Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
This office action is in response to communication filed 8/4/2022. Claims 1-13 are currently pending and claims 14-20 are cancelled. Claims 1, 6, 7, 8, 10, and 11 are the independent claims. 

Claim Objections
The claims are objected to because the line spacing between and within the claims is inconsistent making reading difficult. For example, in claim 1 there is a blank/empty/skipped line between the preamble and the limitation “a set of package instance nodes…” but no line spacing between other limitations of the claim, there is no blank/empty/skipped line spacing between the last line of claim 1 and the first line of claim 2 but there is a blank/empty skipped line between the end of claim 2 and the first line of claim 3, there are blank/empty skipped lines within claims 6-11 and no blank/empty/skipped line spacing between claims 6-12, etc. For clarity, there should be consistent line spacing between claims and consistent line spacing within the claims. 
Claim 11 is further objected to because of the following informalities: 
It recites “…wherein the data structure providing an implicit representation of the package dependency tree that is smaller, in size, than an explicit representation of the package dependency tree”. Examiner would like to point out that, for grammar/clarity/etc., the wording/phrasing of this limitation should be “…wherein the data structure provides an implicit representation of the package dependency tree that is smaller, in size, than an explicit representation of the package dependency tree…”
 	Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-13 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
As per claim 1, it recites “…a set of package instance nodes, wherein each package instance node represents a different instance of a code package, wherein each package instance node comprising a package instance identifier and an instance metadata, wherein the package instance identifier is a unique identifier in the set of package instance nodes, wherein the instance metadata comprise a reference to a package record, wherein the package record representing a package, wherein the instance package is an instance of the package…”. Examiner would like to point out that while the claim 1 previously recites “package instance nodes”, “package”, etc., it does not previously recite “an instance package”, and as such there is insufficient antecedent basis for this limitation in the claims. For the purpose of examination the examiner will consider this limitation to be “…wherein the package record representing a package, wherein the package is an instance of the package…”.
As per dependent claims 2-5, they incorporate the deficiencies of independent claim 1, upon which they depend, and fail to correct the deficiencies of claim 1. Therefore dependent claims 2-5 are rejected for the same reasoning as claim 1, above. 
As per independent claims 6, it recites the limitation “A method for identifying all package instances of a target package in the data structure of Claim 1, the method comprising:…traversing connections in the package record to reach all package instance nodes in the set of package instance node that are connected to the package record…”.  Examiner would like to point out that, with broadest reasonable interpretation, the wording/phrasing of the claim “a method for identifying all package instances of a target package in the data structure of Claim 1” may be interpreted as “identifying all package instances of a target package in the data structure of Claim 1” is the intended use of the claimed method and not an explicitly recited/performed limitation. Additionally, examiner would like to point out that claim 1 is an independent claim reciting “A data structure retained on a non-transitory computer readable medium…” which goes on to recite “a set of package instance nodes” while claim 6 recites “A method for identifying…”, and while the intended use of the method of claim 6 may be identifying all package instances of a target package in the data structure of claim 1, the actual wording/phrasing of independent claim 6 does not require the obtaining/incorporating/etc. of the data structure of claim 1, and as such there is insufficient antecedent basis for the limitation “the set of package instance node…” of claim 6. For the purpose of examination, the examiner will consider claim 6 to recite “A method for identifying all package instances of a target package in the data structure of Claim 1, the method comprising: obtaining the data structure of claim 1;…traversing connections in the package record to reach all package instance nodes in the set of package instance node that are connected to the package record…”
