DETAILED ACTION
Remarks
This office action is in response to the amendment filed on 8/12/2022.
Claims 1, 3-12, 14-16, and 18-20 have been amended.
Objection to claims 3-4, 7-15, and 18 is withdrawn in view of Applicant’s amendment.
Objection to specification is withdrawn in view of Applicant’s amendment.
The 35 U.S.C. 112 second paragraph rejection to claims 7-11 and 13-15 is withdrawn in view of the Applicant’s amendment. However, claim 12 has not been changed. Therefore, 112b rejection to claim 12 is maintained.
Claims 1-20 remain pending and have been examined.


Information Disclosure Statement
One of the information disclosure statements filed 3/10/2020 has been placed in the application file and the information referred to therein has been considered.
As indicated in the previous office action (mailed on 3/29/2022), a copy of the NPL listed in one of the IDSs filed on 3/10/2020 is missing. This NPL still has not been received by the Office.
One of the IDSs filed on 3/10/2020 indicates “List of Patents or Patent Applications Treated as Related dated March 19, 2020, 2 pgs” (listed in the “NON-PATENT LITERATURE DOCUMENTS” section). However, no copy of such non-patent literature document has been received.

Response to Arguments/Amendments
Applicant’s amendment filed on 8/12/2022 necessitated additional clarification and/or the new ground(s) of rejection presented in this Office action.
Applicant’s arguments filed on 8/12/2022, in particular on pages 12-17, have been fully considered but they are not persuasive. For example:
At Remarks pages 12-14, Applicant submits that “the description of Dalessio with respect to a request 304 that enables to identify and locate an application package in a platform, is fundamentally different from, and unrelated to, obtaining a list of dependencies used by a deployed application that is deployed on the deployment platform, wherein said obtaining is based on a time of deployment of the deployed application”.
However, Examiner respectfully disagrees.
It is noted that the new limitation merely recites: “wherein said obtaining is based on a time of deployment of the deployed application” [emphasis added]. The recited “based on a time of deployment of the deployed application” can reasonably be interpreted as based on the current time (“a time”) of deployment as disclosed by Dalessio (i.e., “currently deployed application package” – current time deployed, see col.5, lines 4-11), in that the obtained/retrieved information states are based on the current time (“a time”) of deployment of the deployed application/package.
Dalessio discloses a report server for generating/obtaining “information states of currently deployed application packages…The information states can include library dependency lists for application package 202…” (i.e., col.5, lines 4-11). Dalessio also discloses “[t]he report server 102 can determine one or more dependency trees for the application package. Each dependency tree indicates hierarchical dependencies of libraries of the deployed application package” (i.e., col.3, lines 42-45). Therefore, Dalessio’s report server, in obtaining a list of dependencies in information states for the currently deployed application, teaches the limitation “said obtaining is based on a time of deployment of the deployed application”.
At Remarks page number 16, Applicant submits that “the recited extrapolation of the list of dependencies cannot be interpreted as the generation of dependencies by Parser 308 of Dalessio, at least since Parser 308 does not extrapolate the list of dependencies. Conversely, Parser 308 of Dalessio is a portion of the report server that is merely configured to parse the application package and the metadata to determine names and versions of libraries that are hard-coded in text strings. Parser 308 identified dependencies using hard-coded text strings of the application package and a checksum of a visited library, which cannot be read on an extrapolation”.
However, Examiner respectfully disagrees.
It is noted that the claim language merely recites “obtaining a package specification of the deployed application and extrapolating the list of dependencies based on the package specification and based on a time of deployment of the deployed application”. It can be seen that the extrapolating/determining is based on the obtained package specification and a time for the deployed application.
As discussed above, Dalessio discloses a report server to retrieve information states of currently deployed application packages, wherein the information states can include library dependency lists for application package (i.e., col.5, lines 4-11). Dalessio further discloses the report server “analyzes the bits and the metadata to determine libraries depended upon by the application package”. That is to say, Dalessio’s analysis result does determine/extrapolate the dependencies.
At Remarks pages 16-17, Applicant submits that “Dalessio fails to teach that the list of dependencies is determined by Parser 308 based on a time of deployment of the deployed application”.
However, Examiner respectfully disagrees.
As discussed above, “a time of deployment of the deployed application” can reasonably be interpreted as “currently deployed application package”, that is, the current time (“a time”) of deployment of the deployed application/package.
Dalessio discloses a report server for generating/obtaining “information states of currently deployed application packages…The information states can include library dependency lists for application package 202…” [emphasis added] (i.e., col.5, lines 4-11). Therefore, Dalessio’s report server to “retrieve information states of currently deployed application packages” discloses the limitation about “a time of deployment of the deployed application” as recited.
At Remarks page number 17, Applicant submits that “the cited art, alone or in combination, fails to teach or suggest, let alone disclose "obtaining the list of dependencies comprises one of the following: (1) sending a query via an Application Programming Interface (API) of the development platform to obtain the list of dependencies of the deployed application; (2) obtaining application files of the deployed application via the API of the development platform, wherein the application files are files uploaded to the deployment platform by a developer of the deployed application at or before deployment thereof; and extracting the list of dependencies from the application files; and (3) obtaining a package specification of the deployed application and extrapolating the list of dependencies based on the package specification and based on a time of deployment of the deployed application"
However, Examiner respectfully disagrees.
It is noted that the claim language merely recites “obtaining the list of dependencies comprises one of the following…” [emphasis added], which means it is not necessary to disclose all three limitations. Dalessio discloses a report server to retrieve information states of currently deployed application packages, wherein the information states can include library dependency lists for application package (i.e., col.5, lines 4-11). Dalessio further discloses the report server “analyzes the bits and the metadata to determine libraries depended upon by the application package”. Therefore, Dalessio discloses one of the listed limitations, namely “(3) obtaining a package specification of the deployed application and extrapolating the list of dependencies based on the package specification and based on a time of deployment of the deployed application”.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 12 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claim 12:
In line 10, it is not clear whether “the version number” refers to “a minimal version number” in line 7 or “a maximum version number” in line 8 of the claim. For the purpose of compact prosecution, Examiner treats "the version number" as --a version number--.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.   A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. 
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).

Claims 1, 4-6, 16, and 19-20 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1, 6-8, and 21 of issued Patent No. US10,691,577B2 in view of Alam (Michael Alam, WO2017/173344A1); see the table below:
Claim 7 is rejected on the ground of nonstatutory obviousness-type double patenting as being anticipated by claim 10 of the issued Patent US10,691,577B2:
Instant Application 16/823,393 compared with Patent US10,691,577B2:

Instant Application 16/823,393, Claim 1:
A method performed by a processing apparatus external to a deployment platform, wherein said method comprising:
obtaining a list of dependencies used by a deployed application that is deployed on the deployment platform, wherein said obtaining is based on a time of deployment of the deployed application;
mapping each dependency of the list of dependencies with a flaws database, wherein the flaws database comprising an indication of known flaws for different dependencies and different versions thereof; and
based on said mapping, determining one or more flaws in the deployed application, wherein said determining the one or more flaws is performed externally to the deployment platform and without executing a monitoring process thereon;
[filtering the one or more flaws using at least one criterion, whereby obtaining one or more reportable flaws; and
reporting the one or more reportable flaws to a developer of the deployed application].

Patent US10,691,577B2, Claim 1:
A method performed by a processing apparatus external to a deployment platform, wherein said method comprises:
obtaining a list of dependencies used by an application that is deployed on the deployment platform; said obtaining the list of dependencies comprising:
retrieving a package specification of the application from the deployment platform, wherein said retrieving is performed in response to a retrieval query sent to the deployment platform;
determining a time of deployment of the application, wherein the time of deployment is a time when the application was deployed on the deployment platform; and
resolving the package specification based on the time of deployment, said resolving comprising determining a set of dependencies that were obtained by the deployment platform at the time of deployment in order to satisfy the package specification, by mimicking the resolution performed by the deployment platform;
mapping each dependency of the list of dependencies with a flaws database, the flaws database comprising indications of known flaws for different dependencies and different versions thereof; and
based on said mapping, determining one or more flaws in the application, wherein said determining the one or more flaws is performed externally to the deployment platform and without executing a monitoring process thereon.

Instant Application 16/823,393, Claim 7:
An apparatus comprising a processor of a processing apparatus the processor adapted to obtain a list of dependencies used by a deployed application that is deployed on the deployment platform, wherein said obtaining the list of dependencies comprises one of the following: (1) sending a query via an Application Programming Interface (API) of the development platform to obtain the list of dependencies of the deployed application; (2) obtaining application files of the deployed application via the API of the development platform, wherein the application files are files uploaded to the deployment platform by a developer of the deployed application at or before deployment thereof; and extracting the list of dependencies from the application files; and (3) obtaining a package specification of the deployed application and extrapolating the list of dependencies based on the package specification and based on a time of deployment of the deployed application;
map each dependency of the list of dependencies with a flaws database, the flaws database comprising an indication of known flaws for different dependencies and different versions thereof;
based on said mapping, determine one or more flaws in the deployed application, wherein said determining the one or more flaws is performed externally to the deployment platform and without executing a monitoring process thereon;
[filter the one or more flaws using at least one criterion, whereby obtaining one or more reportable flaws; and report the one or more reportable flaws to the developer of the deployed application].

Patent US10,691,577B2, Claim 1:
A method performed by a processing apparatus external to a deployment platform, wherein said method comprises:
obtaining a list of dependencies used by an application that is deployed on the deployment platform; said obtaining the list of dependencies comprising:
retrieving a package specification of the application from the deployment platform, wherein said retrieving is performed in response to a retrieval query sent to the deployment platform;
determining a time of deployment of the application, wherein the time of deployment is a time when the application was deployed on the deployment platform; and
resolving the package specification based on the time of deployment, said resolving comprising determining a set of dependencies that were obtained by the deployment platform at the time of deployment in order to satisfy the package specification, by mimicking the resolution performed by the deployment platform;
mapping each dependency of the list of dependencies with a flaws database, the flaws database comprising indications of known flaws for different dependencies and different versions thereof; and
based on said mapping, determining one or more flaws in the application, wherein said determining the one or more flaws is performed externally to the deployment platform and without executing a monitoring process thereon.

Instant Application 16/823,393, Claim 16:
A non-transitory computer readable medium comprising instructions, wherein said instructions, when read by a processor of a processing apparatus external to a deployment platform, cause the processor to perform:
obtaining a list of dependencies used by a deployed application that is deployed on the deployment platform, wherein said obtaining the list of dependencies comprises one of the following: (1) sending a query via an Application Programming Interface (API) of the development platform to obtain the list of dependencies of the deployed application; (2) obtaining application files of the deployed application via the API of the development platform, wherein the application files are files uploaded to the deployment platform by a developer of the deployed application at or before deployment thereof; and extracting the list of dependencies from the application files; and (3) obtaining a package specification of the deployed application and extrapolating the list of dependencies based on the package specification and based on a time of deployment of the deployed application;
mapping each dependency of the list of dependencies with a flaws database, wherein the flaws database comprising an indication of known flaws for different dependencies and different versions thereof;
based on said mapping, determining one or more flaws in the deployed application, wherein said determining the one or more flaws is performed externally to the deployment platform and without executing a monitoring process thereon;
[filtering the one or more flaws using at least one criterion, whereby obtaining one or more reportable flaws; and reporting the one or more reportable flaws to the developer of the deployed application.]

Patent US10,691,577B2, Claim 21:
A non-transitory computer readable medium comprising instructions, wherein said instructions, when read by a processor, cause the processor to perform:
obtaining a list of dependencies used by an application that is deployed on the deployment platform;
said obtaining the list of dependencies comprising:
retrieving a package specification of the application from the deployment platform, wherein said retrieving is performed in response to a retrieval query sent to the deployment platform;
determining a time of deployment of the application, wherein the time of deployment is a time when the application was deployed on the deployment platform; and
resolving the package specification based on the time of deployment, said resolving comprising determining a set of dependencies that were obtained by the deployment platform at the time of deployment in order to satisfy the package specification, by mimicking the resolution performed by the deployment platform;
mapping each dependency of the list of dependencies with a flaws database, the flaws database comprising indications of known flaws for different dependencies and different versions thereof; and
based on said mapping, determining one or more flaws in the application, wherein said determining the one or more flaws is performed externally to the deployment platform and without executing a monitoring process thereon.

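Instant Application 16/823,393, Claim 4 vs. Patent US10,691,577B2, Claim 6
Instant Application 16/823,393, Claim 5 vs. Patent US10,691,577B2, Claim 7
Instant Application 16/823,393, Claim 6 vs. Patent US10,691,577B2, Claim 8
Instant Application 16/823,393, Claim 19 vs. Patent US10,691,577B2, Claim 7
Instant Application 16/823,393, Claim 20 vs. Patent US10,691,577B2, Claim 8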
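
The steps quoted in the comparison above (resolve the package specification as of the time of deployment, map the resolved versions to a flaws database, filter by a criterion, report) can be illustrated in code. This is an added example, not part of the office action, the application, or either cited reference; the registry, package names, the minimum/maximum-version spec format, the `EXAMPLE-` flaw identifiers and the severity criterion are all constructed assumptions.

```python
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed registry: package -> [(version, release date)].
REGISTRY = {
    "libalpha": [("1.0.0", date(2019, 1, 10)), ("1.2.0", date(2019, 6, 1)),
                 ("1.3.0", date(2020, 2, 20)), ("2.0.0", date(2020, 5, 5))],
    "libbeta": [("0.4.0", date(2018, 11, 3)), ("0.4.1", date(2019, 9, 15))],
    "libgamma": [("3.0.0", date(2020, 1, 1))],
}

# Constructed package specification: package -> (minimum, maximum or None).
PACKAGE_SPEC = {
    "libalpha": ("1.0.0", "1.9.9"),
    "libbeta": ("0.4.0", None),
    "libgamma": ("3.0.0", None),
}

# Constructed flaws database: affected range is [introduced, fixed).
FLAWS_DB = [
    {"id": "EXAMPLE-0001", "package": "libalpha",
     "introduced": "1.0.0", "fixed": "1.3.0", "severity": "high"},
    {"id": "EXAMPLE-0002", "package": "libbeta",
     "introduced": "0.4.0", "fixed": "0.4.1", "severity": "low"},
    {"id": "EXAMPLE-0003", "package": "libalpha",
     "introduced": "2.0.0", "fixed": None, "severity": "critical"},
]


def parse_version(text):
    """Turn 'x.y.z' into a tuple so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def resolve_at(spec, registry, deployed_on):
    """Pick, per package, the highest in-range version released on or
    before the deployment date; packages with no match are unresolved."""
    resolved, unresolved = {}, []
    for name, (lo, hi) in sorted(spec.items()):
        candidates = [
            version for version, released in registry.get(name, [])
            if released <= deployed_on
            and parse_version(version) >= parse_version(lo)
            and (hi is None or parse_version(version) <= parse_version(hi))
        ]
        if candidates:
            resolved[name] = max(candidates, key=parse_version)
        else:
            unresolved.append(name)  # unknown state, not "clean"
    return resolved, unresolved


def map_flaws(resolved, flaws_db):
    """Return flaws whose affected range contains the resolved version."""
    hits = []
    for flaw in flaws_db:
        version = resolved.get(flaw["package"])
        if version is None:
            continue
        v = parse_version(version)
        if v < parse_version(flaw["introduced"]):
            continue
        if flaw["fixed"] is not None and v >= parse_version(flaw["fixed"]):
            continue
        hits.append({**flaw, "version": version})
    return hits


def filter_flaws(flaws, min_severity):
    """Keep only flaws at or above the chosen severity (the criterion)."""
    floor = SEVERITY_RANK[min_severity]
    return [f for f in flaws if SEVERITY_RANK[f["severity"]] >= floor]


def scan(spec, deployed_on, min_severity="medium"):
    """Resolve, map and filter; nothing runs on the deployment platform."""
    resolved, unresolved = resolve_at(spec, REGISTRY, deployed_on)
    reportable = filter_flaws(map_flaws(resolved, FLAWS_DB), min_severity)
    return {
        "resolved": resolved,
        "unresolved": unresolved,
        "reportable": [(f["id"], f["package"], f["version"]) for f in reportable],
    }


if __name__ == "__main__":
    # Same specification, two deployment dates, two different findings.
    for when in (date(2019, 7, 1), date(2020, 6, 1)):
        print(when, scan(PACKAGE_SPEC, when))
```

Resolving the same specification against the registry as it stands later yields a fixed version and no finding, so a scanner that ignores the deployment date under-reports older deployments.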


Claims 1 and 16:
Claim 1 of the issued patent (US10,691,577B2) claims the limitations as recited in claim 1 of the instant application as shown in the table above.
However, claim 1 or 21 of the issued patent (US10,691,577B2) does not explicitly claim the recited limitations “filtering the one or more flaws using at least one criterion, whereby obtaining one or more reportable flaws” and “reporting the one or more reportable flaws to a developer of the deployed application”.
However, Alam discloses the limitation about filtering the one or more flaws using at least one criterion, whereby obtaining one or more reportable flaws (i.e., Fig.4, steps 402-404, “Retrieve error events” and “Filter error events according to user defined criteria”), and reporting the one or more reportable flaws to a developer of the deployed application (i.e., Fig.4, steps 406-408, “Display report results generated by processed report rules”). 
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to incorporate Alam’s flaws filtering and report feature. One would have been motivated to do so to “generate meaningful test report” (see paragraph [0034], “…generate meaningful test report. The processing of the error events may allow similar errors to be combined together, other issues to be identified, possible corrections identified, and other information reported”).

Claim 7:
Claim 1 of the issued patent (US10,691,577B2) claims all the limitations performed by the apparatus as recited in claim 7 of the instant application as shown in the table above. It is obvious that the method/steps require the apparatus to perform and realize the claimed limitations. Therefore, it is rejected on the ground of nonstatutory obviousness-type double patenting as being anticipated by claim 10 of the issued patent.
However, the claim of the issued patent (US10,691,577B2) does not explicitly claim the recited limitations “filtering the one or more flaws using at least one criterion, whereby obtaining one or more reportable flaws” and “reporting the one or more reportable flaws to a developer of the deployed application”.
However, Alam discloses the limitation about filtering the one or more flaws using at least one criterion, whereby obtaining one or more reportable flaws (i.e., Fig.4, steps 402-404, “Retrieve error events” and “Filter error events according to user defined criteria”), and reporting the one or more reportable flaws to a developer of the deployed application (i.e., Fig.4, steps 406-408, “Display report results generated by processed report rules”). 
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to incorporate Alam’s flaws filtering and report feature. One would have been motivated to do so to “generate meaningful test report” (see paragraph [0034], “…generate meaningful test report. The processing of the error events may allow similar errors to be combined together, other issues to be identified, possible corrections identified, and other information reported”).

Claims 4-6 and 19-20:
Claims 4-6 and 19-20, with similar limitations as recited, are considered obvious to one having ordinary skill in the art at the time of the invention in view of claims 6-8 of the issued parent patent (US10,691,577 B2) as modified above. Therefore, they are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 6-8 of US patent US10,691,577B2 in view of Alam.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1-7, 9-17 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Dalessio (Dalessio et al., US10,235,527B1 – cited from the IDS filed on 3/19/2020) in view of Alam (Michael Alam, WO2017/173344A1).
With respect to claim 1, Dalessio discloses:
A method performed by a processing apparatus (i.e., “Report Server” – Fig.1:102) external to a deployment platform (i.e., “Cloud Development Platform” – Fig.1:104), wherein said method comprising: 
obtaining a list of dependencies (i.e., “dependency tree”) used by a deployed application that is deployed on the deployment platform (see Fig.1, and col.3:42-57, “The report server 102 can determine one or more dependency trees for the application package.  Each dependency tree indicates hierarchical dependencies of libraries of the deployed application package”), wherein said obtaining is based on a time of deployment of the deployed application (i.e., col.5, lines 4-11, “retrieve information states of currently deployed application packages”).
mapping each dependency of the list of dependencies (i.e., “Dependency Data Store”) with a flaws database (i.e., “Library Data Store(s)”/“Software Vulnerability DB”), wherein the flaws database comprising an indication of known flaws (i.e., “status information 122”) for different dependencies and different versions thereof (see Fig.1-3, item 118 – “Library Data Store(s)”, item 208 – “Software Vulnerability DB”, item 314 – “Dependency Data Store”, item 316 – “Status Module”, and col.3:65-col.4:8, “a library data store can be a software vulnerability database storing information on whether, and to what degree, a particular version of a library is vulnerable to what kind of security breach”); and
based on said mapping, determining one or more flaws in the deployed application, wherein said determining the one or more flaws (i.e., “Listing 3: Example vulnerability Report”) is performed externally to the deployment platform (i.e., “Report Engine 318” in “Report Server 102” and “Cloud Deployment Platform 104” – externally to each other) and without executing a monitoring process thereon (i.e., Fig.1 and 3 – determining is performed in Report Server – without executing a monitoring process in Cloud Deployment Platform; and Fig.7, step 708 – “Determining…vulnerabilities of each library”);
[filtering the one or more flaws using at least one criterion, whereby obtaining one or more reportable flaws]; and 
reporting the one or more reportable flaws to a developer of the deployed application (i.e., Fig.1, item 124 – “Report” and Fig.7 step 710 – “Providing a notification to a client device indicating that the application is vulnerable to one or more security breaches” and “Listing 3: Example vulnerability Report” in col.9 and Fig.4).  

Dalessio does not explicitly disclose the limitation about “filtering the one or more flaws using at least one criterion, whereby obtaining one or more reportable flaws”.
However, Alam discloses the limitation about filtering the one or more flaws using at least one criterion, whereby obtaining one or more reportable flaws (i.e., Fig.4, steps 402-404, “Retrieve error events” and “Filter error events according to user defined criteria”). 
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to incorporate Alam’s flaws filtering and report feature. One would have been motivated to do so to “generate meaningful test report” (see paragraph [0034], “…generate meaningful test report. The processing of the error events may allow similar errors to be combined together, other issues to be identified, possible corrections identified, and other information reported”).

With respect to claim 2, Dalessio discloses:
 wherein said reporting the one or more reportable flaws is performed without executing processes on the deployment platform (i.e., “Report Server”/ “Cloud Development Platform”– Fig.1:102/104 – using “Report Engine 318” in “Report Server 102” – Fig.3), using an external processing apparatus in network communication (i.e., “Report Server” in cloud network/system – Fig.1) with the deployment platform to mitigate a lack of processing resources available at the deployment platform (i.e., Fig.1 and 3; Also see col.7:66-col.8:2).  

With respect to claim 3, Dalessio discloses:
wherein said obtaining the list of dependencies comprises:
obtaining a package specification of the deployed application (i.e., “Application Package 202”) and extrapolating the list of dependencies (i.e., dependencies generated by the “Dependency Analyzer 302” /“Parser 308” in “Dependency Data Store 314”) based on the package specification  (i.e., “Application Package 202”) and based on a time of deployment of the deployed application (i.e., “Application Name 304” – a time the application has been deployed)(see Fig.3, items 202, 302-381 and col.3:42-57, col.6:31- col.7:58).  

With respect to claim 4, Dalessio discloses:
wherein the deployment platform is [a Function as a Service (FaaS) platform upon which the deployed application is deployed] or a Platform as a Service (PaaS) platform upon which the deployed application is deployed (i.e., “PaaS” – see col.1, lines 26-28, “The deployment platform is sometimes referred to as a cloud-based application deployment platform or platform as a service (PaaS)”).

With respect to claim 5, Dalessio discloses:
 monitoring updates in the flaws database to identify flaws relevant for the deployed application; and in response to identifying a new flaw in the deployed application, reporting the new flaw (i.e., col.4, lines 15-19, “the library index database can store version information including a current version number of a library…the most recent release, a release date of the current version, a list of previous versions of the libraries and their respective release dates, release notes of each version, a list of differences between the current version and a previous version, a status of a previous version”- Notes: different version of release with current version and previous versions indicating monitoring/reporting feature).  

With respect to claim 6, Alam further discloses:
wherein the at least one criterion comprises a user-defined criterion, the method further comprising: determining, based on the user-defined criterion, whether a determined flaw is to be reported (i.e., Fig.4, steps 402-404, “Retrieve error events” and “Filter error events according to user defined criteria”); and reporting only a subset of the flaws that match the user-defined criterion (i.e., Fig.3, item 302 – “Error Events”, item 304 – “Filtered Error Event”, items 306a-d – “Selected Report Rules” and items 308a-f – “Displayed Report Result”).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to further incorporate Alam’s flaws filtering and report feature. One would have been motivated to do so to “generate meaningful test report” (see paragraph [0034], “…generate meaningful test report. The processing of the error events may allow similar errors to be combined together, other issues to be identified, possible corrections identified, and other information reported”).  

With respect to claims 7 and 16, Dalessio discloses:
 A non-transitory computer readable medium, and an apparatus comprising a processor of a processing apparatus that is external to a deployment platform, the apparatus comprising coupled memory, the processor adapted to 
obtain a list of dependencies used by a deployed application that is deployed on the deployment platform (see Fig.1, and col.3:42-57, “The report server 102 can determine one or more dependency trees for the application package.  Each dependency tree indicates hierarchical dependencies of libraries of the deployed application package”), wherein said obtaining the list of dependencies comprises one of the following: [(1) sending a query via an Application Programming Interface (API) of the development platform to obtain the list of dependencies of the deployed application; (2) obtaining application files of the deployed application via the API of the development platform, wherein the application files are files uploaded to the deployment platform by a developer of the deployed application at or before deployment thereof; and extracting the list of dependencies from the application files; and (3)] obtaining a package specification of the deployed application (i.e., “Application Package 202”) and extrapolating the list of dependencies based on the package specification (i.e., dependencies generated by the “Dependency Analyzer 302” /“Parser 308” in “Dependency Data Store 314”) and based on a time of deployment of the deployed application (i.e., col.5, lines 4-11 – based on a current time/currently deployed application) (see Fig.3, items 202, 302-381 and col.3:42-57, col.6:31- col.7:58);
map each dependency of the list of dependencies (i.e., “Dependency Data Store”) with a flaws database (i.e., “Library Data Store(s)”/“Software Vulnerability DB”), the flaws database comprising an indication of known flaws for different dependencies and different versions thereof (see Fig.1-3, item 118 – “Library Data Store(s)”, item 208 – “Software Vulnerability DB”, item 314 – “Dependency Data Store”, item 316 – “Status Module”, and col.3:65-col.4:8, “a library data store can be a software vulnerability database storing information on whether, and to what degree, a particular version of a library is vulnerable to what kind of security breach”);
based on said mapping, determine one or more flaws in the deployed application, wherein said determining the one or more flaws (i.e., “Listing 3: Example vulnerability Report”) is performed externally to the deployment platform (i.e., “Report Engine 318” in “Report Server 102” and “Cloud Deployment Platform 104” – externally to each other) and without executing a monitoring process thereon (i.e., Fig.1 and 3 – determining is performed in Report Server – without executing a monitoring process in Cloud Deployment Platform; and Fig.7, step 708 – “Determining…vulnerabilities of each library”);
[filter the one or more flaws using at least one criterion, whereby obtaining one or more reportable flaws;] and 
report the one or more reportable flaws to the developer of the deployed application (i.e., Fig.1, item 124 – “Report” and Fig.7 step 710 – “Providing a notification to a client device indicating that the application is vulnerable to one or more security breaches” and “Listing 3: Example vulnerability Report” in col.9 and Fig.4).
Dalessio does not explicitly disclose the limitation about “filtering the one or more flaws using at least one criterion, whereby obtaining one or more reportable flaws”.
However, Alam discloses the limitation about filtering the one or more flaws using at least one criterion, whereby obtaining one or more reportable flaws (i.e., Fig.4, steps 402-404, “Retrieve error events” and “Filter error events according to user defined criteria”). 
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to incorporate Alam’s flaws filtering and report feature. One would have been motivated to do so to “generate meaningful test report” (see paragraph [0034], “…generate meaningful test report. The processing of the error events may allow similar errors to be combined together, other issues to be identified, possible corrections identified, and other information reported”).



With respect to claim 9, Dalessio discloses:
 wherein the deployment platform is a Platform as a Service (PaaS) platform upon which the deployed application is deployed (i.e., “PaaS” – see col.1, lines 26-28, “The deployment platform is sometimes referred to as a cloud-based application deployment platform or platform as a service (PaaS)”).  

With respect to claims 10 and 19, Dalessio discloses:
wherein said processor is configured to monitor for updates in the flaws database to identify flaws relevant for the deployed application, and in response to identifying a new flow in the deployed application, and report the new flow (i.e., col.4, lines 15-19, “the library index database can store version information including a current version number of a library…the most recent release, a release date of the current version, a list of previous versions of the libraries and their respective release dates, release notes of each version, a list of differences between the current version and a previous version, a status of a previous version” - Notes: different version of release with current version and previous versions indicating monitoring/reporting feature).  

With respect to claims 11 and 17, Dalessio discloses:
wherein said processor is configured to perform said report the one or more reportable flaws without executing processes on the deployment platform, using an external processing apparatus in network communication with the deployment platform to mitigate a lack of processing resources available at the deployment platform (i.e., “Report Server”/ “Cloud Development Platform”– Fig.1:102/104 – using “Report Engine 318” in “Report Server 102” – Fig.3), using an external processing apparatus in network communication (i.e., “Report Server” in cloud network/system – Fig.1) with the deployment platform to mitigate a lack of processing resources available at the deployment platform (i.e., Fig.1 and 3; Also see col.7:66-col.8:2).  

With respect to claim 12, Dalessio discloses:
Wherein the package specification is a specification file comprising the list of dependencies, wherein for each dependency in the list of dependencies, the specification file provides a respective version indication, wherein for at least one dependency in the list of dependencies, a version indication in the specification file is one of the following: [a minimal version number;] a maximal version number (i.e., most recent version/current version number, see col.4, lines 12-19, “version information including a current version number of a library, e.g., a user interface library, that is the most recent release, a release date of the current version, a list of previous versions”. Notes: the maximal version number is considered as the current version number); [a version compatible with another identified version; an expression using wildcards representing the version number; and a range of versions].  

With respect to claim 13, Dalessio discloses:
wherein the known flaws comprise at least one of: security vulnerabilities (i.e., “security vulnerabilities” – see col.1:42, “determine what security vulnerabilities the libraries have, and provide notifications about the vulnerabilities to a user or developer”); [license flaws; internal policy violations; and external regulations violations.]
  
With respect to claim 14, Dalessio discloses:
wherein the flaws database (i.e., “software vulnerability database 208”) indicates different flaws of different version of a same dependency (see col.3:65- col.4:22 and col.5:45-49, “retrieves version data…can include past and current versions…” Notes: “software vulnerability database 208” – flaws database includes different vulnerabilities/flaws for different versions of a dependency).  

With respect to claim 15, Dalessio discloses:
wherein the list of dependencies is a set of code package dependencies (i.e., col.5, lines 10-13, “The information states can include library dependency lists for application package 202 and application package 204.  Application packages 202 and 204 can include code of the application program, including, for example, binary code, bytecode, script, source code…”).  

With respect to claim 20, Alam further discloses:
 Wherein the at least one criterion comprises a user-defined criterion, the method further comprising: determining, based on the user-defined criterion, whether a determined flaw is to be reported (i.e., Fig.4, steps 402-404, “Retrieve error events” and “Filter error events according to user defined criteria”); and reporting only a subset of the flaws that match the user-defined criterion (i.e., Fig.3, item 302 – “Error Events”, item 304 – “Filtered Error Event”, items 306a-d – “Selected Report Rules” and item 308a-f – “Displayed Report Result”). 
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to further incorporate Alam’s flaws filtering and report feature. One would have been motivated to do so to “generate meaningful test report” (see paragraph [0034], “…generate meaningful test report. The processing of the error events may allow similar errors to be combined together, other issues to be identified, possible corrections identified, and other information reported”).  

Claims 8 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Dalessio and Alam as applied to claims 7 and 16 above, and further in view of Horwood (Keith Horwood, US2018/0034924A1)
With respect to claims 8 and 18, Dalessio discloses:
wherein the deployment platform is a cloud based platform is a FaaS [a Function as a Service (FaaS) platform] upon which the deployed application is deployed (i.e., “PaaS” platform – see col.1, lines 26-28)
Dalessio modified by Alam does not explicitly disclose the cloud based deployment platform including FaaS platform.
However, Horwood further discloses the deployment platform including FaaS platform (i.e., Fig.1, item 100 “FaaS Platform” and paragraph [0011], “The system and method enable sets of functionality to be developed and deployed as a webservice to a FaaS platform”) 
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to incorporate Horwood into Dalessio and Plate to deploy the application on the deployment platform including the FaaS and/or PaaS. One would have been motivated to do so to “increase speed of development and may enable easier experimentation” as suggested by Horwood (i.e., paragraph [0016], “the FaaS platform can act as the standardized library or tool for programmatically interfacing with network enabled-webservices.  This may increase speed of development and may enable easier experimentation with new webservices”).



Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Qureshi et al., (US9,916,233B1) discloses a method of deployment agent to query deployment engine about the software package contents (e.g., software libraries and other dependencies) and current versions of software libraries or other dependencies on the device.
Barfield et al., (US2006/0031827A1) discloses a method to check deployment descriptor of the update to find any dependencies for the update to obtain a required version of the dependency.
Applicant’s arguments with respect to claims rejection have been fully considered but they are not persuasive.  Applicant's amendment necessitated additional clarification and/or the new ground(s) of rejection presented in this Office action.   
Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHENG WEI whose telephone number is (571)270-1059 and Fax number is (571) 270-2059.  The examiner can normally be reached on M-F 9:00AM-5:00PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hyung S. Sough can be reached on 571-272-6799.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Any inquiry of a general nature or relating to the status of this application or proceeding should be directed to the TC 2100 Group receptionist whose telephone number is 571-272-1000.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



	
/Z.W/Examiner, Art Unit 2192
/s. sough/spe, art unit 2192/2194