Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
EXAMINER’S NOTE: The claims have been reviewed and considered under the new guidance pursuant to the 2019 Revised Patent Subject Matter Eligibility Guidance (PEG 2019) issued January 7, 2019.
This communication is in response to Applicant’s Amendment filed on 17 November 2025. Claims 1-3, 5, 15-17, 19-22, 25, and 28-29 have been amended. Claims 1-29 remain pending.
Response to Arguments
Applicant's arguments, pages 11-17, filed on 17 November 2025, with respect to the rejection of claims 1-4, 15-16, 19-24, and 28-29 in view of Yang et al. and Gondi, claims 5-11, 17-18, and 25-27 in view of Chan, and claims 12-14 in further view of Singh et al. have been fully considered, but are moot in view of the new grounds of rejection.
A new grounds of rejection is hereby presented in view of Trabelsi et al. (Pub No. 2021/0240834) for teaching newly amended claim limitation – “performing an initial scan of code, storing the published code in a version control repository system”.
In light of the previous 112, 1st paragraph rejection, the claims have been amended to overcome the rejection, therefore the rejection has been withdrawn.
The previous claim interpretation under 112 (f) for claims 28-29 still applies. The use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. Therefore, the claim interpretation will be maintained.
In light of the Applicant’s arguments for claims 1, 19, 21, and 28, the Applicant traverses that the prior art, Yang et al. in view of Gondi fail to disclose the claimed limitation of running a security scan on the code in response to the obtaining the command to download the code and while it is quarantined, wherein the published code and security scanned code is the same code.
The Examiner respectfully disagrees and asserts that Yang et al. discloses a method and system for quarantining source code scanning to prevent confidential information exposure from being downloaded by conducing security scanning in a quarantine area, wherein downloading code with vulnerabilities is unpermitted as disclosed in the Abstract, paragraph 17 and 23.
The security scanning in a quarantine area disclosed by Yang et al. is similar to one of the embodiments that address the deficiencies disclosed in the Applicant’s specification, which prevents only vulnerable code upload but not vulnerable code download (See Applicant’s specification, paragraph 17).
Yang et al. discloses a Git repository that uses a protocol called Git wherein before the code is downloaded from the Git repository as disclosed the code is put into a quarantined area. The Git actions are disclosed as a git push or pull command and responsive to the git push, the pushed code is stored in a quarantine area, which is a private and isolated area contained within the repository and initiates one or more security scans as disclosed in paragraph 35.
Yang et al. discloses storing code in a quarantine area wherein quarantined codebases can be pulled by one or more permitted users but cannot be accessed by unpermitted users. This will prevent a Git client from presenting, displaying, accesses, or provide web code that contains unpermitted codebases and prevent unpermitted users from pulling (i.e., downloading or cloning) restricted quarantined codebases from being downloaded as disclosed in paragraph 23. The quarantine area is a sandbox that isolates the code from the Git repository as disclosed in paragraph 24.
Yang et al. discloses a git hook that can be combined with scanning scripts wherein running the security scan employing a script to carry out a static application security testing (SAST) is disclosed in paragraph 27.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;
(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and
(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1, 19, 21, and 28 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
The claims as presently amended disclose the following claim limitation “wherein the published code and the security scanned code is the same code”, however, it is unclear to the Examiner because the security scan appears to be already ran on the published code as required by the claims. Therefore, the security scanned code and the published code clearly cannot be the same code. Dependent claims are also rejected under the same rationale set forth above.
Claim Objections
Claims 1, 19, 21, and 28 are objected to because of the following informalities: The terminology “the published code” is not recited wherein the “code” is published, thus, the “published code” can be interpreted as any published code, and not necessary the initially scanned “code”. Appropriate correction is required.
Claims 19 and 21 are objected to because of the following informalities: Claims 19 and 21 recites “download published code” which should be recited as “download the published code”. Appropriate correction is required.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-4, 15-16, 19-24, and 28-29 are rejected under 35 U.S.C. 103 as being unpatentable over Trabelsi et al. (Pub No. 2021/0240834) in view of Yang et al. (Pub No. 2021/0286895) in view of Gondi (US Patent No. 10,459,822).
