Prosecution Insights
Last updated: April 18, 2026
Application No. 18/385,903

Locating Potentially-Exploitable Software Dependencies

Non-Final OA §103
Filed
Oct 31, 2023
Examiner
PERUNGAVOOR, VENKATANARAY
Art Unit
2492
Tech Center
2400 — Computer Networks
Assignee
Codenotary Inc.
OA Round
3 (Non-Final)
88%
Grant Probability
Favorable
3-4
OA Rounds
2y 10m
To Grant
91%
With Interview

Examiner Intelligence

Grants 88% — above average
88%
Career Allow Rate
877 granted / 999 resolved
+29.8% vs TC avg
Minimal +4% lift
Without
With
+3.5%
Interview Lift
resolved cases with interview
Typical timeline
2y 10m
Avg Prosecution
43 currently pending
Career history
1042
Total Applications
across all art units

Statute-Specific Performance

§101
13.6%
-26.4% vs TC avg
§103
43.7%
+3.7% vs TC avg
§102
16.7%
-23.3% vs TC avg
§112
11.9%
-28.1% vs TC avg
Black line = Tech Center average estimate • Based on career data from 999 resolved cases

Office Action

§103
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . DETAILED ACTION This office action is in response to the application filed on or reply to the remarks of 10/29/2025. The instant application has claims 1-20 pending. The system for detecting vulnerabilities in dependencies for SBOM. There a total of 20 claims. Response to Arguments Applicant's arguments filed 10/296/2025 have been fully considered but they are not persuasive. The applicant argues that scanning itself and reporting dependcies is not taught by Sukhomlinov. The examiner disagrees. Sukhomlinov discloses the scanning of log files which would include the scanning component actions, and by examining these files it is essentially scanning itself see Par. 0025-0026. And further the dependency is determined for detecting vulnerabilities see Par. 0025 & Par. 0022. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. The factual inquiries for establishing a background for determining obviousness under pre-AIA 35 U.S.C. 103(a) are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or nonobviousness. Claims 9-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over US Patent Pub 2025/0147755 to Muenzel in view of US Patent Pub 2018/0189497 to Sukhomlinov. Regarding claim 91. Muenzel discloses A computer system for locating potentially-exploitable software dependencies, comprising: and a computer-implemented SBOM server coupled via a computer network to the one or more computers, wherein the SBOM server is programmed to receive dynamic SBOM data from the one or more SBOM-reporting software applications and store said dynamic SBOM data in a computer-implemented dependency database coupled to the SBOM server(Fig. 1 item 127 & Par. 004 & Par. 0041-0042, the dependency of application is tracked and stored). Muezel does not disclose one or more computers comprising one or more SBOM-reporting software applications, wherein an SBOM-reporting software application is programmed to generate dynamic SBOM data for itself and report it In the same field of endeavor as the claimed invention, Sukhomlinov discloses one or more computers comprising one or more SBOM-reporting software applications, wherein an SBOM-reporting software application is programmed to generate dynamic SBOM data for itself and report it(Abstract & Fig. 2A item 21-23,29 & Fig. 5 item 65 & Par. 0025-0026, the dependencies database stores the dependencies and report the finding based on comparison & Par. 0025-0026 & Par. 0022, the scanning of log files which would include the scanning component actions). It would have been obvious to one of ordinary skill in the art before the effective filing date of claimed invention to modify Muezel invention to incorporate SBOM-reporting software applications, wherein an SBOM-reporting software application is programmed to generate dynamic SBOM data for itself and report it for the advantage of detected vulnerabilities based on known database as taught in Sukhomlinov see Par. 0029. Regarding claim 10. Sukhomlinov discloses The computer system for locating exploitable software dependencies of claim 9, wherein the one or more SBOM-reporting software applications self-report their dynamic SBOM data to the SBOM server(Abstract & Fig. 2A item 21-23,29 & Fig. 5 item 65 & Par. 0025-0026 & Fig. 5 item 66, 67, 70). Regarding claim 11. Sukhomlinov discloses The computer system for locating potentially-exploitable software dependencies of claim 10, wherein the one or more SBOM-reporting software applications self- report their dynamic SBOM data to the SBOM server on a configurable schedule. Regarding claim 12. Sukhomlinov discloses The computer system for locating potentially-exploitable software dependencies of claim 10, wherein the one or more SBOM-reporting software applications are configurable to self-report their dynamic SBOM data to the SBOM server upon occurrence of an event(Abstract & Fig. 2A item 21-23,29 & Fig. 5 item 65 & Par. 0025-0026 & Fig. 5 item 66, 67, 70).. Regarding claim 13. Sukhomlinov discloses The computer system for locating potentially-exploitable software dependencies of claim 9, wherein the SBOM server is further programmed to request dynamic SBOM data from the one or more SBOM-reporting software applications(Abstract & Fig. 2A item 21-23,29 & Fig. 5 item 65 & Par. 0025-0026 & Fig. 5 item 66, 67, 70).. Regarding claim 14. Sukhomlinov discloses The computer system for locating potentially-exploitable software dependencies of claim 9, further comprising a computer-implemented SBOM collector coupled to the SBOM server, said SBOM collector being programmed to collect dynamic SBOM data from the one or more SBOM-reporting software applications and provide it to the SBOM server(Abstract & Fig. 2A item 21-23,29 & Fig. 5 item 65 & Par. 0025-0026 & Fig. 5 item 66, 67, 70).. Regarding claim 15. Sukhomlinov discloses The computer system for locating potentially-exploitable software dependencies of claim 9, wherein the dynamic SBOM data reported by a SBOM-reporting software application comprises dependency identification data for all accessible and currently- loaded dependencies of the SBOM-reporting software application(Abstract & Fig. 2A item 21-23,29 & Fig. 5 item 65 & Par. 0025-0026 & Fig. 5 item 66, 67, 70). Regarding claim 16. Muenzel discloses The computer system for locating potentially-exploitable software dependencies of claim 9, wherein the SBOM server is further programmed to provide a user interface that enables filtered searches of the dependency database, dependency tracking, alerts, and reporting to users(Par. 0024-0025, the vulnerability detector for providing alerts). . Regarding claim 17. Muenzel discloses The computer system for locating potentially-exploitable software dependencies of claim 9, wherein the SBOM server is further programmed to report an alert when dynamic SBOM data for a SBOM-reporting software application reveals the presence of a potentially-exploitable software dependency(Par. 0024-0026, the vulnerability detector for providing alerts). Regarding claim 18. Muenzel discloses The computer system for locating potentially-exploitable software dependencies of claim 9, wherein a SBOM-reporting software application comprises an SBOM module that is programed to generate and output dynamic SBOM data for the software application, wherein the dynamic SBOM data reported by the SBOM module identifies the SBOM module as a loaded dependency of the SBOM-reporting software application(Par. 0018, the application package’s dependencies is detected). Regarding claim 19. Muenzel discloses The computer system for locating potentially-exploitable software dependencies of claim 9, wherein the one or more SBOM-reporting applications comprise a first SBOM-reporting application comprising a first SBOM module, said first SBOM-reporting application and first SBOM module written in a first programming language, and a second SBOM- reporting application comprising a second SBOM module, said second SBOM-reporting application and second SBOM module written in a different second programming language(par. 0023, the different version of package). Regarding claim 20. Muenzel discloses The computer system for locating potentially-exploitable software dependencies of claim 19, wherein the first SBOM module and the second SBOM module are programmed listen for an SBOM request on the same communications port number(Par. 0017, the application attributes are analyzed). Conclusion THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to Venkat Perungavoor whose telephone number is (571)272-7213. The examiner can normally be reached 9-5. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rupal Dharia can be reached on 571-272-3880. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /VENKAT PERUNGAVOOR/Primary Examiner, Art Unit 2492 Email: venkatanarayan.perungavoor@uspto.gov 1 The examiner notes that predicting vulnerabilities through the dependencies in software components is commonly known in the art see 2. Vulnerability Prediction Model & Fig. 4 & Fig. 5, attached article titled: Predicting Vulnerable Software Components with Dependency Graphs to Nguyen.
Read full office action

