Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
This office action is in response to communication filed 8/8/2022. Claims 1-17 and 19-20 are currently pending and claim 18 is cancelled. Claims 1, 17, and 19 are the independent claims.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-11, 14-17 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Falko (US PG Pub. 2020/0073781 A1) and Francis et al. (herein called Francis) (US PG Pub. 2017/0262361 A1) in further view of Kakkad et al. (herein called Kakkad) (US PG Pub. 2018/0275989 A1).

As per claim 1, Falko teaches a system comprising: a non-transitory memory; and one or more hardware processors coupled to the non-transitory memory to execute instructions from the non-transitory memory to perform operations comprising: 
providing a repository to a development stage of a development pipeline (fig. 3 items 302 and 304, pars. [0017], [0040], [0042], computing system includes continuous integration continuous deployment (CI/CD) system which performs code builds (development pipeline develops code builds) and version control system which stores versions of code builds (version control system is repository of code build versions) built (developed) by CI/CD system (repository/version control system is provided to development stage of development pipeline).); 
building an image associated with the repository (pars. [0042], CI/CD system performs new code build (build image of new code) and version control system stores versions of code built by CI/CD system (image/code build is associated with/stored in repository/version control system).); 
identifying a list of dependencies and versions of the dependencies used in the building of the image (abstract, pars. [0013], [0018], [0025], [0038], [0042], [0044], [0047], CI/CD system builds code using new code/changed code/software components/etc. and dependency map/fault tree analysis map is generated is generated that includes dependencies/logical relationships between identified/particular/etc. components (list of dependencies and versions of the dependencies used in building the code/image), observed failure rate of identified/particular components and predicted failure rates of changed/particular/identified/etc. components. As the dependency map/fault tree analysis shows the dependencies between software components of the build/image it identifies a list of dependencies used in the build, and as the dependency map/fault tree includes failure rates for particular/identified/changed components the dependency map it identifies versions of dependencies/versions of components/changed components/etc. having dependencies used in the building of the image/code.); 
analyzing a remaining portion of the image for the security vulnerability based on the identified list of dependencies and the versions of the dependencies used in the building of the image (pars. [0018]-[0020], [0024], [0038], dependency map is generated for plurality of components of built code/image that identifies dependencies/logical relationships between components/upstream and downstream components of a first component/etc. and failure rates (the security vulnerability) of components are determined (identified) based on upstream and downstream component operation/dependency between components/etc. (analyze image/code for failure/the security vulnerability based in identified list of dependencies and versions of dependencies used in building of the image/dependency maps of components of built code), and fault tree analysis map is generated that includes the dependency map and observed/determined failure rates of components., and as Francis teaches skipping analyzing portions of the image for vulnerability/failure/etc. that have previously been verified as free of vulnerability/failures/etc., as seen below, it is obvious that a remaining portion of the image that has not been verified as free of vulnerabilities is analyzed for vulnerabilities based on the identified dependencies and versions of dependencies used in building of the image.); and 
providing a report based on the analyzing (pars. [0020], [0022], [0039], [0044], fault tree analysis/ranking of components based on failure probability/etc. (report) is generated and displayed (provided) that includes generated dependency map and determined/observed/predicted failure rates of software components of code (report is based on the analyzing).).
While Falko teaches identifying a list of dependencies and versions of the dependencies used in the building of the image and analyzing the image for vulnerabilities based on the identified list of dependencies, it does not explicitly state, however Francis teaches: 
determining whether one or more portions of the image utilizes dependencies verified as free of a security vulnerability in a prior version of the image (pars. [0004], [0018], [0020]-[0021], [0023], [0025]-[0029], [0036]-[0037], [0046]-[0047], codebase (image) comprises files and lines (portions of the image), multiple versions of codebase/image is stored using version control (prior version of image), changes between versions/codebases/etc. is represented as changelist, portions of codebase/files/lines/etc. (portions of image) is tested using test cases to determine errors/failures/deviation from desired performance/etc. (security vulnerability), test cases/tests/etc. are mapped/determined to correspond to/etc. portions of the image/files/lines/etc. and are assigned a priority based on failure rates of the test cases during previous execution of the tests on their corresponding/portions/lines/files, portions of the image that are not covered by test cases/have not been tested, test cases impacted by changes to portions/lines/files, etc., such that tests with a high failure rate/portions that have failed tests/portions that have not been tested/tests impacted by changes to code/etc. are executed and tests having a low failure rate/correspond to portions that have previously passed tests/etc. are not executed during testing. As a determination to execute testing on portions of codebase/image is made based on a failure rate of the portion/line/file during previous testing such that portions/lines/files that fail previous tests are tested/analyzed and portions that do not fail previous tests/pass previous test are not tested, and as Falko teaches that testing includes testing/analyzing/etc. dependencies of the image/codebase/etc., it is obvious that determining portions of the image that have low failure/previously pass/is not impacted by changes/etc. is determining portions of the image that utilizes dependencies verified as free of security vulnerabilities in a prior version of the image/have previously passed tests/have low failure rate/free of vulnerabilities/etc.);