Referring to the rejection of claim 1, Trabelsi et al. discloses a method comprising:
performing an initial scan of code; (See Trabelsi et al., para. 24-25, i.e., initiate a code scan using a scanner for performing regular expression- based scan of source code to identify hardcoded credentials within source code)
storing the published code in a version control repository system; (See Trabelsi et al., para. 24, i.e., the scan can take place at various points including when the source code is being uploaded to a source code repository, when the source code is received by the source code repository, when the source code is about to be published by the source code repository and/or when the source code is attempted to be downloaded by a third party)
However, Trabelsi et al. fails to explicitly disclose obtaining a command to download the published code from the version control system repository server, quarantining the published code and running a security scan on the published code in response to the obtaining the command to download the published code and while it is quarantined, wherein the published code and the security scanned code is the same code and based on an acceptable result of the security scan, releasing the quarantine and permitting download of the security scanned code.
Yang et al. discloses a method and system for quarantining source code to prevent confidential information exposure.
Yang et al. discloses obtaining a command to download the published code from the version control system repository server; (See Yang et al., para. 17 and 21-22, i.e., obtaining use commands such as Git push or pull command to download code from a source code management system disclosed as the version control system repository server)
Yang et al. discloses quarantining the published code and running a security scan on the published code in response to the obtaining the command to download the published code and while it is quarantined, wherein the published code and the security scanned code is the same code; (See Yang et al., para. 22-26 and 35, i.e., quarantining the code and running a security scan on the code in responsive to obtaining the command to download the code and while it is quarantined to prevent unpermitted users from Git cloning or downloading restricted quarantined codebases. Yang et al. further discloses in paragraph 35, i.e., a Git repository that uses a protocol called Git wherein before the code is downloaded from the Git repository as disclosed the code is put into a quarantined area. The Git actions are disclosed as a git push or pull command and in response to the git push command, the pushed code is stored in a quarantine area, which is a private and isolated area contained within the repository and initiates one or more security scans. In response to the security scan, will determine whether the code is defective, exceeds a threshold, contain sensitive information, etc., the program stores the pushed code in quarantine area, a private and isolated area contained within source code management system and initiates one or more security scans. Responsive to the scan completion, program 150 determines whether the code is defective (e.g., exceeds a defect threshold, code contains sensitive information, etc.). If program 150 determines that the code does not have defects, then program publishes (e.g., allows a standard push process) the code to public codebase 316, which represents publicly viewable code)
Yang et al. discloses and based on an acceptable result of the security scan, releasing the quarantine and permitting download of the security scanned code. (See Yang et al., para. 34, i.e., based on an acceptable result of the security scan, releasing the quarantine and permitting download of the code)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date the claimed invention was made to combine Trabelsi et al.’s method and system for identifying potentially vulnerable tokens within source code repositories using machine learning modified with Yang et al.’s system for quarantining source code to prevent confidential information exposure.
Motivation for such an implementation would enable quarantining source code to prevent confidential information exposure. (See Yang et al., Abstract )
Referring to the rejection of claims 2, 20, 22, and 29, (Trabelsi et al. modified by Yang et al.) discloses wherein: quarantining the published code and running the security scan on the published code while it is quarantined comprises placing the published code in a quarantine directory and running the security scan on the published code while it resides in the quarantine directory; and releasing the quarantine and permitting download of the security scanned code comprises moving the security scanned code to a separate directory and permitting download of the security scanned code from the separate directory. (See Yang et al., para. 24 and 34, i.e., quarantining the code and running the security scan on the code while it is quarantined comprises placing the code in a quarantine directory and running the security scan on the code while it resides in the quarantine directory and releasing the quarantine to permit the download of the code, wherein, the quarantined directory is disclosed as the sandbox directory that isolates untested code from the production or repository before actually storing it or downloading)
The rationale for combining Trabelsi et al. in view of Yang et al. is the same as claim 1.
