DETAILED ACTION
This office action is in response to communication filed 4/15/2020.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 06/18/2020 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiners.
The information disclosure statement (IDS) submitted on 11/15/2021 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiners.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1-10 is/are rejected under 35 U.S.C. 102(a)(2) as being anticipated by DORRANS et al (US 20200074084A1).
Regarding claim 1, DORRANS et al teach a computer-implemented method for enforcing rules governing software in an enterprise, 4comprising, on a governance asset, executing a governance engine configured to: sreceive at least one rule specifying at least one trigger and at least one output (see Paragraph [0090], where the vulnerability detection and notification provider is configured to obtain a vulnerable components list which include a list of vulnerable component descriptions. See Paragraph [0009], where the trigger can be checking for vulnerability);  6receive a set of detected changes in dependencies in an enterprise from a delta agent based on an 7examination of subsequent dependency graphs (see Paragraph[296] and FIG. 6 where applying updates in dependencies);  8examine the set of detected changes for changes that implicate a trigger of a rule (see Paragraph [296], where checking dependencies for vulnerability detection after applying updates in dependencies); and  9if a trigger is implicated by a change, execute the one or more outputs associated with the ioimplicated trigger (see Paragraph [0029], where notification after detecting vulnerability y detected can be output).
Regarding claim 2, DORRANS et al teach the method of enforcing rules governing software in an enterprise as claim 1, wherein the governance engine is further configured to:  12receive a set of potential vulnerabilities;  13compare any new dependencies contained in the set of detected changes for nodes identified in 14the set of potential vulnerabilities (see Paragraph [0024], where checking for dependencies which have security vulnerabilities with the runtime itself); and  isgenerate an output identifying any positive results of such comparison (see Paragraph [0029], where detecting vulnerable components and providing access to superseding version whose functionality is corrected or enhanced).
Regarding claim 3, DORRANS et al teach the method of enforcing rules governing software in an enterprise as claim 1, wherein the governance engine is further configured to:  17receive a set of restricted open source software nodes (see Paragraph [0304], where A link to the vulnerability details from open source such as GitHub issue);  18compare any new dependencies contained in the set of detected changes for nodes identified in 19the set of restricted open source software nodes (see Paragraph [0024], where checking for dependencies which have security vulnerabilities with the runtime itself); and  20generate an output identifying any positive results of such comparison (see Paragraph [0029], where detecting vulnerable components and providing access to superseding version whose functionality is corrected or enhanced).
Regarding claim 4, DORRANS et al teach the method of enforcing rules governing software in an enterprise as claim 1, wherein at least one rule includes more than one output and both 22outputs are executed if a trigger of that rule is implicated (see Paragraph [0029], where notification provider with detection vulnerability can be outputs).
Regarding claim 5, DORRANS et al teach the method of enforcing rules governing software in an enterprise as claim 1, wherein at least one rule specifies more than one trigger and an output 24of that at least one rule is executed if at least one of said triggers is executed (see Paragraph [0029], notification provider with detection vulnerability can be outputs).
Regarding claim 6, DORRANS et al teach the method of enforcing rules governing software in an enterprise as claim 1, wherein at least one rule specifies more than one trigger and an output 26 of that at least one rule is executed only if all of said triggers is executed (see Paragraph [0029], notification provider with detection vulnerability can be outputs).
Regarding claim 7, DORRANS et al teach the method of enforcing rules governing software in an enterprise as claim 1, wherein a trigger of at least one rule identifies a node in a hierarchy 2with at least one node that is a child of said node, said trigger being configured such that the 3trigger is implicated if a change is detected in said node or any child of said node (see Paragraph [0025] and [0296], where dependency graph implemented as a dependency tree which considered as hierarchy node).
Regarding claim 8, DORRANS et al teach the method of enforcing rules governing software in an enterprise as claim 1, wherein the governance engine is further configured to receive a set of sat least one rule from a source outside the enterprise (see Paragraph [0304], where a link to the vulnerability details from outside source such as GitHub issue).
Regarding claim 9, DORRANS et al teach the method of enforcing rules governing software in an enterprise as claim 1, wherein a trigger of a rule specifies a type of change necessary for an 7associated output to be executed (see Paragraph [0004] and Paragraph [0090], where notification wit detecting vulnerability detected can be outputs and the vulnerability detection and notification provider is configured to obtain vulnerable components list which includes a list of vulnerable component descriptions).
Regarding claim 10, DORRANS et al teach a computer-implemented method for enforcing rules governing software in an enterprise, 9comprising, ioexecuting a delta agent configured to:  11receive dependency graphs from a synthesis agent, 12compare subsequent dependency graphs to identify any dependency changes in the 13enterprise, and  14output a set of detected changes to a governance engine (see Paragraph [0029] and [0296], where checking dependencies for vulnerability detection after applying updates in dependencies); and  isexecuting a governance engine configured to: 16receive at least one rule specifying at least one trigger and at least one output, 17receive a set of detected changes in dependencies in an enterprise from a delta agent 18based on an examination of subsequent dependency graphs (see Paragraph [0090], where the vulnerability detection and notification provider is configured to obtain a vulnerable components list which include a list of vulnerable component descriptions. See Paragraph [0009], where the trigger can be checking for vulnerability), 19examine the set of detected changes for changes that implicate a trigger of a rule (see Paragraph [296] and FIG. 6 where applying updates in dependencies), and  20if a trigger is implicated by a change, execute the one or more outputs associated with the 21 implicated trigger (see Paragraph [0029], where notification after detecting vulnerability y detected can be output).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Wang et al (US 10333820 B1) disclose systems and method are described for identifying, tracking, and customizing dependencies between components of a computing environments.
De Jong et al (US 20210240462) disclose system that endanger associated LoT infrastructure and/or those dependent upon their use.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DAVID HYUNGYU KIM whose telephone number is (571)272-0460. The examiner can normally be reached Monday - Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip Chea can be reached on (571)-273-8300. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/DAVID HYUNGYU KIM/Examiner, Art Unit 2499                                                                                                                                                                                                        /PHILIP J CHEA/Supervisory Patent Examiner, Art Unit 2499