Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 10/06/2020 is in compliance with the
provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the
examiner.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1, 3-9 is/are rejected under 35 U.S.C. 103 as being unpatentable over Tsai et al (US 20200349259 A1) in view of Sundararam (US 20130007701 A1).
Regarding claim 1, Tsai et al teach a system for tokenizing software code security vulnerabilities and remediating matching vulnerabilities in application code, the system comprising: one or more processors; memory in communication with the one or more processors and storing instructions that, when executed by the one or more processors, cause the system to: receive initial vulnerability listings responsive to submissions of one or more initial code packages to one or more software security analysis tools (see Paragraph [0070], where find vulnerability from source code using SAST); 
receive subsequent vulnerability listings responsive to actual or potential remediations of the one or more initial code packages by the one or more software security analysis tools (see Paragraph [0075], where address any potential hard-code security vulnerability and code change recommendation after SAST finding (security analysis tools)); 
generate differential listings comprising vulnerability remediation updates to the one or more initial code packages by the one or more software security analysis tools (see Paragraph [0075], where identify code under examination and SAST finding visualization, a proposed code change recommendation so that the develop can take further action to address any potential security vulnerability that may arise); 
generate one or more generalized remediation tokens for each of the vulnerability remediation updates identified in the differential listings (see Paragraph [0073], where tokens and relation are then processed by a rule engine providing a different analytical focus);
receive an application code package (see Paragraph [0072], where receive the source code);
Tsai et al do not teach locate one or more fields of the application code package that include a vulnerability defined by one or more of the generalized remediation tokens and automatedly remediate, using the one or more fields, the vulnerability in the application code package.
However, in analogous art, Sundararam teach same field of code remediation. Sundararam teach locate one or more fields of the application code package that include a vulnerability defined by one or more of the generalized remediation tokens (see Paragraph [0076], where impact point represents as an indication of code location and further details (e.g. associated token that matched a token search pattern)); and automatedly remediate, using the one or more fields, the vulnerability in the application code package (see Paragraph [00096] and FIG. 7, where code remediation with tokens).
It would have been obvious to one of ordinary skills in arty before the effective filling data of the
claimed invention to modify the system of Tsai et al to incorporate the teaching of Sundararam
using code remediation with tokens.
Motivation as recognized by one of ordinary skill in the art, to do so would user interface for selecting impact points for remediation by receiving remediated tokens (see Paragraph [0169-0171]).
Regarding claim 3, modified Tsai et al in view of Sundararam teach the system for tokenizing software code security vulnerabilities and remediation matching vulnerability in application as claim 1.
Tsai et al do not teach wherein each of the vulnerability remediation updates identify one or more of: an associated library, a library method, a line, an initial value, and a subsequent changed value.
However, in analogous art, Sundararam teach same field of code remediation. Sundararam teach wherein each of the vulnerability remediation updates identify one or more of: an associated library, a library method, a line, an initial value, and a subsequent changed value (see Paragraph [0055], here generation include outputting lines of remediated source code in an appropriate).
It would have been obvious to one of ordinary skills in arty before the effective filling data of the
claimed invention to modify the system of Tsai et al to incorporate the teaching of Sundararam
using library, a library method, a line, an initial value, and a subsequent changed value.
Motivation as recognized by one of ordinary skill in the art, to do so would location information include line number, source code type and a source code can be showed (see Paragraph [0171]).
Regarding claim 4, modified Tsai et al in view of Sundararam teach the system for tokenizing software code security vulnerabilities and remediation matching vulnerability in application as claim 1.
Tsai et al do not teach wherein at least one of the fields of the application code package are remediated by replacement using the subsequent changed value of at least one of the vulnerability remediation updates associated with a corresponding generalized remediation token.
However, in analogous art, Sundararam teach same field of code remediation. Sundararam teach wherein at least one of the fields of the application code package are remediated by replacement using the subsequent changed value of at least one of the vulnerability remediation updates associated with a corresponding generalized remediation token (see Paragraph [0096] and FIG. 7, code remediation based on token and tokens include location information, line number, column and transaction set information).
It would have been obvious to one of ordinary skills in arty before the effective filling data of the
claimed invention to modify the system of Tsai et al to incorporate the teaching of Sundararam
using code remediation with tokens.
Motivation as recognized by one of ordinary skill in the art, to do so would user interface for selecting impact points for remediation by receiving remediated tokens (see Paragraph [0169-0171]).