Referring to the rejection of claims 3 and 23, (Trabelsi et al. modified by Yang et al.) discloses wherein running the security scan yields a vulnerability score further comprising: comparing the vulnerability score to a first threshold, wherein the acceptable result of the security scan is based on the comparison of the vulnerability score to the first threshold, (See Yang et al., para. 29, i.e., running the security scan yields a vulnerability score further comprising comparing the vulnerability score to a threshold, wherein the acceptable result of the security scan is based on the comparison of the vulnerability score to the threshold)
in response to the vulnerability score being unacceptable, comparing the vulnerability score to a second threshold, the second threshold being incrementally smaller than the first threshold, wherein the acceptable result of the security scan is based on the comparison of the vulnerability score to the second threshold. (See Yang et al., para. 35, i.e., responsive to the scan completion, program determines whether the code is defective, then program sends a notification to user1. If the latest code of user1 is stored within quarantine area when user2 (i.e., unpermitted user) initiates git pull and attempts to pull the latest code of user1, the code is pulled and returned from public codebase)
The rationale for combining Trabelsi et al. in view of Yang et al. is the same as claim 1.
Referring to the rejection of claims 4 and 24, (Trabelsi et al. modified by Yang et al.) discloses wherein the acceptable result of the security scan is based on the vulnerability score not exceeding the threshold, the threshold comprising a maximum permissible value of vulnerability score. (See Yang et al., para. 29 and 35, i.e., wherein the acceptable result of the security scan is based on the vulnerability score not exceeding the threshold comprising a maximum permissible value of vulnerability score)
The rationale for combining Trabelsi et al. in view of Yang et al. is the same as claim 1.
Referring to the rejection of claim 15, (Trabelsi et al. modified by Yang et al.) discloses further comprising, prior to obtaining the command to download the published code from the version control system repository server: (See Yang et al., para. 19)
obtaining a command to upload the published code to the version control system repository server; (See Yang et al., para. 17 and 21-22)
responsive to the obtained command to upload the code, placing the code in the quarantine directory and performing the security scan on the code while it resides in the quarantine directory; (See Yang et al., para. 23-26)
and based on an acceptable result of the security scan, moving the uploaded code to the separate directory. (See Yang et al., para. 34)
The rationale for combining Trabelsi et al. in view of Yang et al. is the same as claim 1.
Referring to the rejection of claim 16, (Trabelsi et al. modified by Yang et al.) discloses wherein the command to upload the code is received from a developer and the command to download the security scanned code is received from a user, different than the developer. (See Yang et al., para. 22-23)
The rationale for combining Trabelsi et al. in view of Yang et al. is the same as claim 1.
Referring to the rejection of claim 19, (Trabelsi et al. modified by Yang et al.) discloses a non-transitory computer readable medium comprising computer executable instructions which when executed by a computer cause the computer to perform a method comprising: (See Trabelsi et al., Fig. 4, i.e., non-transitory processor-readable storage medium, item 412)
performing an initial scan of code; (See Trabelsi et al., para. 24-25, i.e., initiate a code scan using a scanner for performing regular expression- based scan of source code to identify hardcoded credentials within source code)
storing the published code in a version control repository system; (See Trabelsi et al., para. 24, i.e., the scan can take place at various points including when the source code is being uploaded to a source code repository, when the source code is received by the source code repository, when the source code is about to be published by the source code repository and/or when the source code is attempted to be downloaded by a third party)
However, Trabelsi et al. fails to explicitly disclose obtaining a command to download the published code from the version control system repository server, quarantining the published code and running a security scan on the published code in response to the obtaining the command to download the published code and while it is quarantined, wherein the published code and the security scanned code is the same code and based on an acceptable result of the security scan, releasing the quarantine and permitting download of the security scanned code.
Yang et al. discloses a method and system for quarantining source code to prevent confidential information exposure.
