DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 10/25/2022 has been entered.
 
Response to Amendment
The Amendment filed on 09/26/2022 has been entered. 
Claims 1, 8 and 15 are amended.
Claims 1-20 are pending of which claims 1, 8 and 15 are independent claims.

Response to Arguments
The applicant's arguments filed on 09/26/2022 have been fully considered but the arguments are essentially directed towards the newly introduced limitations and they are addressed in this Office Action, below.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1-2, 4, 6, 8-9, 11, 13, 15-16, 18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Peyton, Jr. et al. (Pub. No.: US 2018/0137279, hereinafter Peyton) in view of Peyton et al. (Pub. No.: US 2008/0072214, hereinafter Peyton+).
Regarding claim 1: Peyton discloses A computer-implemented method for testing source code changes, comprising:
generating an incremental intermediate representation of a security vulnerability fix to repair an identified security vulnerability of a source code application (Peyton - [0022]: As shown in block 204, processor 501 causes change detector 106 to detect files that have been modified, files that have been newly added to the application, and files that have been deleted from the application since the previous scan. Processor 501 then parses any changed files and generates a partial scan state or “incremental” IR);
generating a merged intermediate representation by merging the incremental intermediate representation with a full intermediate representation of a previous version of the source code application (Peyton - [0023]: processor 501 causes intermediate merger 110 to merge the previous scan state 120 with the incremental IR 124, as shown in block 206);
generating a security assessment for the security vulnerability fix based on the security vulnerability analysis (Peyton - [0031]: Processor 501 identifies the call-graphs that contain the changed functions in 127, and runs the iterative taint-flow analysis only on these call-graphs and get security findings provided to assessment merger 114).
However, Peyton doesn’t explicitly teach but Peyton+ discloses:
performing a flow-insensitive analysis on the merged incremental intermediate representation to generate (Peyton+ - [0083]: The flow-insensitive analysis 14 derives a vulnerability lattice for each non-integral type variable or expression and an integral lattice for each integral type variable or expression): 
a variable model about a variable in the source code application, wherein the variable model comprises a variable lattice that represents a plurality of characteristics of the variable (Peyton+ - [0084]: The flow begins with an initial test 36 to determine if the variable being analyzed is an array or structure), and wherein generating the variable model is performed in response to a determination that the variable in the source code application is visible to a different routine of the source code application (Peyton+ - [0085]: If the variable is visible to other routines or passed into other routines as an argument, the vulnerability lattice for the variable is set. [0036]: A flow-insensitive analysis 14 analyzes the IR and derives models about each variable in the code. These models are specified in lattice form and called vulnerability lattices. (Lattices in general are known.)); and 
a state model comprising a state lattice that represents a plurality of states of a simulated execution of the source code application (Peyton+ - [0229]: the traversal of the call graph begins. This iterates over the call graph (with the pruning described above) to determine how the Vulnerability Lattices will be changed or refined. This iteration is context sensitive so that the Vulnerability Lattices are refined to model the range of values variables may have from the constrained universe of call graph possibilities expressed by the source code and modeled by the call graph); 
performing a security vulnerability analysis on the security vulnerability fix based on the variable model and the state model (Peyton+ - [0230]: the Vulnerability Lattices are more refined to include the interprocedural effects. The Vulnerability lattices may then be used in conjunction with the database to identify whether routine calls present vulnerabilities);
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Peyton with Peyton+ so that variable and state models are generated and used to identify potential vulnerabilities. The modification would have allowed the system to perform incremental static program analysis.
Regarding claim 2: Peyton as modified discloses further comprising generating an impact graph based on the merged incremental intermediate representation (Peyton - [0024]: At block 208, processor 501 can cause Incremental Analyzer 112 to use the function-level changes computed in block 206 to compute an impact graph), wherein the impact graph identifies:
one or more changed routines comprising changes related to the security vulnerability fix (Peyton - [0024]: The impact graph includes all the changed functions and additional functions that may have been affected by those changed functions); and
one or more calling routines that call the changed routines (Peyton - [0026]: a call can be a simple call or a virtual call. For example incremental analyzer 112 can be configured to set a simple-call to include variables for a caller, a callee, and a variable for arguments).
Regarding claim 4: Peyton as modified discloses further comprising updating the security vulnerability analysis by removing one or more findings that are not associated with the methods related to the security vulnerability fix (Peyton - [0030]: Using this merge algorithm, processor 501 is configured to build lists of modified, newly added and deleted functions (e.g., call-graphs that contain, if any, changed functions 127). Accordingly, processor 501 can update all references (such as calls) to these functions and apply the intermediate IR 125 output to build a whole-application call-graph), wherein removing the one or more findings that are not related to the impact graph comprises:
selecting a trace from the security vulnerability analysis; determining the trace is not related to the impact graph; and removing the trace from the security vulnerability analysis (Peyton - [0030]: processor 501 is configured to build lists of modified, newly added and deleted functions (e.g., call-graphs that contain, if any, changed functions 127). Accordingly, processor 501 can update all references (such as calls) to these functions and apply the intermediate IR 125 output to build a whole-application call-graph).
Regarding claim 6: Peyton as modified discloses wherein performing the security vulnerability analysis comprises:
generating a finding that the security vulnerability fix has a found security vulnerability; and generating a trace for the finding (Peyton+ - [0230]: The results of the analysis may then be reported to a software developer in any of a variety of ways including printed or displayed reports. These reports may be used to identify the specific type of vulnerability (as discussed above or as discussed in the related applications) and identify the portions of code (including Tainted Traces) that may be the cause of the potential vulnerability).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Peyton with Peyton+ so that findings for the security vulnerability are reported. The modification would have allowed the system to identify whether routine calls present vulnerabilities.
Regarding claims 8-9, 11 and 13: Claims are directed to computer readable medium claims and do not teach or further define over the limitations recited in claims 1-2, 4 and 6. Therefore, claims 8-9, 11 and 13 are also rejected for similar reasons set forth in claims 1-2, 4 and 6. 
Regarding claims 15-16, 18 and 20: Claims are directed to system claims and do not teach or further define over the limitations recited in claims 1-2, 4 and 6. Therefore, claims 15-16, 18 and 20 are also rejected for similar reasons set forth in claims 1-2, 4 and 6.
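
The impact graph of claim 2 and the trace removal of claim 4, shown as an added illustration that is not part of the Office action, the application, or the cited references. It assumes that "affected" routines are the transitive callers of the changed routines; the call graph, routine names and findings are constructed sample data.

```python
from collections import defaultdict, deque

# Constructed call graph: caller -> callees (hypothetical routine names).
CALL_GRAPH = {
    "handle_request": ["parse_params", "render_page"],
    "parse_params": ["sanitize"],
    "render_page": ["load_template"],
    "admin_export": ["build_query"],
}

# Constructed findings from a previous full scan; each trace lists the
# routines the tainted data passes through.
FINDINGS = [
    {"id": "F1", "type": "XSS", "trace": ["handle_request", "parse_params", "sanitize"]},
    {"id": "F2", "type": "SQLi", "trace": ["admin_export", "build_query"]},
    {"id": "F3", "type": "PathTraversal", "trace": ["render_page", "load_template"]},
]


def impact_graph(call_graph, changed):
    """Return the changed routines plus every routine that reaches them by calls."""
    callers = defaultdict(set)  # reverse edges: callee -> set of callers
    for caller, callees in call_graph.items():
        for callee in callees:
            callers[callee].add(caller)
    impacted = set(changed)
    queue = deque(changed)
    while queue:  # breadth-first walk up the reversed call graph
        for caller in callers[queue.popleft()]:
            if caller not in impacted:
                impacted.add(caller)
                queue.append(caller)
    return impacted


def filter_findings(findings, impacted):
    """Split findings into those whose trace touches the impact graph and the rest."""
    kept, removed = [], []
    for finding in findings:
        (kept if impacted.intersection(finding["trace"]) else removed).append(finding)
    return kept, removed


if __name__ == "__main__":
    impacted = impact_graph(CALL_GRAPH, {"sanitize"})  # fix touched sanitize()
    kept, removed = filter_findings(FINDINGS, impacted)
    print(sorted(impacted), [f["id"] for f in kept], [f["id"] for f in removed])
```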

Claims 3, 10 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Peyton, Jr. et al. (Pub. No.: US 2018/0137279, hereinafter Peyton) in view of Peyton et al. (Pub. No.: US 2008/0072214, hereinafter Peyton+) and Foley et al. (Pub. No.: US 2015/0067861, hereinafter Foley).
Regarding claims 3, 10 and 17: Peyton as modified discloses wherein generating the incremental intermediate representation comprises:
identifying one or more files for the source code application that are changed for the security vulnerability fix (Peyton - [0019]: System 100 further includes an incremental IR generator 108 that receives variable and method types 118 from full scan 104 and computes an incremental intermediate representation (incremental IR) 124 for changed files);
However, Peyton as modified doesn’t explicitly teach, but Foley discloses: identifying one or more lines of source code in the source code application that are changed for the security vulnerability fix (Foley - [0030]: records of each change made to a particular set of source code and that identify, for each change, what lines of code were changed).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Peyton and Peyton+ with Foley so that lines changed in a source code are identified. The modification would have allowed the system to identify what lines of code are changed.

Claims 5, 12 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Peyton, Jr. et al. (Pub. No.: US 2018/0137279, hereinafter Peyton) in view of Peyton et al. (Pub. No.: US 2008/0072214, hereinafter Peyton+) and Plate et al. (Pub. No.: US 2017/0255544, hereinafter Plate).
Regarding claims 5, 12 and 19: Peyton as modified doesn’t explicitly teach but Plate discloses further comprising removing a finding associated with the removed trace from the security vulnerability analysis (Plate - [0032]: the complete call graph is processed to remove any nodes, whose execution will never lead to the execution of vulnerable open-source functions).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Peyton and Peyton+ with Plate so that the call graph will remove any node that is not used. The modification would have allowed the system to increase performance.

Claims 7 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Peyton, Jr. et al. (Pub. No.: US 2018/0137279, hereinafter Peyton) in view of Peyton et al. (Pub. No.: US 2008/0072214, hereinafter Peyton+) and McGee et al. (Pub. No.: US 2016/0378993, hereinafter McGee).
Regarding claims 7 and 14: Peyton as modified doesn’t explicitly teach but McGee discloses wherein the security assessment comprises:
a fix indication whether the security vulnerability fix repairs the found security vulnerability; and
an additional indication whether the security vulnerability fix introduces an additional security vulnerability (McGee - [0041]: a product development update may indicate that a security vulnerability was fixed in the most recent patch, while the results of a test performed after the patch was applied may indicate that the security vulnerability still exists).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Peyton and Peyton+ with McGee so that the security assessment is performed. The modification would have allowed the system to enhance security.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Wasiq et al. (Patent No.: US 10,409,995) - End-to-end change tracking for triggering website security review
Norrman et al. (Pub. No.: US 2011/0055566) - Systems and methods for automatic software testing
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MENG LI whose telephone number is (571)272-8729.  The examiner can normally be reached on M-F 8:30-5:30.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s acting supervisor, Kristine Kincaid can be reached on (571) 272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8729.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/MENG LI/
Primary Examiner, Art Unit 2437