DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office action is in response to the amendment and the communication filed on 05/16/2022.
As per instant Examiner Amendment, claims 1-2, 7-9, 13 and 15-16 have been amended. Claims 1-20 have been examined and are pending in this application. 
Claims 1, 8 and 15 are independent.
Claims 1-20 are allowed.

Examiner Amendments


An Examiner's Amendment to the record appears below. Should the changes and/or additions be unacceptable to Applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
In an attempt to accelerate the prosecution process, the Examiner contacted the Applicant's representative, Ms. Ruthleen E. Uy (Reg No. 51361), and conducted a telephone interview on 05/31/2022. During the interview, the Examiner suggested rolling up Claim 2 into Claim 1 and mirroring the other independent claims with amended Claim 1 in order to put the application in condition for allowance. Ms. Ruthleen E. Uy agreed, and authorization for this Examiner's Amendment was given by Ms. Ruthleen E. Uy (Reg No. 51361) on 05/31/2022.


Amendments to the Claims:

Please replace claims 1-2, 7-9, 13 and 15-16 as follows:

Claim 1: 	(Currently Amended) A method for securing vulnerabilities in a software package, the method comprising performing, by a computer system:
receiving a set of libraries corresponding to third-party software used by the software package;
storing, in a database of the computer system, a uniform resource identifier (“URI”) for each library within the set of libraries; 
searching, by the computer system, a public domain for newer versions of each library of a list of afflicted libraries based on the URI for each library;
determining [[a]] the list of afflicted libraries from the set of libraries, wherein each library of the list of afflicted libraries is affected by a vulnerability;
determining one or more afflicted libraries from the list of afflicted libraries upon which an application of the software package depends, wherein the application executes code from the one or more afflicted libraries, and wherein the application calls the one or more afflicted libraries;
identifying, for each library of the one or more afflicted libraries in the list of afflicted libraries, a number of code calls that include the vulnerability, where a code call is made by an application program interface (API) of the application of the software package, and wherein the code calls are made to code within each library of the one or more afflicted libraries;
assigning a risk score to the API based on the number of code calls;
comparing the risk score of the API to a threshold risk value; and
causing a remedial action for each afflicted library called by the API in response to the risk score exceeding the threshold risk value.

Claim 2.	(Currently Amended) The method of claim 1, further comprising:
storing, in the database, release notes and changelogs associated with the newer versions; and
wherein the searching of the public domain is performed using a web crawler implemented by the computer system.

Claim 7.	(Currently Amended) The method of claim 1, wherein a higher risk score indicates a higher chance of a security breach and a lower risk score indicates a lower chance of [[a]] the security breach.

Claim 8.	(Currently Amended) A non-transitory computer-readable medium comprising instructions that are executable by a processing device for causing the processing device to:
receive a set of libraries corresponding to third-party software used by a software package;
store a uniform resource identifier (“URI”) for each library within the set of libraries; 
search a public domain for newer versions of each library of a list of afflicted libraries based on the URI for each library;
determine [[a]] the list of afflicted libraries from the set of libraries, wherein each library of the list of afflicted libraries is affected by a vulnerability;
determine one or more afflicted libraries from the list of afflicted libraries upon which an application of the software package depends, wherein the application executes code from the one or more afflicted libraries, and wherein the application calls the one or more afflicted libraries;
identify, for each library of the one or more afflicted libraries in the list of afflicted libraries, a number of code calls that include the vulnerability, where a code call is made by an application program interface (API) of the application of the software package, and wherein the code calls are made to code within each library of the one or more afflicted libraries;
assign a risk score to the API based on the number of code calls;
compare the risk score of the API to a threshold risk value; and
cause a remedial action for each afflicted library called by the API in response to the risk score exceeding the threshold risk value.

Claim 9.	(Currently Amended) The non-transitory computer-readable medium of claim 8 further comprising instructions that are executable by the processing device to:
store release notes and changelogs associated with the newer versions, wherein the search of the public domain is performed using a web crawler.

Claim 13.	(Currently Amended) The non-transitory computer-readable medium of claim 8 wherein a higher risk score indicates a higher chance of a security breach and a lower risk score indicates a lower chance of [[a]] the security breach.

Claim 15.	(Currently Amended) A system comprising:
a processing device,
a communications port, and
a non-transitory computer-readable medium comprising instructions that are executable by the processing device to:
receive, by the communication port, a set of libraries corresponding to third-party software used by a software package;
store a uniform resource identifier ("URI") for each library within the set of libraries;
search a public domain for newer versions of each library of a list of afflicted libraries based on the URI for each library;
determine [[a]] the list of afflicted libraries from the set of libraries, wherein each library of the list of afflicted libraries is affected by a vulnerability;
determine one or more afflicted libraries from the list of afflicted libraries upon which an application of the software package depends, wherein the application executes code from the one or more afflicted libraries, and wherein the application calls the one or more afflicted libraries;
identify, for each library of the one or more afflicted libraries in the list of afflicted libraries, a number of code calls that include the vulnerability, where a code call is made by an application program interface (API) of the application of the software package, and wherein the code calls are made to code within each library of the one or more afflicted libraries;
assign a risk score to the API based on the number of code calls;
compare the risk score of the API to a threshold risk value; and
cause a remedial action for each afflicted library called by the API in response to the risk score exceeding the threshold risk value.

Claim 16.	(Currently Amended) The system of claim 15, the non-transitory computer-readable medium further comprising instructions that are executable by the processing device to:
store release notes and changelogs associated with the newer versions, wherein the search of the public domain is performed using a web crawler.
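The procedure recited in independent claims 1, 8 and 15 (and the release-note and newer-version lookup of the dependent claims), carried through as an added example that is not part of the application or of this Office action. The library names, URIs, versions, call records and the "upgrade" remedial action are constructed stand-ins, and the public-domain search is modelled by a local dictionary keyed by URI rather than a web crawler.

```python
# Constructed sample data standing in for the claimed database and the
# "public domain" search; all names, URIs and versions are hypothetical.
LIBRARIES = {  # library -> URI stored in the database
    "jsonparse": "https://registry.example/jsonparse",
    "imglib": "https://registry.example/imglib",
    "netutil": "https://registry.example/netutil",
}
VULNERABLE = {"jsonparse", "imglib"}  # libraries affected by a vulnerability
# Code calls each API of the application makes into library code; the flag
# marks whether that call reaches the vulnerable code.
API_CALLS = {
    "upload": [("imglib", True), ("imglib", True), ("jsonparse", False), ("netutil", False)],
    "status": [("netutil", False)],
}
# Stand-in for searching the public domain by URI for newer versions.
REGISTRY = {"https://registry.example/jsonparse": "2.1.0", "https://registry.example/imglib": "1.4.3"}

def afflicted_libraries(libs, vulnerable):
    """Determine the list of afflicted libraries from the set of libraries."""
    return sorted(set(libs) & vulnerable)

def newer_versions(afflicted, libs, registry):
    """Resolve each afflicted library's stored URI to its newest published version."""
    return {lib: registry.get(libs[lib]) for lib in afflicted}

def vulnerable_call_counts(api_calls, afflicted):
    """Per API, the number of code calls into each afflicted library that include the vulnerability."""
    counts = {}
    for api, calls in api_calls.items():
        per_lib = {}
        for lib, reaches_vuln in calls:
            if lib in afflicted and reaches_vuln:
                per_lib[lib] = per_lib.get(lib, 0) + 1
        counts[api] = per_lib
    return counts

def risk_score(per_lib_counts):
    """Risk score assigned to an API from its number of vulnerable code calls."""
    return sum(per_lib_counts.values())

def remediation_plan(api_calls, libs, vulnerable, registry, threshold):
    """Where an API's risk score exceeds the threshold, emit a remedial action for each afflicted library it calls."""
    afflicted = afflicted_libraries(libs, vulnerable)
    versions = newer_versions(afflicted, libs, registry)
    actions = {}
    for api, per_lib in vulnerable_call_counts(api_calls, afflicted).items():
        if risk_score(per_lib) > threshold:
            called = {lib for lib, _ in api_calls[api] if lib in afflicted}
            actions[api] = {lib: f"upgrade to {versions[lib]}" for lib in sorted(called)}
    return actions
```

Note that the remedial action covers every afflicted library the over-threshold API calls, including one whose calls did not themselves reach the vulnerable code, which is how the claims phrase the step.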


Response to Arguments/Remarks
Claims 1-20 are allowed.

Examiner's Statement of Reasons for Allowance
Claims 1-20 are allowed.
The following is an examiner’s statement of reasons for allowance: 
The present invention maps third-party libraries to microservices used in an application of a software package, generates a list of afflicted libraries, and determines the number of code calls that an application program interface (API) makes to an afflicted library. A risk score is assigned to the API based on the number of code calls and compared against a threshold value to cause a remedial action to occur regarding the afflicted libraries.
The closest prior art, as previously recited, is Kadam (US 20190079734), GUO (US 20160232351), LEE (US 20130226975), Hunt (US 20180124110), Maier (US 20070006222), Mulchandan (US 20160357967) and Beale (US 20180069889). Kadam (US 20190079734) discloses upgrading libraries in a source code program by evaluating libraries in the source code program against predetermined selection criteria specifying library performance limitations to identify at least a first library which does not meet the plurality of predetermined selection criteria, and then identifying a first alternative library that is suitable for substitution for the first library so that the source code program may be automatically modified to replace the first library with the first alternative library, thereby generating a modified source code program having an upgraded library functionality. GUO (US 20160232351) discloses running a virus sample to be tested and recording an API call sequence produced during running of the virus sample, obtaining a characteristic API call sequence for each one of a plurality of virus families, matching the API call sequence produced during running of the virus sample to be tested with the characteristic API call sequences of the virus families, and obtaining a matching result. LEE (US 20130226975) discloses an information obtaining unit that obtains information on a content file selected by a user among content files stored in a plurality of categories having different access steps; and a file manager including a container manager to generate a virtual container by using the information obtained through the information obtaining unit, and to store the information on the content file to provide it to a user. Hunt (US 20180124110) discloses detecting malicious behavior using an accomplice model. The accomplice model may determine that a URI is associated with malicious behavior based upon the URI being associated with an attribute determined to be related to malicious behavior.
Maier (US 20070006222) discloses aborting the installation if the first and second software components have matching component identifiers and a current-version identifier of the first software component signifies an earlier version than an earliest-compatible-version identifier of the second software component. Mulchandan (US 20160357967) discloses receiving a request to determine a risk level for a particular process; accessing one or more signatures that provide one or more snapshots of characteristics of the particular process at one or more previous times; identifying one or more differences between the particular process in its current form and the one or more signatures; accessing information identifying previous usage of the computer system's resources by the particular process; and determining a current risk score for the particular process. Beale (US 20180069889) discloses receiving one or more values associated with a security breach for additional assets of a network infrastructure that are associated with an identified asset.
However, none of Kadam (US 20190079734), GUO (US 20160232351), LEE (US 20130226975), Hunt (US 20180124110), Maier (US 20070006222), Mulchandan (US 20160357967) or Beale (US 20180069889) teaches or suggests, alone or in combination, the particular combination of steps or elements as recited in independent Claim 1 and similarly Claim 8 and Claim 15. For example, none of the cited prior art teaches or suggests the steps of Claim 1 and similarly Claim 8 and Claim 15: receiving a set of libraries corresponding to third-party software used by the software package; storing, in a database of the computer system, a uniform resource identifier ("URI") for each library within the set of libraries; searching, by the computer system, a public domain for newer versions of each library of a list of afflicted libraries based on the URI for each library; determining the list of afflicted libraries from the set of libraries, wherein each library of the list of afflicted libraries is affected by a vulnerability; determining one or more afflicted libraries from the list of afflicted libraries upon which an application of the software package depends, wherein the application executes code from the one or more afflicted libraries, and wherein the application calls the one or more afflicted libraries; identifying, for each library of the one or more afflicted libraries in the list of afflicted libraries, a number of code calls that include the vulnerability, where a code call is made by an application program interface (API) of the application of the software package, and wherein the code calls are made to code within each library of the one or more afflicted libraries; assigning a risk score to the API based on the number of code calls; comparing the risk score of the API to a threshold risk value; and causing a remedial action for each afflicted library called by the API in response to the risk score exceeding the threshold risk value.

Therefore, the claims are allowable over the cited prior art.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHAO WANG whose telephone number is (313)446-6644.  The examiner can normally be reached on Monday-Friday 7:30-4:30PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  
For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


	/C.W./Examiner, Art Unit 2439   


	/JAHANGIR KABIR/Primary Examiner, Art Unit 2439