Yang et al. discloses obtaining a command to download the published code from the version control system repository server; (See Yang et al., para. 17 and 21-22, i.e., obtaining use commands such as Git push or pull command to download code from a source code management system disclosed as the version control system repository server)
Yang et al. discloses quarantining the published code and running a security scan on the published code in response to the obtaining the command to download the published code and while it is quarantined, wherein the published code and the security scanned code is the same code; (See Yang et al., para. 22-26 and 35, i.e., quarantining the code and running a security scan on the code in responsive to obtaining the command to download the code and while it is quarantined to prevent unpermitted users from Git cloning or downloading restricted quarantined codebases. Yang et al. further discloses in paragraph 35, i.e., a Git repository that uses a protocol called Git wherein before the code is downloaded from the Git repository as disclosed the code is put into a quarantined area. The Git actions are disclosed as a git push or pull command and in response to the git push command, the pushed code is stored in a quarantine area, which is a private and isolated area contained within the repository and initiates one or more security scans. In response to the security scan, will determine whether the code is defective, exceeds a threshold, contain sensitive information, etc., the program stores the pushed code in quarantine area, a private and isolated area contained within source code management system and initiates one or more security scans. Responsive to the scan completion, program 150 determines whether the code is defective (e.g., exceeds a defect threshold, code contains sensitive information, etc.). If program 150 determines that the code does not have defects, then program publishes (e.g., allows a standard push process) the code to public codebase 316, which represents publicly viewable code)
Yang et al. discloses and based on an acceptable result of the security scan, releasing the quarantine and permitting download of the security scanned code. (See Yang et al., para. 34, i.e., based on an acceptable result of the security scan, releasing the quarantine and permitting download of the code)
The rationale for combining Trabelsi et al. in view of Yang et al. is the same as claim 1.
Referring to the rejection of claim 21, (Trabelsi et al. modified by Yang et al.) discloses a system comprising: (See Trabelsi et al., Fig. 4, i.e., system, item 400)
a memory; (See Trabelsi et al., Fig. 4, i.e., memory, item 412)
and at least one processor, coupled to the memory, and operative to: (See Trabelsi et al., Fig. 4, i.e., CPU, item 408)
perform an initial scan of code; (See Trabelsi et al., para. 24-25, i.e., initiate a code scan using a scanner for performing regular expression- based scan of source code to identify hardcoded credentials within source code)
store the published code in a version control repository system; (See Trabelsi et al., para. 24, i.e., the scan can take place at various points including when the source code is being uploaded to a source code repository, when the source code is received by the source code repository, when the source code is about to be published by the source code repository and/or when the source code is attempted to be downloaded by a third party)
However, Trabelsi et al. fails to explicitly disclose obtaining a command to download the published code from the version control system repository server, quarantining the published code and running a security scan on the published code in response to the obtaining the command to download the published code and while it is quarantined, wherein the published code and the security scanned code is the same code and based on an acceptable result of the security scan, releasing the quarantine and permitting download of the security scanned code.
Yang et al. discloses a method and system for quarantining source code to prevent confidential information exposure.
Yang et al. discloses obtain a command to download the published code from the version control system repository server; (See Yang et al., para. 17 and 21-22, i.e., obtaining use commands such as Git push or pull command to download code from a source code management system disclosed as the version control system repository server)
Yang et al. discloses quarantine the published code and running a security scan on the published code in response to the obtaining the command to download the published code and while it is quarantined, wherein the published code and the security scanned code is the same code; (See Yang et al., para. 22-26 and 35, i.e., quarantining the code and running a security scan on the code in responsive to obtaining the command to download the code and while it is quarantined to prevent unpermitted users from Git cloning or downloading restricted quarantined codebases. Yang et al. further discloses in paragraph 35, i.e., a Git repository that uses a protocol called Git wherein before the code is downloaded from the Git repository as disclosed the code is put into a quarantined area. The Git actions are disclosed as a git push or pull command and in response to the git push command, the pushed code is stored in a quarantine area, which is a private and isolated area contained within the repository and initiates one or more security scans. In response to the security scan, will determine whether the code is defective, exceeds a threshold, contain sensitive information, etc., the program stores the pushed code in quarantine area, a private and isolated area contained within source code management system and initiates one or more security scans. Responsive to the scan completion, program 150 determines whether the code is defective (e.g., exceeds a defect threshold, code contains sensitive information, etc.). If program 150 determines that the code does not have defects, then program publishes (e.g., allows a standard push process) the code to public codebase 316, which represents publicly viewable code)
Yang et al. discloses and based on an acceptable result of the security scan, release the quarantine and permit download of the security scanned code. (See Yang et al., para. 34, i.e., based on an acceptable result of the security scan, releasing the quarantine and permitting download of the code)
The rationale for combining Trabelsi et al. in view of Yang et al. is the same as claim 1.
