Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
This office action is in response to the application filed on or reply to the remarks of 10/29/2025. The instant application has claims 1-20 pending. The system for detecting vulnerabilities in dependencies for SBOM. There a total of 20 claims.
Response to Arguments
Applicant's arguments filed 10/296/2025 have been fully considered but they are not persuasive.
The applicant argues that scanning itself and reporting dependcies is not taught by Sukhomlinov.
The examiner disagrees. Sukhomlinov discloses the scanning of log files which would include the scanning component actions, and by examining these files it is essentially scanning itself see Par. 0025-0026. And further the dependency is determined for detecting vulnerabilities see Par. 0025 & Par. 0022.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under pre-AIA 35 U.S.C. 103(a) are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 9-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over US Patent Pub 2025/0147755 to Muenzel in view of US Patent Pub 2018/0189497 to Sukhomlinov.
Regarding claim 91. Muenzel discloses A computer system for locating potentially-exploitable software dependencies, comprising: and a computer-implemented SBOM server coupled via a computer network to the one or more computers, wherein the SBOM server is programmed to receive dynamic SBOM data from the one or more SBOM-reporting software applications and store said dynamic SBOM data in a computer-implemented dependency database coupled to the SBOM server(Fig. 1 item 127 & Par. 004 & Par. 0041-0042, the dependency of application is tracked and stored).
Muezel does not disclose one or more computers comprising one or more SBOM-reporting software applications, wherein an SBOM-reporting software application is programmed to generate dynamic SBOM data for itself and report it
In the same field of endeavor as the claimed invention, Sukhomlinov discloses one or more computers comprising one or more SBOM-reporting software applications, wherein an SBOM-reporting software application is programmed to generate dynamic SBOM data for itself and report it(Abstract & Fig. 2A item 21-23,29 & Fig. 5 item 65 & Par. 0025-0026, the dependencies database stores the dependencies and report the finding based on comparison & Par. 0025-0026 & Par. 0022, the scanning of log files which would include the scanning component actions).
It would have been obvious to one of ordinary skill in the art before the effective filing date of claimed invention to modify Muezel invention to incorporate SBOM-reporting software applications, wherein an SBOM-reporting software application is programmed to generate dynamic SBOM data for itself and report it for the advantage of detected vulnerabilities based on known database as taught in Sukhomlinov see Par. 0029.
Regarding claim 10. Sukhomlinov discloses The computer system for locating exploitable software dependencies of claim 9, wherein the one or more SBOM-reporting software applications self-report their dynamic SBOM data to the SBOM server(Abstract & Fig. 2A item 21-23,29 & Fig. 5 item 65 & Par. 0025-0026 & Fig. 5 item 66, 67, 70).
Regarding claim 11. Sukhomlinov discloses The computer system for locating potentially-exploitable software dependencies of claim 10, wherein the one or more SBOM-reporting software applications self- report their dynamic SBOM data to the SBOM server on a configurable schedule.
Regarding claim 12. Sukhomlinov discloses The computer system for locating potentially-exploitable software dependencies of claim 10, wherein the one or more SBOM-reporting software applications are configurable to self-report their dynamic SBOM data to the SBOM server upon occurrence of an event(Abstract & Fig. 2A item 21-23,29 & Fig. 5 item 65 & Par. 0025-0026 & Fig. 5 item 66, 67, 70)..
Regarding claim 13. Sukhomlinov discloses The computer system for locating potentially-exploitable software dependencies of claim 9, wherein the SBOM server is further programmed to request dynamic SBOM data from the one or more SBOM-reporting software applications(Abstract & Fig. 2A item 21-23,29 & Fig. 5 item 65 & Par. 0025-0026 & Fig. 5 item 66, 67, 70)..
Regarding claim 14. Sukhomlinov discloses The computer system for locating potentially-exploitable software dependencies of claim 9, further comprising a computer-implemented SBOM collector coupled to the SBOM server, said SBOM collector being programmed to collect dynamic SBOM data from the one or more SBOM-reporting software applications and provide it to the SBOM server(Abstract & Fig. 2A item 21-23,29 & Fig. 5 item 65 & Par. 0025-0026 & Fig. 5 item 66, 67, 70)..
Regarding claim 15. Sukhomlinov discloses The computer system for locating potentially-exploitable software dependencies of claim 9, wherein the dynamic SBOM data reported by a SBOM-reporting software application comprises dependency identification data for all accessible and currently- loaded dependencies of the SBOM-reporting software application(Abstract & Fig. 2A item 21-23,29 & Fig. 5 item 65 & Par. 0025-0026 & Fig. 5 item 66, 67, 70).
Regarding claim 16. Muenzel discloses The computer system for locating potentially-exploitable software dependencies of claim 9, wherein the SBOM server is further programmed to provide a user interface that enables filtered searches of the dependency database, dependency tracking, alerts, and reporting to users(Par. 0024-0025, the vulnerability detector for providing alerts). .
Regarding claim 17. Muenzel discloses The computer system for locating potentially-exploitable software dependencies of claim 9, wherein the SBOM server is further programmed to report an alert when dynamic SBOM data for a SBOM-reporting software application reveals the presence of a potentially-exploitable software dependency(Par. 0024-0026, the vulnerability detector for providing alerts).
Regarding claim 18. Muenzel discloses The computer system for locating potentially-exploitable software dependencies of claim 9, wherein a SBOM-reporting software application comprises an SBOM module that is programed to generate and output dynamic SBOM data for the software application, wherein the dynamic SBOM data reported by the SBOM module identifies the SBOM module as a loaded dependency of the SBOM-reporting software application(Par. 0018, the application package’s dependencies is detected).
Regarding claim 19. Muenzel discloses The computer system for locating potentially-exploitable software dependencies of claim 9, wherein the one or more SBOM-reporting applications comprise a first SBOM-reporting application comprising a first SBOM module, said first SBOM-reporting application and first SBOM module written in a first programming language, and a second SBOM- reporting application comprising a second SBOM module, said second SBOM-reporting application and second SBOM module written in a different second programming language(par. 0023, the different version of package).
Regarding claim 20. Muenzel discloses The computer system for locating potentially-exploitable software dependencies of claim 19, wherein the first SBOM module and the second SBOM module are programmed listen for an SBOM request on the same communications port number(Par. 0017, the application attributes are analyzed).
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Venkat Perungavoor whose telephone number is (571)272-7213. The examiner can normally be reached 9-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rupal Dharia can be reached on 571-272-3880. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/VENKAT PERUNGAVOOR/Primary Examiner, Art Unit 2492 Email: venkatanarayan.perungavoor@uspto.gov
1 The examiner notes that predicting vulnerabilities through the dependencies in software components is commonly known in the art see 2. Vulnerability Prediction Model & Fig. 4 & Fig. 5, attached article titled: Predicting Vulnerable Software Components with Dependency Graphs to Nguyen.