicated in information for versions to determine second version that corrects problems/faults/issues in crash report for first version, and as such individual ones of the first plurality of security issues/faults/problems/etc. in first crash report are corrected in the plurality of second revisions/second application versions as determined based at least in part on a comparison of the first plurality of security issues to the second plurality of security issues.).
While Gray teaches receiving crash reports indicating faults/problems/security issue/etc. of a first version and determining a second version that corrects the issues/problems/faults/etc. of the first version, it does not explicitly state, however  teaches:
the first security analysis being based at least in part on a plurality of rules (pars. [0023]-[0025], [0029], problem reports in response to errors/application protocol problems/etc. have mapping policies/rules used to create data structures illustrating associations among data in reports.);
the second security analysis being based at least in part on the plurality of rules (pars. [0004], [0014], [0025], [0029]-[0030], mapping policies/rules are used to create mapping data structure and mapping policies/rules and mapping data structure are used to generate test cases to that test execution of second version of software product developed that addresses the errors/problems reported (second security analysis based on rules/policies identifies/determines/etc. that security issues/problems/faults/errors/etc. reported are corrected/addressed by second version).); and 
cause the plurality of rules to be updated based at least in part on whether individual ones of the first plurality of security issues are corrected in the plurality of second revisions as determined based at least in part on a comparison of the first plurality of security issues to the second plurality of security issues (pars. [0025], [0029], mapping policies/rules and mapping data structure are updated/modified/etc. in response to new problem reports being received/based on test case production metrics indicated in mapping policies/etc.. As mapping policies/rules are modified/updated in response to new problem reports being received, problem reports are received in response to problems occurring in application versions deployed to user/customer/etc., and the second version is developed and deployed to user/customer/etc. to correct/address/etc. problem/error/security issue/etc., it is obvious that the modified/updated policies in response to new problem reports received for second application version deployed that addresses/corrects the problem/security issue in first version/application is cause the rules/policies to be updated/modified based at least in part on whether individual ones of the first plurality of security issues/problems are corrected in the plurality of second revisions as determined based at least in part on a comparison of the first plurality of security issues to the second plurality of security issues/rules/policies are updated/modified based on whether second application/version corrects security issues/problems/errors of first application when it is deployed after determining that it addresses/corrects/etc. the issues/problems/errors.).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to add the first security analysis being based at least in part on a plurality of rules; the second security analysis being based at least in part on the plurality of rules; and cause the plurality of rules to be updated based at least in part on whether individual ones of the first plurality of security issues are corrected in the plurality of second revisions as determined based at least in part on a comparison of the first plurality of security issues to the second plurality of security issues, as conceptually taught by Dancy, into that of Gray because these modifications allow for versions of applications to be developed over their lifecycle that correct/address/etc. problems/errors/security issues/etc. that occur when they are deployed to users/customers/etc., thereby helping to ensure that issues/problems/errors/etc. that occur/are encountered/etc. by the application versions may be corrected/fixed/addressed/etc., which is desirable as it helps ensure that issues/errors are corrected and the deployed applications operate correctly as desired.

As per claims 5, 11, and 15, they recite systems and a method, respectively, having similar limitations to the non-transitory computer-readable medium of claim 1, and are rejected for the same reasoning as claim 1, above. 

As per claim 12, Gray does not explicitly state, however Dancy teaches:
wherein causing the plurality of rules to be updated further comprises modifying a configuration of a security analysis tool used to perform the security analysis (pars. [0025], [0029]-[0030], mapping policies/rules are used to generate mapping data structure and policies/rules and data structure are updated/modified/etc. in response to new problem reports being received/based on test case production metrics indicated in mapping policies/etc. and used to generate test cases used to test execution of second version of application associated with problems/security issues/etc..).
Therefore it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to add wherein causing the plurality of rules to be updated further comprises modifying a configuration of a security analysis tool used to perform the security analysis, as conceptually taught by Dancy, into that of Gray, because these modifications allow for versions of applications to be developed over their lifecycle that correct/address/etc. problems/errors/security issues/etc. that occur when they are deployed to users/customers/etc., thereby helping to ensure that issues/problems/errors/etc. that occur/are encountered/etc. by the application versions may be corrected/fixed/addressed/etc., which is desirable as it helps ensure that issues/errors are corrected and the deployed applications operate correctly as desired.

As per claim 13, Gray further teaches: wherein when executed the at least one application further causes the at least one computing device to automatically execute a security analysis tool to perform the security analysis upon the at least one second revision of the at least one program in response to receiving the at least one second revision of the at least one program (col. 4 line 57-col. 5 line 40, col. 6 lines 5-25, information for versions of application associates each version with causes of crashes/problem/fault/etc. corrected by the version (as such versions are received along with information for versions), and crash report module determines second version that corrects problems resulting in the crash reports from the first version of the application using the information for versions of the application (automatically execute security analysis tool/crash report module/etc. to perform security analysis on the second revision/determine second version that corrects problems resulting in the crash reports from the first version).).

As per claim 19, it recites a method having similar limitations to the non-transitory computer-readable medium of claim 12, as is therefore rejected for the same reasoning as claim 12, above. 