Referring to the rejection of claim 28, (Trabelsi et al. modified by Yang et al.) discloses a system comprising: (See Trabelsi et al., Fig. 4, i.e., system, item 400)
performing an initial scan of code; (See Trabelsi et al., para. 24-25, i.e., initiate a code scan using a scanner for performing regular expression- based scan of source code to identify hardcoded credentials within source code)
storing the published code in a version control repository system; (See Trabelsi et al., para. 24, i.e., the scan can take place at various points including when the source code is being uploaded to a source code repository, when the source code is received by the source code repository, when the source code is about to be published by the source code repository and/or when the source code is attempted to be downloaded by a third party)
However, Trabelsi et al. fails to explicitly disclose obtaining a command to download the published code from the version control system repository server, quarantining the published code and running a security scan on the published code in response to the obtaining the command to download the published code and while it is quarantined, wherein the published code and the security scanned code is the same code and based on an acceptable result of the security scan, releasing the quarantine and permitting download of the security scanned code.
Yang et al. discloses a method and system for quarantining source code to prevent confidential information exposure.
Yang et al. discloses means for obtaining a command to download published code from the version control system repository server; (See Yang et al., para. 17 and 21-22, i.e., obtaining use commands such as Git push or pull command to download code from a source code management system disclosed as the version control system repository server)
Yang et al. discloses means for quarantining the published code and running a security scan on the published code in response to the obtaining the command to download the published code and while it is quarantined, wherein the published code and the security scanned code is the same code; (See Yang et al., para. 22-26 and 35, i.e., quarantining the code and running a security scan on the code in responsive to obtaining the command to download the code and while it is quarantined to prevent unpermitted users from Git cloning or downloading restricted quarantined codebases. Yang et al. further discloses in paragraph 35, i.e., a Git repository that uses a protocol called Git wherein before the code is downloaded from the Git repository as disclosed the code is put into a quarantined area. The Git actions are disclosed as a git push or pull command and in response to the git push command, the pushed code is stored in a quarantine area, which is a private and isolated area contained within the repository and initiates one or more security scans. In response to the security scan, will determine whether the code is defective, exceeds a threshold, contain sensitive information, etc., the program stores the pushed code in quarantine area, a private and isolated area contained within source code management system and initiates one or more security scans. Responsive to the scan completion, program 150 determines whether the code is defective (e.g., exceeds a defect threshold, code contains sensitive information, etc.). If program 150 determines that the code does not have defects, then program publishes (e.g., allows a standard push process) the code to public codebase 316, which represents publicly viewable code)
Yang et al. discloses and means for, based on an acceptable result of the security scan, releasing the quarantine and permitting download of the security scanned code. (See Yang et al., para. 34, i.e., based on an acceptable result of the security scan, releasing the quarantine and permitting download of the code)
The rationale for combining Trabelsi et al. in view of Yang et al. is the same as claim 1.
16. Claims 5-11, 17-18, and 25-27 are rejected under 35 U.S.C. 103 as being unpatentable over Trabelsi et al. (Pub No. 2021/0240834) in view of Yang et al. (Pub No. 2021/0286895) and in further view of Chan (Pub No. 2021/0176210).