As per independent claim 7, it recites “A method for identifying dependency paths to a target package instance in the data structure of Claim 1, the method comprising: obtaining a package instance node of the target package instance in the set of package instance nodes; and traversing the directed acyclic graph in a reverse direction...”. Examiner would like to point out that, with broadest reasonable interpretation, the wording/phrasing of the claim “A method for identifying dependency paths to a target package instance in the data structure of Claim 1” may be interpreted as “identifying dependency paths to a target package instance in the data structure of Claim 1” is the intended use of the claimed method and not an explicitly recited/performed limitation. Additionally, examiner would like to point out that claim 1 is an independent claim reciting “A data structure retained on a non-transitory computer readable medium…” which goes on to recite “a set of package instance nodes” while claim 7 recites “A method for identifying…”, and while the intended use of the method of claim 7 may be identifying dependency paths to a target package instance in the data structure of Claim 1, the actual wording/phrasing of independent claim 7 does not require the obtaining/incorporating/etc. of the data structure of claim 1, and as such there is insufficient antecedent basis for the limitation “the set of package instance nodes” and “the directed acyclic graph” of claim 7. For the purpose of examination, the examiner will consider claim 7 to recite “A method for identifying dependency paths to a target package instance in the data structure of Claim 1, the method comprising: obtaining the data structure of claim 1;…traversing connections in the package record to reach all package instance nodes in the set of package instance node that are connected to the package record…”
As per independent claim 8, it recites “A method comprising: obtaining, in a constant time complexity, all package node instances of a target package in the set of package node instances; for each package node instance of the target package, performing the method of Claim 7, whereby identifying all dependency paths to all instances of the target package within the data structure.” Examiner would like to point out that no “set of package node instances” is previously recited in claim 8, and as such there is insufficient antecedent basis for the limitation “the set of package node instances in the claim”. Additionally, the examiner would like to point out that while independent claim 8 recites the performance of the method of independent claim 7, claim 7 only recites that the intended use of the method of claim 7 is “identifying dependency paths to a target package instance in the data structure of claim 1”, and the claimed method itself of claim 7 does not explicitly recite/incorporate the data structure of claim 1, as seen above in the rejection of claim 7 under 35 USC 112(b), and as such there is insufficient antecedent basis for the limitation “identifying all dependency paths to all instances of the target package within the data structure”. For the purpose of examination the examiner will consider claim 8 to recite “A method comprising: obtaining the data structure of claim 1; obtaining, in a constant time complexity, all package instance nodes of a target package in the set of package instance nodes; for each package instance node of the target package, performing the method of Claim 7, whereby identifying all dependency paths to all instances of the target package within the data structure.”
As per claim 9, it incorporates the deficiencies of claim 8, upon which it depends, and fails to correct the deficiencies of claim 8. Therefore claim 9 is rejected for the same reasoning as claim 8, above. 
As per claim 9, it further recites “…wherein the suggestion is potentially different for different dependency paths.” Examiner is unclear as to whether the recited suggestion is or is not different for different dependency paths as the examiner understands “potentially” to mean that something could be/is possibly/may be/a possibility of/etc., and as such, with broadest reasonable interpretation, the wording/phrasing of “the suggestion is potentially different for different dependency paths” may mean that the suggestion could be different or the same/is possibly different or the same/etc. and as such the examiner is unclear as to what is meant by the suggestion is “potentially different” for different dependency paths. For the purpose of examination the examiner will consider this limitation to be “…the suggestion is different for different dependency paths.”
As per independent claims 10 and 11, they recite “obtaining the data structure of Claim 1…” and as such incorporate the data structure recited in claim 1 and the deficiencies of the data structure of claim 1, as seen above in the rejection of claim 1 under 35 USC 112(b), and fail to correct the deficiencies of claim 1. As such claims 10 and 11 are rejected for the same reasoning as claim 1, above. 
As per dependent claims 12-13, they incorporate the deficiencies of claim 11, upon which they depend, and fail to correct the deficiencies of claim 11. Therefore claims 12-13 are rejected for the same reasoning as claim 1, above. 