responsive to identifying at least one portion of the image that utilizes a dependency verified as being free of the security vulnerability, skipping an analysis of the at least one portion of the image and analyzing a remaining portion of the image for the security vulnerability (pars. [0028], [0036]-[0037], [0046]-[0047], [0056], [0059], [0061], test cases correspond to portions/lines/files of codebase/portions of image and are assigned priority based on failure rate such that portions/lines/files that have high failure rates/have security vulnerability are tested/analyzed/etc., and portions/lines/files that have low failure rates/are not on the priority list/have previously passed the tests (identify portion of image free of failures/the security vulnerability) are not tested/analyzed/test cases are skipped over if corresponding portion/line/file has low priority/failure/previously passed/etc. (skip an analysis/test of the portion/line/file of the image/codebase and analyze remaining portion of the image/codebase). And as Falko teaches that testing/analysis includes testing/analyzing dependencies for failure/security vulnerabilities/etc., it is obvious that identifying tests/analysis to skip that correspond to portions having low failure/previously passed tests/etc. while executing test cases/analysis on portions having high failure rate/have not been verified as being free of the vulnerability, is skipping an analysis of the at least one portion of the image and analyzing a remaining portion of the image for the security vulnerability in response identifying at least one portion of the image that utilizes a dependency verified as being free of the security vulnerability.).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to add determining whether one or more portions of the image utilizes dependencies verified as free of a security vulnerability in a prior version of the image; responsive to identifying at least one portion of the image that utilizes a dependency verified as being free of the security vulnerability, skipping an analysis of the at least one portion of the image and analyzing a remaining portion of the image for the security vulnerability, as conceptually taught by Francis, into that of Falko because these modifications allow for an effective and efficient method of testing/analyzing code/image/etc. to verify that the code/image operates as desired/is free of failures/vulnerabilities/etc. in a way that saves time/resources/etc. that would be spent testing portions of the code/image that are already known not to have vulnerabilities/failures/etc., which is desirable as it makes testing more efficient and saves time and resources during testing.
While Falko and Francis teach testing/analyzing/etc. code/application/program/etc. to determine errors/failures/deviation from desired performance/security vulnerability, they do not explicitly state that the error/failure/deviation from desired performance/security vulnerability corresponds to an aspect of the image which may be exploited, and as such do not explicitly state, however Kakkad teaches:
wherein the security vulnerability corresponds to an aspect of the image which may be exploited (pars. [0017], code analysis certifies compliant portions of code and identifies non-compliant portions of code/portions of code associated with security vulnerability/etc. (security vulnerability) corresponding to malicious exploits (security vulnerability corresponds to aspect of code/image which may be exploited/corresponds to malicious exploits). As Falko and Francis teach testing/analyzing/etc. code/image to determine errors/failures/deviations from desired performance/security vulnerability and Kakkad teaches determining portions of code/image associated with security vulnerability corresponding to malicious exploits, it is obvious that the determined/identified/etc. portion of code/image associated with security vulnerability corresponding to malicious exploits may be an deviation from desired performance/error/failure/security vulnerability of the code/image which may be exploited.).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to add wherein the security vulnerability corresponds to an aspect of the image which may be exploited, as conceptually taught by Kakkad, into that of Falko and Francis because these modifications allow for the testing/analyzing/etc. of the code/image to determine aspects of the code/security vulnerability/etc. that may allow the code to be exploited/expose the code to malicious exploits/allow the code to be accessed by non-authorized entities/etc., which is desirable as it helps ensure that entities accessing the code are authorized/permitted/etc. to access the code/image, thereby helping to ensure the security of the code/image and data/information used by the code/image making it more desirable to users. 

As per claim 2, Falko further teaches: wherein the building includes building a first version of an image associated with the repository (pars. [0042], CI/CD performs new code build (build version of image) using code change/change to one or more software components provided by developer/etc. and manages new code build and testing of new code build, and version control/repository stores one or more versions of code built by CI/CD system. As the CI/CD system performs new code builds/builds versions of an image using code changes and the version control system stores one or more versions of code builds of the CI/CD system, the CI/CD system builds multiple versions of the image/builds multiple versions of the code corresponding to multiple changes provided by developer, including a first version of the code/image, which are stored in/associated with the version control system/repository.).