The combination of Trabelsi et al. and Yang et al. discloses the invention as shown above, however, Trabelsi et al. and Yang et al. fails to explicitly disclose obtaining a second command to download second code from the version control system repository server; responsive to the obtained second command, placing the second code in the quarantine directory and running a security scan on the second code while it resides in the quarantine directory; and based on an unacceptable result of the security scan, refraining from moving the second code to the separate directory, and refusing download of the second code.
Chan discloses a quarantine system for cloud-based services.
Referring to the rejection of claims 5 and 25, (Trabelsi et al. and Yang et al. modified by Chan) discloses wherein the command to download the published code comprises a first command and the published code comprises first code, further comprising: obtaining a second command to download second code from the version control system repository server; (See Chan, para. 151 and 164)
responsive to the obtained second command, placing the second code in the quarantine directory and running a security scan on the second code while it resides in the quarantine directory; (See Chan, para. 164)
and based on an unacceptable result of the security scan, refraining from moving the second code to the separate directory, and refusing download of the second code. (See Chan, para. 175-176)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date the claimed invention was made to combine Trabelsi et al.’s method and system for identifying potentially vulnerable tokens within source code repositories using machine learning and Yang et al.’s system for quarantining source code to prevent confidential information exposure modified with Chan’s quarantine system for cloud-based services.
Motivation for such an implementation would enable a second command to download second code for comparing the vulnerability to the same threshold. (See Chan, para. 164)
Referring to the rejection of claims 6 and 26, (Trabelsi et al. and Yang et al. modified by Chan) discloses wherein running the security scan on the first and second code yields first and second vulnerability scores, further comprising comparing the first vulnerability score to a threshold and comparing the second vulnerability score to the threshold, (See Chan, para. 151 and 164)
wherein the acceptable result of the security scan on the first code is based on the comparison of the first vulnerability score to the threshold and the unacceptable result of the security scan on the second code is based on the comparison of the second vulnerability score to the threshold. (See Chan, para. 175-176)
The rationale for combining Trabelsi et al. and Yang et al. in view of Chan is the same as claim 5.
Referring to the rejection of claims 7 and 27, (Trabelsi et al. and Yang et al. modified by Chan) discloses wherein running the security scan on the first and second code yields first and second vulnerability scores, further comprising comparing the first vulnerability score to a first threshold and comparing the second vulnerability score to a second threshold, different than the first threshold, (See Chan, para. 164)
wherein the acceptable result of the security scan on the first code is based on the comparison of the first vulnerability score to the first threshold (See Chan, para. 164)
and the unacceptable result of the security scan on the second code is based on the comparison of the second vulnerability score to the second threshold. (See Chan, para. 175-176)
The rationale for combining Trabelsi et al. and Yang et al. in view of Chan is the same as claim 5.
Referring to the rejection of claim 8, (Trabelsi et al. and Yang et al. modified by Chan) discloses further comprising, based on the unacceptable result of the security scan: remediating at least one security issue with the second code; (See Chan, para. 140-142)
running a security scan on the remediated second code while it resides in the quarantine directory; and based on an acceptable result of the security scan on the remediated second code, moving the remediated second code to the separate directory and permitting download of the remediated second code from the separate directory. (See Chan, para. 140-142)
The rationale for combining Trabelsi et al. and Yang et al. in view of Chan is the same as claim 5.
Referring to the rejection of claim 9, (Trabelsi et al. and Yang et al. modified by Chan) discloses further comprising, based on the unacceptable result of the security scan on the second code, returning an error message to a provider of the command to download the second code. (See Chan., para. 66)
The rationale for combining Yang et al. and Gondi in view of Chan is the same as claim 5.