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-6 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because:
As per independent claims 1, it recites “A data structure retained on a non-transitory computer readable medium, the data structure representing package dependencies in a computer program, wherein the data structure comprising:…”. The examiner would like to point out that, with broadest reasonable interpretation, the wording/phrasing of “A data structure retained on a non-transitory computer readable medium…” may be interpreted such that it is the “data structure” that is claimed, and not the “non-transitory computer readable medium”, and, with broadest reasonable interpretation, a “data structure” may be interpreted as software/code/etc., which is software per-se, and software per-se is not patent eligible under 35 USC 101. Examiner would like to recommend the wording/phrasing “A non-transitory computer readable medium storing a data structure, the data structure representing package dependencies in a computer program, wherein the data structure comprising…”. 
As per dependent claims 2-6, they incorporate the deficiencies of independent claim 1, upon which they depend, and fail to correct the deficiencies of claim 1. Therefore claims 2-6 are rejected for the same reasoning as claim 1, above. 

Claims 7-10 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. 

As per claim 7, it recites “A method for identifying dependency paths to a target package instance in the data structure of Claim 1, the method comprising: obtaining a package instance node of the target package instance in the set of package instance nodes; and traversing the directed acyclic graph in a reverse direction, beginning at the package instance node of the target package instance, until reaching a root node of the directed acyclic graph representing a user code, whereby each traversal path is a different dependency path of the target package instance.”
The limitations of “A method for identifying dependency paths to a target package instance in the data structure of Claim 1, the method comprising: obtaining a package instance node of the target package instance in the set of package instance nodes; and traversing the directed acyclic graph in a reverse direction, beginning at the package instance node of the target package instance, until reaching a root node of the directed acyclic graph representing a user code”, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind. That is, nothing in the claim precludes the step from practically being performed in the mind. For example, the context of this claim covers a user manually/mentally/with pen and paper/etc. evaluating/analyzing/traversing a directed acyclic graph in reverse direction/from a manually/mentally/etc. determined/chosen/identified/obtained node/package instance node/etc. of a set of nodes to a root node/etc. of the set of nodes, and determining/evaluating/deciding/identifying/etc. dependency paths as the paths taken through the traversing/paths evaluated/analyzed/etc. through the graph/etc. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.
The judicial exception is not integrated into a practical application. In particular, the claim recites the additional elements of “whereby each traversal path is a different dependency path of the target package instance”, which, with broadest reasonable interpretation, only clarifies that analyzed/evaluated/judged/traversed/etc. paths through the directed acyclic graph are different dependency paths, which is only providing further clarification as to the identified dependency paths resulting/output/determined/etc. from performing the abstract idea/mental process/analyzing/evaluating/judging/traversing of the graph/etc., and as such does not integrate the abstract idea into a practical application as it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of “whereby each traversal path is a different dependency path of the target package instance”, with broadest reasonable interpretation, only clarifies that analyzed/evaluated/judged/traversed/etc. paths through the directed acyclic graph are different dependency paths, which is only providing further clarification as to the identified dependency paths resulting/output/determined/etc. from performing the abstract idea/mental process/analyzing/evaluating/judging/traversing of the graph/etc., which does not provide an inventive concept and as such is not significantly more than the judicial exception/abstract idea/mental process. The claim is not patent eligible. 