As per claim 3, Falko further teaches: wherein the identifying includes identifying a list of dependencies and versions of the dependencies used in the building of the first version of the image (abstract, pars. [0013], [0018], [0025], [0038], [0042], [0044], [0047], CI/CD system builds code using new code/changed code/software components/etc. and version control stores versions of code in storage (multiple versions of image/code including first version of the image is built) and dependency map/fault tree analysis map is generated is generated that includes dependencies/logical relationships between identified/particular/etc. components (list of dependencies and versions of the dependencies used in building the code/image of first version of image), observed failure rate of identified/particular components and predicted failure rates of changed/particular/identified/etc. components. As the dependency map/fault tree analysis shows the dependencies between software components of the build/image/first version of the image of multiple versions stored in version control/repository, it identifies a list of dependencies used in the build, and as the dependency map/fault tree includes failure rates for particular/identified/changed components the dependency map it identifies versions of dependencies/versions of components/changed components/etc. having dependencies used in the building of the first version of the image/code.).

As per claim 4, Falko further teaches: promoting the first version of the image to a production stage of the development pipeline (pars. [0043], [0053], deployment system deploys (promotes) code that has been tested/new code builds/etc. (first version of the image) to production environment of CICD system (production stage of development pipeline).).

As per claim 5, Falko further teaches: building a second version of the image, wherein one or more dependencies used in the building of the second version of the image differs from the dependencies used in the building of the first version of the image (pars. [0042], CI/CD performs new code build (build version of image/second version of image) using code change/change to one or more software components (changes/differences between dependencies in the code/image) provided by developer/etc. and manages new code build and testing of new code build, and version control/repository stores one or more versions of code built by CI/CD system (store first/second/third/etc. version of code/image built by CI/CD system). As the CI/CD system performs new code builds/builds versions of an image using code changes/changes to components/dependencies and the version control system stores one or more versions of code builds of the CI/CD system, the CI/CD system builds multiple versions of the image/builds multiple versions of the code/etc. that have changes/differences/etc. to components/dependencies between the versions caused by the changes provided by developer, including a second version of the code/second version of the image that is built using code changes to components from a previously built version/first version stored in version control repository/having differences in dependencies used in building a previous version/first version stored in version control/repository/etc. that are provided by developer.).

As per claim 6, Falko further teaches: wherein the analyzing includes analyzing the second version of the image for the security vulnerability based on the list of dependencies and the versions of the dependencies used in the building of the first version of the image (pars. [0018]-[0020], [0024], [0038], dependency map is generated for plurality of components of built code/image (including second version/version built using code changes over previously built version/first version stored in version control/repository) that identifies dependencies/logical relationships between components/upstream and downstream components of a first component/etc. and failure rates (security vulnerability) of components and changed components are determined based on upstream and downstream component operation/dependency between components/etc. (analyze second image/code/code with changed components for failures/the security vulnerability based on list of dependencies and versions of dependencies used in building of the first image/dependency maps of components of built code), and fault tree analysis map is generated that includes the dependency map and observed/determined failure rates of components.).

As per claim 7, Falko further teaches: wherein the development pipeline is a continuous integration/continuous development (CI/CD) pipeline (pars. [0017], [0042], system is continuous integration continuous deployment (CI/CD) system which performs new code builds, manages new code builds and testing of new code builds, provides version control, deploys code, etc. (continuous integration/continuous development pipeline).).

As per claim 8, Falko further teaches: wherein the list of dependencies and version of dependencies used in the building of the image is not obtained from a manifest lock file (abstract, pars. [0013], [0018], [0025], [0038], [0042], [0044], [0047], CI/CD system builds code using new code/changed code/software components/etc. and dependency map/fault tree analysis map is generated is generated that includes dependencies/logical relationships between identified/particular/etc. components (list of dependencies and versions of the dependencies used in building the code/image), and dependency map may be generated from trace data from tracing operation. As the dependency map/list of dependencies and version of dependencies used in building of the image/code may be obtained from trace data, it is not obtained from a manifest lock file.).