As per claim 20, Gray does not explicitly state, however Dancy teaches: 
determining, via at least one of one or more computing devices, whether the at least one first security issue is corrected in the at least one second revision further based at least in part on manual selection data indicating a subset of the at least one first security issue that is planned to be corrected in the at least one second revision of the at least one program (par. [0025], [0029]-[0030], mapping policies are applied to problem report of problems with first version to create mapping data structure/are used to create test cases/etc. which are used to develop and test execution of second version/first security issue is corrected in the second revision/etc., and user modifies mapping policies (manual selection data). As the mapping policies are used/applied to problem report/etc. to develop and test second version, and user may modify policies, the user modifying the mapping policies is manual selection indicating a subset of the security issues planned to be corrected in second revision/user modifying policies used to develop and test second version to ensure issue/problem is correct in second version/etc.).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to add determining, via at least one of one or more computing devices, whether the at least one first security issue is corrected in the at least one second revision further based at least in part on manual selection data indicating a subset of the at least one first security issue that is planned to be corrected in the at least one second revision of the at least one program, as conceptually taught by Dancy, into that of Gray because these modifications allow for increases user/developer/etc. control of the development process of the application versions thereby helping to ensure that developers correct/fix/etc. issues/problems/etc. that they desire/that are more critical/etc., thereby increasing user control over the development process and helping to ensure that the application operates as desired by the developer.

Claims 2-4, 6-8, 10, and 16-18 are rejected under 35 U.S.C. 103 as being unpatentable over Gray et al. (herein called Gray) (US Patent 8,892,954 B1) and Dancy et al. (herein called Dancy) (US PG Pub. 2014/0095934 A1) in further view of Kogan-Katz et al. (herein called Katz) (US PG Pub. 2015/0355998 A1).

As per claim 2, while Gray and Dancy teach developing application versions, receiving reports of problems/errors/faults/security issues and developing further application version that corrects/addresses the problems/errors/faults/issues/, they do not explicitly state, however Katz teaches:
wherein when executed the program further causes the at least one computing device to at least determine a developer who wrote first source code corresponding to at least a threshold quantity of the first plurality of security issues that are corrected in the plurality of second revisions (pars. [0016], [0021]-[0023], applications are monitored during execution and logs/error logs are created that associated errors/security issues with source code/code portions/etc. and developer that added/modified/etc. (wrote) the code/portion associated with error/issue (source code corresponding to first security issues/error/problem/at least a threshold quantity of first plurality of issues) is associated with the code associated with the error (determine developer who wrote first source code corresponding to first security issues that identified in error log/report/etc. and are corrected in second revision/second version).).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to add wherein when executed the program further causes the at least one computing device to at least determine a developer who wrote first source code corresponding to at least a threshold quantity of the first plurality of security issues that are corrected in the plurality of second revisions, as conceptually taught by Katz, into that of Gray and Dancy because these modifications allow for identification of the developers responsible for/that developed/etc. the code that corresponds to the error to be determined thereby allowing them to be notified of the errors so they may correct/modify/update/etc. the code to address the error, which is desirable as it helps ensure that errors are corrected and the application operates as desired by its developer.

As per claim 3, Gray further teaches: wherein when executed the program further causes the at least one computing device to at least determine a coding characteristic associated with the developer based at least in part on a source code analysis of second source code written by the developer (col. 4 line 57-col. 5 line 40, col. 6 lines 5-25, second application version developed by developers is determined to correct problem associated with first version.).

As per claim 4, Gray further teaches: wherein the coding characteristic comprises at least one of: a variable name characteristic, an indentation characteristic, a code commenting characteristic, or an optional punctuation usage characteristic (col. 5 lines 30-40, information for the versions of the application associates versions with causes of crashes that are corrected by the version. As the information for versions associates the versions with the causes of crashes/problems/issues corrected by the versions, the information is comments/data/information/etc. about the version/code/etc., and as such the coding characteristic/cause/problem corrected by the version is a code commenting/information/etc. characteristic.).

As per claims 6-8 and 16-18, they recite a system and a method, respectively, having similar limitations to the non-transitory computer-readable medium of claim 2-4, respectively, and are rejected for the same reasoning as claim 2-4, respectively, above.

As per claim 10, Gray further teaches: wherein the second source code does not exhibit the at least one first security issue or the at least one second security issue (col. 5 lines 15-40, col. 6 lines 15-25, second version of application/second source code corrects the problem that resulted in the crash report from the first version/cause of the crash report/first security issue. As the second version/second source code corrects the problem/cause/first security issue it is obvious that the second version/second source code does not exhibit/contain/etc. the problem/cause/first security issue.).

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Gray et al. (herein called Gray) (US Patent 8,892,954 B1) and Dancy et al. (herein called Dancy) (US PG Pub. 2014/0095934 A1) in further view of Lockhart et al. (herein called Lockhart) (US Patent 8,499,353 B2).

As per claim 14, Gray and Dancy do not explicitly state, however Lockhart teaches:
wherein the security analysis comprises a static code analysis and a dynamic code analysis (col. 4 line 58-col. 5 line 60, analysis engine receives application code and interacts with testing engines/review modules/etc. such as a dynamic testing engine, static testing engine, etc. which are used to test/analyze/etc. the application for security threats/problems/issues/etc., As dynamic and static testing engines are used to test/analyze/etc. application code for security threats, it is obvious that security analysis comprises static and dynamic code analysis.).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to add wherein the security analysis comprises a static code analysis and a dynamic code analysis, as conceptually taught by Lockhart, into that of Gray and Dancy, because these modifications allow for a method of effective and efficient testing/analysis/etc. of the code to be performed to find security issues/problems/etc., thereby helping to ensure that the application/code is adequately tested for issues/problems and that issues/problems are found/identified so they may be corrected, thereby helping to ensure that the application/code/program operates correctly as intended.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DOUGLAS M SLACHTA whose telephone number is (571)270-0653. The examiner can normally be reached Monday-Friday 6:30am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Chat Do can be reached on 571-272-3721. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/DOUGLAS M SLACHTA/           Examiner, Art Unit 2193