As per claim 8, it recites “A method comprising: obtaining, in a constant time complexity, all package node instances of a target package in the set of package node instances; for each package node instance of the target package, performing the method of Claim 7, whereby identifying all dependency paths to all instances of the target package within the data structure.”
The limitations of “for each package node instance of the target package, performing the method of Claim 7” recites performing the judicial exception/mental process/abstract idea recited in claim 7, and as such recites/is directed to/etc. an abstract idea/mental process/judicial exception for the same reasoning as claim 7, and is therefore rejected for the same reasoning as claim 7, above. 
This judicial exception is not integrated into a practical application. In particular, the claim recites the additional elements of “obtaining, in a constant time complexity, all package node instances of a target package in the set of package node instances”, and “whereby identifying all dependency paths to all instances of the target package within the data structure”, which, with broadest reasonable interpretation, only recite further clarification of the package nodes instances determined/identified/chosen/decided/obtained/etc. as a starting point/beginning/etc. of the analyzing/evaluating/judging/traversing of the directed acyclic graph, and further clarification as to the identified dependency paths resulting/output/determined/etc. from performing the abstract idea/mental process/analyzing/evaluating/judging/traversing of the graph/etc., and as such does not integrate the abstract idea into a practical application as it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements of “obtaining, in a constant time complexity, all package node instances of a target package in the set of package node instances”, and “whereby identifying all dependency paths to all instances of the target package within the data structure”, with broadest reasonable interpretation, only further clarifies the package nodes instances determined/identified/chosen/decided/obtained/etc. as a starting point/beginning/etc. of the analyzing/evaluating/judging/traversing of the directed acyclic graph, and further clarifies the identified dependency paths resulting/output/determined/etc. from performing the abstract idea/mental process/analyzing/evaluating/judging/traversing of the graph/etc., and as such does not provide an inventive concept and therefore is not significantly more than the judicial exception/abstract idea/mental process. The claim is not patent eligible.
As per dependent claim 9, it incorporates the deficiencies of claim 8, upon which it dependents, and further recites “…wherein the target package is a package having a vulnerability according to a flaws database, wherein the method further comprises: determining a potential mitigation action for the vulnerability and providing a suggestion to perform the potential mitigation action in order to remove the vulnerability, wherein the suggestion is potentially different for different dependency paths”, which, with broadest reasonable interpretation, conceptually, provides further clarification as to the target package on which the mental process/judicial exception/abstract idea is performed, and further recites the additional limitation of “determining a potential mitigation action for the vulnerability and providing a suggestion to perform the potential mitigation action in order to remove the vulnerability, wherein the suggestion is potentially different for different dependency paths”, which, with broadest reasonable interpretation, recites a further process that may be practically performed in the mind, ex: a user/human may mentally/manually/with pen and paper/etc. determine/decide/identify/etc. multiple/plural/different/etc. actions to mitigate/correct/fix/etc. vulnerabilities and output/suggest/provide the determined/identified/decided/etc. actions. As such, with broadest reasonable interpretation, these additional limitations do not integrate the abstract idea into a practical application as they do not impose any meaningful limits on practicing the abstract idea, nor do they amount to significantly more than the abstract idea/mental process/judicial exception as they do not provide an inventive concept. As such, with broadest reasonable interpretation, claim 9 fails to correct the deficiencies of claim 8, and is not patent eligible. 

As per claim 10, it recites “A method comprising: obtaining the data structure of Claim 1, wherein the package record comprises license information of the package represented by the package record; determining one or more licenses governing over the computer program or portion thereof; and outputting an indication of the one or more licenses to a user.”
The limitations “obtaining the data structure of Claim 1, wherein the package record comprises license information of the package represented by the package record; determining one or more licenses governing over the computer program or portion thereof”, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind/nothing in the claim precludes the steps from being practically performed in the mind/with pen and paper/etc. For example, a user/human/etc. may mentally/manually/with pen and paper analyze/evaluate/judge/etc. received/obtained/etc. data/information/data structures that include/comprise license information and decide/determine/identify/etc. licenses. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.
This judicial exception is not integrated into a practical application. In particular, the claim recites the additional element of “outputting an indication of the one or more licenses to a user” which, with broadest reasonable interpretation, conceptually, only clarifies that the result of performing the abstract idea/mental process/judicial exception/the identified/determined/decided/etc. licenses are output/provided/etc. to a user, and as such only clarifies a post solution activity to the performance of the mental process/abstract idea. Accordingly, the additional element does not integrate the abstract idea/mental process into an practical application as it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea. 
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of “outputting an indication of the one or more licenses to a user” only clarifies that the result of performing the abstract idea/mental process/judicial exception/the identified/determined/decided/etc. licenses are output/provided/etc. to a user, and as such only amounts to a post solution activity to the performance of the mental process/abstract idea, which does not provide an inventive concept and therefore is not significantly more than the abstract idea/mental process/judicial exception. The claim is not patent eligible. 