As per claim 9, Falko further teaches: wherein the building of the second version of the image is triggered by the development pipeline (pars. [0042], CI/CD system (development pipeline) performs new code build (development pipeline/CICD system triggers building of version of image/second version of image) using code change/change to one or more software components (changes/differences between dependencies in the code/image) provided by developer/etc. and manages new code build and testing of new code build, and version control/repository stores one or more versions of code built by CI/CD system (store first/second/third/etc. version of code/image built by CI/CD system). As the CI/CD system/development pipeline performs/triggers new code builds/builds of versions of an image using code changes/changes to components/dependencies and the version control system stores one or more versions of code builds of the CI/CD system, the CI/CD system builds/development pipeline triggers builds of multiple versions of the image/builds multiple versions of the code/etc., including triggering build of a second version of the code/second version of the image that is built using code changes to components from a previously built version/first version stored in version control repository.).

As per claim 10, Falko further teaches: wherein the trigger includes detecting a change in the list of dependencies and the versions of the dependencies used in the building of the first version of the image (pars. [0042], CI/CD system/development performs new code build/triggers build of second version of code using code change/change to one or more software components/etc. provided by a developer (detect a change in list of dependencies and versions of dependencies/detect change in software components used in building first version of the image/code).

As per claim 11, Falko further teaches: wherein control is exerted over a number of privileges to promote the first version of the image to the production stage (pars. [0043], [0053], deployment system deploys (promotes) code that has been tested/new code builds/etc. (first version of the image) to production environment/database system/etc. of CICD system (production stage of development pipeline), and production environments/database system hosts multiple instances storing dependency maps, software components, code changes, new builds, rollbacks, etc., where each instance is only accessible to users associated with particular tenant (control number of privileges/accessibility of instances/etc. such that each instance on production environment is only accessible to users associated with particular tenant).).

As per claim 14, Falko further teaches: wherein the analyzing includes comparing data associated with one or more dependencies in the list of dependencies against data associated with corresponding dependencies in a data structure that includes vulnerability data (pars. [0013], [0020], [0024], dependency map/fault analysis tree is generated that shows dependencies/interactions/etc. between components along with the failure rates/vulnerabilities for each component, and components are ranked based on their failure rates/vulnerabilities (compare failure rate/vulnerabilities of components (data associated with one or more dependencies in the list of dependencies/dependency map) against failure rates/vulnerabilities of other components in the dependency graph/fault analysis tree of the code (data associated with corresponding dependencies in data structure/dependency map/fault analysis tree that includes vulnerability data/failure rates of components) to determine rankings of components based on their failure rates/vulnerabilities.).).

As per claim 15, Falko further teaches: wherein the second version of the image differs from the first version of the image in ways other than the dependencies used to build the second version of the image and the first version of the image (pars. [0016], changes to software components are made (second version of image/code differs from first version of image/code in dependencies) and determination is made as to whether changes/changed components/changes in dependencies/etc. improve reliability, operability, functionality, performance, etc. of computing system, have different failure rate than component that is changed, components have become redundant, etc. (second version of image/code differs in ways other than the dependencies/components/etc. used to build second and first version of image).).

As per claim 16, Falko further teaches: building a third version of the image when the report is positive, wherein the third version of the image uses the code in a second version of the image and at least the dependencies used to build the first version of the image (pars. [0016]-[0021], dependency map/fault analysis tree is generated for code/image that shows dependency/logical relationships between components (dependencies used to build first version of image/code) and observed failure rates/vulnerabilities, and when failure rate exceeds a threshold (report is positive/vulnerabilities are present/failures occur/etc.) system may change/receive a change to components (build third version of image/code using code in second version of image/changes to components/etc.) and predict failure rate of changed components of code/image based on upstream components and downstream components of the changed component/dependencies used to build first version of image/code. As the predicted failure rate of the changed components/code in the second version is determined using the upstream and downstream components/dependencies present/determined in the generated dependency map of the first version, a third version is built that uses the changed components/code in second version and the dependencies used to build the first version/replaces components in first version with changed components/code in second version of components while maintaining component dependencies from first version.).

As per claims 17 and 19, they recite and a method and a non-transitory machine-readable medium, respectively, having similar limitations to the system of claim 1 and are therefore rejected for the same reasoning as claim 1, above.

As per claim 20, Falko further teaches wherein the list of dependencies and versions of the dependencies are identified from a build command and not from a manifest lock file (pars. [0042], CI/CD system performs new code build (build command to build version of code) using code change/change to one or more software components provided by developer/etc. (pipeline/CICD system identifies list of dependencies and versions of dependencies from build command/performing build using new/changed/etc. components provided by developer/list of dependencies and versions of the dependencies are identified by pipelineCI/CD system/etc. from a build command). As the CI/CD system/pipeline performs build of version using versions of components/dependencies provided by developer, the pipeline/CI/CD system identifies the list of dependencies and versions of the dependencies from a build command to perform the build using components provided by developer, and not from a manifest lock file.).

Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Falko (US PG Pub. 2020/0073781 A1), Francis et al. (herein called Francis) (US PG Pub. 2017/0262361 A1), and Kakkad et al. (herein called Kakkad) (US PG Pub. 2018/0275989 A1), in further view of Anderson et al. (herein called Anderson) (US Patent 8,677,315 B1).

As per claim 12, Falko does not explicitly state, however Anderson teaches: wherein a fewer number of the privileges to promote the image to the production stage exist than a number of privileges to commit the image to a build stage of the development pipeline (col. 3 lines 24-35, col. 5 lines 30-65, col. 6 lines 1-16, col. 10 lines 45-col. 11 line 65, developers/multiple developers develop/modify/etc. code and submit/check in/commit/etc. code to continuous deployment system which automatically builds code and performs testing on built code (multiple developers have permission/privilege to commit image/code to build stage of development pipeline/submit code to continuous deployment system to be built/etc.), and approval from a manager/administrator/project leader/etc. may be required to promote to next stage/promote to production/deployment environments/etc. (as a manager/administrator/etc. may be required to approve promotion to production/deployment/etc. stage of continuous deployment system while all developers may submit code to system to be built and test, it is obvious that fewer users (manager/administrator/etc. vs multiple/plural/etc. developers) have a privilege/authority/etc. to promote the image/code to the production stage than have privilege/authority to commit the code/image to a build stage of the development pipeline/system.).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to add wherein a fewer number of the privileges to promote the image to the production stage exist than a number of privileges to commit the image to a build stage of the development pipeline, as conceptually taught by Anderson, into that of Falko, Francis, and Kakkad because these modifications allow for a manager/administrator/project leader/etc. to approve the version of the code/image that is being produced/deployed/promoted to the next stage/etc., which is desirable as it helps prevent multiple versions of the code/image of a software project from being promoted to production/deployment/etc. by the multiple developers working on a software project, thereby helping to prevent confusion as to which version is a desired version to be made available to potential users and helps to ensure that a single desired version of the software/code is approved and all members of the project are aware of the direction the software project is headed by giving managers/administrators/project leaders say on which version is chosen for promotion to the next stage/promoted to production/etc.

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Falko (US PG Pub. 2020/0073781 A1), Francis et al. (herein called Francis) (US PG Pub. 2017/0262361 A1), and Kakkad et al. (herein called Kakkad) (US PG Pub. 2018/0275989 A1) in further view of Haeuptle et al. (herein called Haeuptle) (US PG Pub. 2016/0147642 A1).

As per claim 13, while Falko teaches that code components have dependencies, and performing testing on code, Falko does not explicitly state, however Haeuptle teaches: wherein the dependencies include direct and transitive dependencies (pars. [0027]-[0030], [0044], portions of code/code artifacts/components/etc. are tested and portions/artifacts/etc. have direct and indirect/transitive dependencies on other code portions/artifacts/etc. which are found and tested.).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to add wherein the dependencies include direct and transitive dependencies, as conceptually taught by Haeuptle, into that of Falko because these modifications allow for testing to be performed on code portions/components/artifacts/etc. that have dependencies/relationships/etc. with each other, which is desirable as it helps ensure that when code components/portions/etc. is tested/analyzed/etc. dependencies/relationships with other code components/portions/etc. are accounted for thereby helping to ensure that testing/analysis fully evaluates code components/portions/etc. and provides an accurate assessment as to whether code performs correctly/as desired/has failures/vulnerabilities/etc..

Response to Arguments
Applicant’s arguments with respect to claim(s) 1-17 and 19-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
As per the arguments on pg. 6 par. 3-pg. 8 par. 2 of the remarks that Falko (US PG Pub. 2020/0073781 A1) and Francis et al. (herein called Francis) (US PG Pub. 2017/0262361 A1) do not teach all limitations of the amended independent claims and none of the other references cited correct the deficiencies of Falko and Francis, and therefore the amended independent claims and their respective dependent claims are allowable, the the examiner would like to point out that the new references Kakkad et al. (herein called Kakkad) (US PG Pub. 2018/0275989 A1) is currently relied upon to correct the deficiencies of Falko and Francis and therefore the arguments are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Therefore the examiner finds these arguments unpersuasive and maintains that the rejection under 35 USC 103 is proper. 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DOUGLAS M SLACHTA whose telephone number is (571)270-0653. The examiner can normally be reached Monday-Friday 6:30am-4pm.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Chat Do can be reached on 571-272-3721. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.








Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/DOUGLAS M SLACHTA/Examiner, Art Unit 2193