Referring to the rejection of claim 10, (Trabelsi et al. and Yang et al. modified by Chan) discloses wherein the error message includes at least one specific identified vulnerability, a Common Vulnerability Scoring System (CVSS) score, and an identification of specific lines of code that are vulnerable. (See Yang et al., para. 26, 29, and 31)
Referring to the rejection of claim 11, (Trabelsi et al. and Yang et al. modified by Chan) discloses wherein the error message further includes at least one link to documentation on how to resolve the at least one specific identified vulnerability. (See Yang et al., para. 29 and 31-32)
Referring to the rejection of claim 17, (Trabelsi et al. and Yang et al. modified by Chan) discloses wherein the command to download the published code comprises a first download command, the command to upload the code comprises a first upload command, and the code comprises first code, further comprising: (See Chan, para. 130-131 and 141)
obtaining a second upload command to upload second code to the version control system repository server; (See Chan, para. 151 and 164)
responsive to the obtained second upload command to upload the second code, placing the second code in the quarantine directory and running an intake security scan on the second code while it resides in the quarantine directory; (See Chan, para. 164)
based on an acceptable result of the intake security scan on the second code, moving the second code to the separate directory; after the acceptable result of the intake security scan on the second code, and the moving of the second code to the separate directory, (See Chan, para. 152-153)
obtaining a second download command to download the second code from the version control system repository server; (See Chan, para. 164)
responsive to the obtained second download command, placing the second code in the quarantine directory and running a download security scan on the second code while it resides in the quarantine directory; (See Chan, para. 164)
and based on an unacceptable result of the download security scan on the second code, refraining from moving the second code to the separate directory, and refusing download of the second code. (See Chan, para. 175-176)
The rationale for combining Yang et al. and Gondi in view of Chan is the same as claim 5.
Referring to the rejection of claim 18, (Trabelsi et al. and Yang et al. modified by Chan) discloses wherein the download security scan on the second code takes into account new vulnerability information not available for the intake security scan on the second code. (See Chan, para. 135)
The rationale for combining Trabelsi et al. and Yang et al. in view of Chan is the same as claim 5.
17. Claims 12-14 are rejected under 35 U.S.C. 103 as being unpatentable over Trabelsi et al. (Pub No. 2021/0240834) in view of Yang et al. (Pub No. 2021/0286895) and in further view of Singh et al. (Pub No. 2024/0144136).
The combination of Trabelsi et al. and Yang et al. discloses the invention as shown above, however, Trabelsi et al. and Yang et al. fails to explicitly disclose wherein running the security scan comprises employing a script to carry out at least software composition analysis (SCA).
Singh et al. discloses a system and method for continuous improvement of a cyber security rating of a firm.
Referring to the rejection of claim 12, (Trabelsi et al. and Yang et al. modified by Singh et al.) discloses wherein running the security scan comprises employing a script to carry out at least software composition analysis (SCA). (See Singh et al., para. 20-22)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date the claimed invention was made to combine Trabelsi et al.’s method and system for identifying potentially vulnerable tokens within source code repositories using machine learning and Yang et al.’s system for quarantining source code to prevent confidential information exposure modified with Singh et al.’s system and method for continuous improvement of a cyber security rating of a firm.
Motivation for such an implementation would enable scanning code using an automated process that identifies the open source of vulnerabilities located within the codebase. (See Singh et al., para. 20)
Referring to the rejection of claim 13, (Trabelsi et al. and Yang et al. modified by Singh et al.) discloses wherein running the security scan comprises employing a script to carry out at least static application security testing (SAST). (See Singh et al., para. 20-22 and Yang et al., para. 27)
The rationale for combining Trabelsi et al. and Yang et al. in view of Singh et al. is the same as claim 12.
Referring to the rejection of claim 14, (Trabelsi et al. and Yang et al. modified by Singh et al.) discloses wherein running the security scan comprises employing a script to carry out at least dynamic application security testing (DAST). (See Singh et al., para. 20-22 and Yang et al., para. 27)
The rationale for combining Trabelsi et al. and Yang et al. in view of Singh et al. is the same as claim 12.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to COURTNEY D FIELDS whose telephone number is (571)272-3871. The examiner can normally be reached IFP M-F 8am-4:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SHEWAYE GELAGAY can be reached at (571)272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/COURTNEY D FIELDS/Examiner, Art Unit 2436 December 11, 2025
/SHEWAYE GELAGAY/Supervisory Patent Examiner, Art Unit 2436