Regarding claim 5, modified Tsai et al in view of Sundararam teach the system for tokenizing software code security vulnerabilities and remediation matching vulnerability in application as claim 1, Tsai et al teach wherein the instructions further cause the one or more processors to apply a weight each field of the differential listings according to one or more of: a type of a vulnerability threat; and a severity of the vulnerability threat (see Paragraph [0074], where a scoring example is provided below, by applying different scores to each rule (or rule type) in the rule sets, the analyzer can enforce any type of weighting scheme. Moreover, the respective result sets from the separate engines may be consolidated as an intersection).
Regarding claim 6, modified Tsai et al in view of Sundararam teach the system for tokenizing software code security vulnerabilities and remediation matching vulnerability in application as claim 1, Tsai et el teach wherein the instructions further cause the one or more processors to: determine similarities among the generalized remediation tokens; pool similar generalized remediation tokens; and store the pooled similar generalized remediation tokens in a repository (see Paragraph [0073], where tokens are relation are then processed by a rule engine providing a different analytical focus).
Regarding claim 7, modified Tsai et al in view of Sundararam teach the system for tokenizing software code security vulnerabilities and remediation matching vulnerability in application as claim 6.
Tsai et al do not teach wherein the generalized remediation tokens are pooled according to remediated and unchanged action associated with the vulnerability remediation updates.
However, in analogous art, Sundararam teach same field of code remediation. Sundararam teach the generalized remediation tokens are pooled according to remediated and unchanged action associated with the vulnerability remediation updates (see Paragraph [0096] and FIG. 7, where code remediation based on token).
It would have been obvious to one of ordinary skills in arty before the effective filling data of the
claimed invention to modify the system of Tsai et al to incorporate the teaching of Sundararam
using code remediation with tokens.
Motivation as recognized by one of ordinary skill in the art, to do so would user interface for selecting impact points for remediation by receiving remediated tokens (see Paragraph [0169-0171]).
Regarding claim 8, modified Tsai et al in view of Sundararam teach the system for tokenizing software code security vulnerabilities and remediation matching vulnerability in application as claim 1, Tsai et al teach wherein the one or more software security analysis tools belong to at least one of: Static Application Security Testing (SAST); Open Source Analysis (OSA); Dynamic Application Security Testing (DAST); and Interactive Application Security Testing (IAST) (see Paragraph [0070], where security analysis tools belong to SAST software).
Regarding claim 9, modified Tsai et al in view of Sundararam teach the system for tokenizing software code security vulnerabilities and remediation matching vulnerability in application as claim 1, Tsai et al teach wherein the instructions further cause the one or more processors to determine and output an overall risk score for the application code by computing a weighted average of each field of the application code associated with the one or more generalized remediation tokens according to one or more of a vulnerability threat type and a vulnerability threat severity (see Paragraph [0074], where a scoring example is provided below. By applying different scores to each rule (or rule type) in the rule sets, the analyzer can enforce any type of weighting scheme. Moreover, the respective result sets from the separate engines may be consolidated as an intersection).
Claim(s) 2, 10-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Tsai et al in view of Sundararam and further view of Maduo et al (US 20170187743 A1).
Regarding claim 2, modified Tsai et al in view of Sundararam teach the system for tokenizing software code security vulnerabilities and remediation matching vulnerability in application as claim 1. 
Tsai et al and Sundararam do not teach wherein the instructions further cause the one or more processors to output for review by a user, a menu of one or more options for remediation of the of the one or more fields of the application code package, and remediate the one or more fields of the application code package automatically according to a selected option.
However, Madou et al teach same field of vulnerability of code based on security analysis. Madou et al teach wherein the instructions further cause the one or more processors to output for review by a user, a menu of one or more options for remediation of the of the one or more fields of the application code package, and remediate the one or more fields of the application code package automatically according to a selected option (see Paragraph [0027], where interface engine present vulnerability solution recommendation and to receive selection input for the one vulnerability solution recommendation).
It would have been obvious to one of ordinary skills in arty before the effective filling data of the
claimed invention to modify the system of Tsai et al to incorporate the teaching of Sundararam and further view of Madou et al using interface engine for selecting input for vulnerability solution recommendation.
Motivation as recognized by one of ordinary skill in the art, to do so would information associated with the possible vulnerability from statically analyzing code of the application can be detected see Paragraph [0029]. 
Regarding claim 10, Tsai et al teach A method for automated remediation of application code using tokenized software code security vulnerabilities, the method comprising: receiving an application code package (see Paragraph [0072], where receiving the source code);
	Tsai et al do not teach identifying one or more fields of the application code package that correspond to a 23 of 2742396895Attorney Docket No. COF0146 (029424.2506)generalized remediation token.