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1 and 7 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Pape et al. (herein called Pape) (US PG Pub. 2020/0004528 A1)

	As per claim 1, Pape anticipates: a data structure retained on a non-transitory computer readable medium, the data structure representing package dependencies in a computer program (fig. 6, pars. [0002], [0037], [0069]-[0070], dependency graph/tree representing dependencies between packages of code files/computer program), wherein the data structure comprising: 
a set of package instance nodes, wherein each package instance node represents a different instance of a code package, wherein each package instance node comprising a package instance identifier and an instance metadata, wherein the package instance identifier is a unique identifier in the set of package instance nodes, wherein the instance metadata comprise a reference to a package record, wherein the package record representing a package, wherein the instance package is an instance of the package (fig. 6, pars. [0002], [0015]-[0016], [0030]-[0032], [0037], [0046], [0069]-[0070], code files are organized into packages/versions of package/etc. which have dependencies on other packages and are organized into dependency graph/tree (data structure representing package dependencies in a computer program), as seen in fig. 6 the packages are the nodes of the tree/graph and lines/edges between the packages/nodes on the graph/tree represent dependencies between packages and as such the packages having dependency relationships on the tree/graph are a set of package instance nodes making up the nodes of the graph/tree wherein each package instance node represents a different instance of a code package/different package/different version of package/etc.; each package/package instance node has/comprises a unique version number (package instance identifier that is a unique identifier in the set of package instance nodes) and includes a package manifest containing information about the package such as a record of dependency relationships with other packages and appropriate versions of other packages for each dependency of the package (instance metadata comprising a reference to a package record representing a package ), and there may be multiple versions of packages and as such the package is an instance/version of the package.); 
wherein the set of package instance nodes comprise at least two package instance nodes that represent different instances of a same package (fig. 6 item 604, pars. [0020], [0047]-[0048], [0070], there may be multiple/different/upgraded/new/etc. versions of a package existing at a time (at least two package instance nodes representing different instances/versions of a same package) and dependency graph/tree may have multiple versions of package, ex: fig. 6 item 604 shows dependency tree/graph which has a node for package D2 and a node for new version D3, as such the set of package instance nodes comprise at least two package instance nodes representing different instances/versions of a same package.); 
a set of edges connecting package instance nodes of the set of package instance nodes, wherein an edge from a source node to a target node represents a dependency relationship of a package represented by the source node on a package represented by the target node (fig. 6, pars. [0017], [0069]-[0070], packages/versions of packages/instances of packages/etc. have dependencies on other packages/instances/versions/etc. and dependency tree/graph shows dependencies between packages/versions/instances/etc., and as seen in fig. 6, packages/versions/instances are represented as nodes on the graph/tree and edges/lines/arrows/etc. connecting/between/etc. the nodes/packages/instances/versions show the dependencies between the packages/node/instances/versions, ex: dependency tree 602 shows dependency in which package/node C2 (version 2 of package C) depends on packages/nodes A2 and B2, both of which depend on package D2, dependency tree 604 shows packages/nodes/multiple versions D2 and D3 of package D upon which packages A3 and B2, depend, etc., as such the lines/arrows/edges of the dependency graphs/trees are a set of edges that connect package instance nodes/packages represented as nodes on the graph/tree and each line/edge/arrow on the graph represents a dependency relationships of source node/package to a target node/shows that a source node representing a package (ex: node/package C2 in 602) is dependent on a target node/package/etc. (ex: node/package B2/A2 in item 602).); and 
wherein the data structure forming a directed acyclic graph representing a package dependency tree (fig. 6, pars. [0069]-[0070], dependency trees/directed acyclic graphs/etc. showing dependencies between packages).

As per claim 5, Pape further anticipates: wherein the instance metadata comprise information relating to package provenance, wherein the package record comprise information regarding at least one of: location of the package, a maintainer of the package, a description of the package, and one or more keywords related to the package (pars. [0031]-[0032], package manifest/instance metadata includes/records/comprises information about the package such as a unique version number of the package/instance, dependency relationships the package has with other packages and version numbers of other packages for each dependency, etc. (instance metadata/package manifest comprises information relating to package provenance and comprises information regarding a description of the package/dependency relationships of package/unique version number of package/etc.).