Prosecution Timeline

Oct 31, 2023
Application Filed
Jul 28, 2025
Non-Final Rejection — §103
Oct 29, 2025
Response Filed
Dec 15, 2025
Final Rejection — §103
Feb 17, 2026
Response after Non-Final Action
Mar 18, 2026
Request for Continued Examination
Apr 01, 2026
Response after Non-Final Action
Apr 10, 2026
Non-Final Rejection — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12602462
ARTIFICIAL-INTELLIGENCE-ENABLED AUTHENTICATION BASED ON USER METADATA
2y 5m to grant Granted Apr 14, 2026
Patent 12596820
Secure Cloaking of Data
2y 5m to grant Granted Apr 07, 2026
Patent 12596828
METHOD AND SYSTEM FOR SOVEREIGN DATA STORAGE
2y 5m to grant Granted Apr 07, 2026
Patent 12598191
Secure Content Management Through Authentication
2y 5m to grant Granted Apr 07, 2026
Patent 12592922
SYSTEMS AND METHODS OF DEVICE AUTHENTICATION INCLUDING FEATURES OF CIRCUIT TESTING AND VERIFICATION IN CONNECTION WITH KNOWN BOARD INFORMATION
2y 5m to grant Granted Mar 31, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

AI Strategy Recommendation

Get an AI-powered prosecution strategy using examiner precedents, rejection analysis, and claim mapping.
Powered by AI — typically takes 5-10 seconds

Prosecution Projections

3-4
Expected OA Rounds
88%
Grant Probability
91%
With Interview (+3.5%)
2y 10m
Median Time to Grant
High
PTA Risk
Based on 999 resolved cases by this examiner. Grant probability derived from career allow rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month