	However, in analogous art, Sundararam teach same field of code remediation. Sundararam teach identifying one or more fields of the application code package that correspond to a 23 of 2742396895Attorney Docket No. COF0146 (029424.2506)generalized remediation token (see Paragraph [0096] and FIG. 7, code remediation based on token and tokens include location information, line number, column and transaction set information).
It would have been obvious to one of ordinary skills in arty before the effective filling data of the
claimed invention to modify the system of Tsai et al to incorporate the teaching of Sundararam
using code remediation with tokens.
Motivation as recognized by one of ordinary skill in the art, to do so would user interface for selecting impact points for remediation by receiving remediated tokens (see Paragraph [0169-0171]).
Tsai et al and Sundararam do not teach outputting for review by a user, one or more options for remediation of the of the one or more fields of the application code package; and responsive to a selection of the one or more options, automatically applying remediation of the one or more fields of the application code package using the generalized remediation token according to a selected option.
However, Madou et al teach same field of vulnerability of code based on security analysis. Madou et al teach outputting for review by a user, one or more options for remediation of the of the one or more fields of the application code package (see Paragraph [0028-0030], where interface engine present vulnerability solution recommendation and to receive selection input for the one vulnerability solution recommendation);
 and responsive to a selection of the one or more options, automatically applying remediation of the one or more fields of the application code package using the generalized remediation token according to a selected option (see Paragraph [0028-0030], where receiving selection input for the one vulnerability solution recommendation. The vulnerability solution recommendations can further include one or more approach to fixing or mitigation the potential vulnerability).
It would have been obvious to one of ordinary skills in arty before the effective filling data of the
claimed invention to modify the system of Tsai et al to incorporate the teaching of Sundararam and further view of Madou et al using interface engine for selecting input for vulnerability solution recommendation.
Motivation as recognized by one of ordinary skill in the art, to do so would information associated with the possible vulnerability from statically analyzing code of the application can be detected see Paragraph [0029]. 
Regarding claim 11, modified Tsai et al in view of Sundararam and further view of Madou et al teach a method for automated remediation of application code using tokenized software code security vulnerabilities as claim 10, Tsai et al teach wherein identifying the one or more fields of the application code package that correspond to a generalized remediation token comprises: locating one or more fields of the application code package that include a security vulnerability defined by one or more generalized remediation tokens, wherein the one or more generalized remediation tokens are determined by: receiving initial vulnerability listings responsive to submissions of one or more initial code packages to one or more software security analysis tools (see Paragraph [0070], where find vulnerability from source code using SAST);
receiving subsequent vulnerability listings responsive to actual or potential remediations of the one or more initial code packages by the one or more software security analysis tools (see Paragraph [0075], where address any potential hard-code security vulnerability and code change recommendation after SAST finding (security analysis tools));
generating one or more differential listings comprising vulnerability remediation updates to the one or more initial code packages by the one or more software security analysis tools; and generating a generalized remediation token for each of the vulnerability remediation updates identified in the differential listings tools (see Paragraph [0075], where identify code under examination and SAST finding visualization, a proposed code change recommendation so that the develop can take further action to address any potential security vulnerability that may arise).
Regarding claim 12, modified Tsai et al in view of Sundararam and further view of Madou et al teach a method for automated remediation of application code using tokenized software code security vulnerabilities as claim 11.
Tsai et al do not teach wherein each of the vulnerability remediation updates identify one or more of: an associated library, a library method, a line, an initial value, and a subsequent changed value.
However, in analogous art, Sundararam teach same field of code remediation. Sundararam teach wherein each of the vulnerability remediation updates identify one or more of: an associated library, a library method, a line, an initial value, and a subsequent changed value (see Paragraph [0055], here generation include outputting lines of remediated source code in an appropriate).
It would have been obvious to one of ordinary skills in arty before the effective filling data of the
claimed invention to modify the system of Tsai et al to incorporate the teaching of Sundararam
using library, a library method, a line, an initial value, and a subsequent changed value.
Motivation as recognized by one of ordinary skill in the art, to do so would location information include line number, source code type and a source code can be showed (see Paragraph [0171]).
Regarding claim 13, modified Tsai et al in view of Sundararam and further view of Madou et al teach a method for automated remediation of application code using tokenized software code security vulnerabilities as claim 12.
Tsai et al do not teach wherein at least one of the fields of the application code package are remediated by replacement using the subsequent changed value of the remediation update associated with the one or more generalized remediation tokens.