As per claim 7, Pape further anticipates a method for identifying dependency paths to a target package instance in the data structure of Claim 1, the method comprising: 
obtaining a package instance node of the target package instance in the set of package instance nodes (pars. [0037]-[0042], depth first searching analyzes dependency graph and starts by selecting first unsolved package in dependency graph  (obtain package instance node of target package instance in the set of package instance nodes of dependency graph).); and 
traversing the directed acyclic graph in a reverse direction, beginning at the package instance node of the target package instance, until reaching a root node of the directed acyclic graph representing a user code, whereby each traversal path is a different dependency path of the target package instance (pars. [0039]-[0042], depth first search of dependency graph (traversing/searching directed acyclic graph/dependency graph in reverse direction/depth first) identifies all versions of selected/obtained etc. package and starts at newest version of package (beginning at package instance node of the target package instance), identifies all/different/etc. dependencies of package/packages on which the package is dependent, and iterates through dependencies to determine/solve/etc. all dependencies (traverse/search graph depth first/in reverse direction until reaching a root node/node package is dependent on/etc. of directed acyclic graph/tree representing a user code, and each/all/different/etc. traversal path is different dependency path of target package instance/all dependencies are determined.).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 2 is rejected under 35 U.S.C. 103 as being unpatentable over Pape et al. (herein called Pape) (US PG Pub. 2020/0004528 A1) and Furusho (US PG Pub. 2008/0270435 A1).

As per claim 2, while Pape teaches that the packages/package instances have unique version number/identifiers (ex: pars. [0032]), are nodes on a dependency graph/tree (ex: fig. 6), and that the dependency tree/graph is searched in a depth first/reverse order search (ex: pars. [0039]-[0042]) it does not explicitly state, however teaches: 
wherein the package instance identifier of a package instance node that has one or more children nodes is computed based on package instance identifiers of the one or more children nodes (pars. [0023]-[0024], [0027]-[0028], [0055], [0057], [0108], tree/graph data structure consists of nodes having parent-child relationships (dependency graph/tree/acyclic dependency graph in which packages are the nodes from Pape), nodes have identifiers assigned to them, and node identifier of parent node is drawn/looked up (computed) from/based on the node identifier of the child node (package instance identifier of a package instance node/parent node has one or more children node/child node, and identifier of parent node/package instance identifier of package instance node is computer/drawn/looked up/etc. based on package instance identifiers/node identifiers of the one or more children node/child node).).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to add wherein the package instance identifier of a package instance node that has one or more children nodes is computed based on package instance identifiers of the one or more children nodes, as conceptually taught by Furusho, into that of Pape because these modification allow for an effective and efficient method of identifying/determining parent nodes/packages of child nodes/packages in a dependency tree/graph, which is desirable as it helps ensure that parent nodes/packages are correctly identified when searching/determining dependencies thereby helping to ensure that all parent packages/nodes and dependencies are identified/determined and helping to prevent errors that may occur due to incorrectly identifying parent nodes/dependencies.  

Claims 6 and 8 are rejected under 35 U.S.C. 103 as being unpatentable over Pape et al. (herein called Pape) (US PG Pub. 2020/0004528 A1) and Salemink et al. (herein called Salemink) (US PG Pub. 2008/0114735 A1).

As per claim 6, Pape teaches a method for identifying all package instances of a target package in the data structure of Claim 1, the method comprising: 
obtaining a package record of the target package (fig. 6, pars. [0029]-[0033], [0045]-[0048], [0069]-[0070], package is received that has package manifest which includes/records dependency relationships with other packages/version numbers for each dependency with another package/etc. which are shown in dependency tree/graph  (obtain package record/manifest/dependency relationships/dependency tree/graph/etc. of the target package).); and 
traversing connections in the package record to reach all package instance nodes in the set of package instance node that are connected to the package record (fig. 6, pars. [0037]-[0042], [0058], [0069]-[0070], depth first search is performed on dependency graph/tree for package having packages as nodes and dependencies as edges/lines/arrows (connections/dependencies in package records/manifest/dependency graph/tree/etc.) using algorithms/depth first search algorithms (traverse/search/etc. connections/dependencies in the package record/dependency graph/tree/recorded dependencies in the manifest/etc.) and all dependencies of packages are found for all versions of package (all package instance nodes in the set of package instance node that are connected to the package record are reached).).
While Pape teaches using algorithms to perform a search of the dependencies/dependency tree/dependency graph to identify dependencies of package instances/versions, it does not explicitly state, Salemink however teaches:
whereby said identifying is performed in a constant time complexity (pars. [0028], [0034], objects are groups of data/code (package from Pape) and are managed/stored/etc. as leaves of index trees (nodes of dependency trees of Pape) which results in search complexity being time-constant, and as Pape teaches searching/traversing dependency trees/graph to identify package instances, the dependency tree with packages as nodes of Pape may be a index tree with objects/groups of code/packages as leaves resulting in time-constant search of Salemink, and as such it is obvious that the identifying is performed in a constant time complexity.).
	Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to add whereby said identifying is performed in a constant time complexity, as conceptually taught by Salemink, into that of Pape because these modifications allow for the packages/code/etc. to be managed/stored/etc. in a manner that allows for fast, effective, and efficient  searching/identifying thereby helping to ensure that packages, dependencies, etc. are correctly determined in an efficient manner, thereby helping to save time when performing searching and prevent errors that may occur to incorrectly determining packages/dependencies.

As per claim 8, Pape teaches: a method comprising: 
obtaining all package node instances of a target package in the set of package node instances (pars. [0037], [0040], depth first search of dependency graph/tree first identifies all available versions for package (obtain/identify all package node instances/all available versions of package in dependency graph/tree).); 
for each package node instance of the target package (pars. [0041]], depth first search is performed/attempted for all versions of packages (for each package node instance of the target package)), performing the method of Claim 7 (see rejection of claim 7, above), 
whereby identifying all dependency paths to all instances of the target package within the data structure (pars. [0040]-[0041], depth first search of dependency graph/tree/data structure identifies all dependencies of package and is performed/attempted for all versions of packages, as such it is obvious that all dependency paths to all instances of the target package within the data structure/graph/tree are identified.).
While Pape teaches using algorithms to perform a search of the dependencies/dependency tree/dependency graph and that the search first identifies/obtains all available versions/all package node instances of a target package (as seen above), it does not explicitly state, however Salemink teaches: 
obtaining, in a constant time complexity, all package node instances of a target package in the set of package node instances (pars. [0028], [0034], objects are groups of data/code (package from Pape) and are managed/stored/etc. as leaves of index trees (nodes of dependency trees of Pape) which results in search complexity being time-constant, and as Pape teaches searching/traversing dependency trees/graph which includes identifying/obtaining all versions of package/all package node instances of target package/etc., the dependency tree with packages as nodes of Pape may be a index tree with objects/groups of code/packages as leaves resulting in time-constant search of Salemink, and as such it is obvious that the obtaining/identifying of all package node instances of target package/all available versions of package/etc. is performed in a constant time complexity.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to add obtaining, in a constant time complexity, all package node instances of a target package in the set of package node instances, as conceptually taught by , into that of Pape, because these modifications allow for the packages/code/etc. to be managed/stored/etc. in a manner that allows for fast, effective, and efficient searching/identifying of packages/package node instances/etc. thereby helping to ensure that packages are correctly determined in an efficient manner, thereby helping to save time when performing searching and prevent errors that may occur to incorrectly determining packages.

Claims 9 is rejected under 35 U.S.C. 103 as being unpatentable over Pape et al. (herein called Pape) (US PG Pub. 2020/0004528 A1) and Salemink et al. (herein called Salemink) (US PG Pub. 2008/0114735 A1) in further view of Weigert et al. (herein called Weigert) (US Patent 8,572,093 B2).