However, in analogous art, Sundararam teach same field of code remediation. Sundararam teach wherein at least one of the fields of the application code package are remediated by replacement using the subsequent changed value of at least one of the vulnerability remediation updates associated with a corresponding generalized remediation token (see Paragraph [0096] and FIG. 7, code remediation based on token and tokens include location information, line number, column and transaction set information).
It would have been obvious to one of ordinary skills in arty before the effective filling data of the
claimed invention to modify the system of Tsai et al to incorporate the teaching of Sundararam
using code remediation with tokens.
Motivation as recognized by one of ordinary skill in the art, to do so would user interface for selecting impact points for remediation by receiving remediated tokens (see Paragraph [0169-0171]).
Regarding claim 14, modified Tsai et al in view of Sundararam and further view of Madou et al teach a method for automated remediation of application code using tokenized software code security vulnerabilities as claim 11, Tsai et al teach further comprising applying a weight to each field of the differential listings according to one or more of: a type of a vulnerability threat; and a severity of the vulnerability threat (see Paragraph [0074], where a scoring example is provided below, by applying different scores to each rule (or rule type) in the rule sets, the analyzer can enforce any type of weighting scheme. Moreover, the respective result sets from the separate engines may be consolidated as an intersection).
Regarding claim 15, modified Tsai et al in view of Sundararam and further view of Madou et al teach a method for automated remediation of application code using tokenized software code security vulnerabilities as claim 11, Tsai et al teach further comprising: determining similarities among the one or more generalized remediation tokens; pooling similar generalized remediation tokens; and storing the similar generalized remediation tokens in a repository (see Paragraph [0073], where tokens and relation are then processed by rule engine providing a different analytical focus).
Regarding claim 16, modified Tsai et al in view of Sundararam and further view of Madou et al teach a method for automated remediation of application code using tokenized software code security vulnerabilities as claim 11.
Tsai et al do not teach wherein the generalized remediation tokens are pooled according to remediated and unchanged action associated with the vulnerability remediation updates.
However, in analogous art, Sundararam teach same field of code remediation. Sundararam teach the generalized remediation tokens are pooled according to remediated and unchanged action associated with the vulnerability remediation updates (see Paragraph [0096] and FIG. 7, where code remediation based on token).
It would have been obvious to one of ordinary skills in arty before the effective filling data of the
claimed invention to modify the system of Tsai et al to incorporate the teaching of Sundararam
using code remediation with tokens
Motivation as recognized by one of ordinary skill in the art, to do so would user interface for selecting impact points for remediation by receiving remediated tokens (see Paragraph [0169-0171]).
Regarding claim 17, modified Tsai et al in view of Sundararam and further view of Madou et al teach a method for automated remediation of application code using tokenized software code security vulnerabilities as claim 11, Tsai et al teach wherein the one or more software security analysis tools belong to at least one of: Static Application Security Testing (SAST); Open Source Analysis (OSA); Dynamic Application Security Testing (DAST); and Interactive Application Security Testing (IAST) (see Paragraph [0070], where security analysis tools belong to SAST software).
Regarding claim 18, Tsai et al teach a non-transitory computer readable storage medium storing instructions that are configured to cause one or more processors to: receive initial vulnerability listings responsive to submissions of one or more initial code packages to one or more software security analysis tools (see Paragraph [0070], where find vulnerability from source code using SAST); 
receive subsequent vulnerability listings responsive to actual or potential remediations of the one or more initial code packages by the one or more software security analysis tools (see Paragraph [0075], where address any potential hard-code security vulnerability and code change recommendation after SAST finding (security analysis tools));
generate differential listings comprising vulnerability remediation updates to the one or more initial code packages by the one or more software security analysis tools (see Paragraph [0075], where identify code under examination and SAST finding visualization, a proposed code change recommendation so that the develop can take further action to address any potential security vulnerability that may arise); 
generate a generalized remediation token for each of the vulnerability remediation updates identified in the differential listings (see Paragraph [0073], where tokens and relation are then processed by a rule engine providing a different analytical focus); 
receive an application code package (see Paragraph [0072], where receive the source code);
 Tsai et al do not teach locate one or more fields of the application code package that include a security vulnerability defined by one or more of the generalized remediation tokens.