As per claim 9, Pape does not explicitly state, however Weigert teaches:
wherein the target package is a package having a vulnerability according to a flaws database (col. 4 lines 1-20, col 8 lines 5-67, col 12 lines 43-67, col. 13 lines 15-60, software package (target package) is reviewed and compliance issues (vulnerability) is determined by comparing license information of software package to license information in license database (vulnerability/compliance issue according to flaws database) and provided in compliance report provided to officer/reviewer/user.), 
wherein the method further comprises: determining a potential mitigation action for the vulnerability and providing a suggestion to perform the potential mitigation action in order to remove the vulnerability (col. 4 lines 10-22, col 13 lines 20-42, col 14 lines 40-55, col. 28 lines 28-40, remediation of compliance issues is managed by reviewer/user/etc. and workflow processing platform guides users through remediation process (determine potential mitigation action/remediation process for vulnerability/compliance issue and provides suggestion to perform the potential mitigation action/guide users through remediation process in order to remove the vulnerability).), 
wherein the suggestion is potentially different for different dependency paths (col. 13 lines 15-40, col. 15 lines 45-65, col 28 lines 15-40, 52-67, dependency information/package dependencies/etc. (dependency paths) of software/package being reviewed is used to generate dependency graph, debug information, legal implications, etc. for packages for packages on a per product/per package/build target/etc. basis which are reviewed to determine compliance issues of the particular package, and remediation/mitigation is performed for compliance issues for particular software components/package/etc. that was reviewed. As particular package being reviewed includes dependencies/dependency path for the particular package which is used to determine compliance issue/vulnerability on per package/product/etc. basis, which are remediated/mitigated for the particular package, it is obvious that different packages/particular packages would have different dependencies in them and different compliance issues which would be mitigated/remediated on a per pacakage/particular package basis (i.e. each package would have its own remediation actions determined and its own dependencies/dependency paths), and as such the remediation/suggested mitigation is different for the different dependency paths/is determined for each particular package having its own dependencies/dependency paths/etc..).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to add wherein the target package is a package having a vulnerability according to a flaws database, wherein the method further comprises: determining a potential mitigation action for the vulnerability and providing a suggestion to perform the potential mitigation action in order to remove the vulnerability, wherein the suggestion is potentially different for different dependency paths, as conceptually taught by Weigert, into that of Pape and Salemink, because these modifications allow for vulnerabilities/compliance issues in the software/package/etc. to be determined and mitigated/corrected/etc., which is desirable as it helps prevent errors/issues/etc. and helps ensure that the software/package/code operates correctly.

Claims 10 is rejected under 35 U.S.C. 103 as being unpatentable over Pape et al. (herein called Pape) (US PG Pub. 2020/0004528 A1) and Weigert et al. (herein called Weigert) (US Patent 8,572,093 B2).

As per claim 10, Pape teaches: a method comprising: 
obtaining the data structure of Claim 1 (see rejection of claim 1 above). 
While Pape teaches that packages are stored in repository and include a manifest/record containing information about the package (ex: par. [0031) Pape does not explicitly state, however Weigert teaches:
 	wherein the package record comprises license information of the package represented by the package record (col. 3 lines 5-30, col. 8 lines 5-45, col. 13 lines 43-65, software package in repository/database/etc. is reviewed/scanned/etc. for license information (package record comprises license information of package) which is reviewed to determine reliability of license information/compliance issues/etc. and a report of license is constructed.); 
determining one or more licenses governing over the computer program or portion thereof (col. 3 lines 5-30, col. 8 lines 5-45, col. 13 lines 43-65, license information such as open source license, third party license, etc. of software package is determined/scanned/etc. and reviewed (determine license governing over/of computer program or portion thereof/of software package).); and 
outputting an indication of the one or more licenses to a user (col. 6 line 63-col. 7 line 20, col. 12 line 64-col. 13 line 15, license review system creates reports/compliance report is created that includes/identifies licenses of software components of package, compliance issues for software, etc. whicha re reviewed by officer/authorized reviewer/etc. (output indication of licenses/report identifying licenses of software/package  to user/reviewer/officer).).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to add wherein the package record comprises license information of the package represented by the package record; determining one or more licenses governing over the computer program or portion thereof; and outputting an indication of the one or more licenses to a user, as conceptually taught by Weigert, into that of Pape because these modifications allow for software/packages/etc. to be reviewed to determine license and ensure license compliance, which is desirable as it helps prevent issues/errors/etc. that may occur due to using unlicensed software/software that is not correctly licensed/etc. 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DOUGLAS M SLACHTA whose telephone number is (571)270-0653. The examiner can normally be reached Monday-Friday 6:30am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Chat Do can be reached on 571-272-3721. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/DOUGLAS M SLACHTA/           Examiner, Art Unit 2193