However, in analogous art, Sundararam teach same field of code remediation. Sundararam teach locate one or more fields of the application code package that include a security vulnerability defined by one or more of the generalized remediation tokens (see Paragraph [0076], where impact point represents as an indication of code location and further details (e.g. associated token that matched a token search pattern)); 
It would have been obvious to one of ordinary skills in arty before the effective filling data of the
claimed invention to modify the system of Tsai et al to incorporate the teaching of Sundararam
using code remediation with tokens.
Motivation as recognized by one of ordinary skill in the art, to do so would user interface for selecting impact points for remediation by receiving remediated tokens (see Paragraph [0169-0171]).
Tsai et al and Sundararam do not teach output for review by a user, a menu of one or more options for remediation of the of the one or more fields of the application code package; and25 of 27 42396895Attorney Docket No. COF0146 (029424.2506)remediate the one or more fields of the application code package automatically according to a selected option using remediation updates associated with the one or more generalized remediation tokens.
However, Madou et al teach same field of vulnerability of code based on security analysis. Madou et al teach output for review by a user, a menu of one or more options for remediation of the of the one or more fields of the application code package (see Paragraph [0027], where interface engine present vulnerability solution recommendation and to receive selection input for the one vulnerability solution recommendation); 
and25 of 27 42396895Attorney Docket No. COF0146 (029424.2506)remediate the one or more fields of the application code package automatically according to a selected option using remediation updates associated with the one or more generalized remediation tokens (see Paragraph [0028-0030], where receiving selection input for the one vulnerability solution recommendation. The vulnerability solution recommendations can further include one or more approach to fixing or mitigation the potential vulnerability).
It would have been obvious to one of ordinary skills in arty before the effective filling data of the
claimed invention to modify the system of Tsai et al to incorporate the teaching of Sundararam and further view of Madou et al using interface engine for selecting input for vulnerability solution recommendation.
Motivation as recognized by one of ordinary skill in the art, to do so would information associated with the possible vulnerability from statically analyzing code of the application can be detected see Paragraph [0029]. 
Regarding claim 19, modified Tsai et al in view of Sundararam and further view of Madou et al teach the non-transitory computer readable storage medium of storing instructions remediation of application code using tokenized software code security vulnerabilities as claim 18.
Tsai et al do not teach wherein each of the vulnerability remediation updates identify one or more of: an associated library, a library method, a line, an initial value, and a subsequent changed value.
However, in analogous art, Sundararam teach same field of code remediation. Sundararam teach wherein each of the vulnerability remediation updates identify one or more of: an associated library, a library method, a line, an initial value, and a subsequent changed value (see Paragraph [0055], here generation include outputting lines of remediated source code in an appropriate).
It would have been obvious to one of ordinary skills in arty before the effective filling data of the
claimed invention to modify the system of Tsai et al to incorporate the teaching of Sundararam
using library, a library method, a line, an initial value, and a subsequent changed value.
Motivation as recognized by one of ordinary skill in the art, to do so would location information include line number, source code type and a source code can be showed (see Paragraph [0171]).
Regarding claim 20, modified Tsai et al in view of Sundararam and further view of Madou et al teach the non-transitory computer readable storage medium of storing instructions remediation of application code using tokenized software code security vulnerabilities as claim 19.
Tsai et al do not teach wherein the instructions are further configured to cause the one or more processors to replace at least one of the fields of the application code package with the subsequent changed value of the remediation update associated with a corresponding generalized remediation token.
However, in analogous art, Sundararam teach same field of code remediation. Sundararam teach the instructions are further configured to cause the one or more processors to replace at least one of the fields of the application code package with the subsequent changed value of the remediation update associated with a corresponding generalized remediation token (see Paragraph [0076], [0096] and FIG. 7, where impact point represent as an indication of code location and further details (e.g. associated token that matched a token search pattern) and code remediation based on token).
It would have been obvious to one of ordinary skills in arty before the effective filling data of the
claimed invention to modify the system of Tsai et al to incorporate the teaching of Sundararam
using library, a library method, a line, an initial value, and a subsequent changed value.
Motivation as recognized by one of ordinary skill in the art, to do so would location information include line number, source code type and a source code can be showed (see Paragraph [0171]).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Greene et al (US 20120042383 A1) disclosed security tools designed to analyze for security vulnerability and tool-specific package comprises one or more security tools.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DAVID HYUNGYU KIM whose telephone number is (571)272-0460. The examiner can normally be reached Monday - Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip Chea can be reached on (571)-273-8300. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/DAVID HYUNGYU KIM/Examiner, Art Unit 2499                                                                                                                                                                                                        /PHILIP J CHEA/Supervisory Patent Examiner, Art Unit 2499