Prosecution Insights
Last updated: May 29, 2026
Application No. 18/442,325

SYSTEMS, METHODS, AND COMPUTER READABLE MEDIA FOR REMEDIATING SECURITY VULNERABILITIES

Status: Final Rejection (§102, §103)
Filed: Feb 15, 2024
Priority: Feb 27, 2023 (provisional 63/487,040, plus one more)
Examiner: CAREY, FORREST L
Art Unit: 2491
Tech Center: 2400 (Computer Networks)
Assignee: Deepfactor LLC
OA Round: 3 (Final)
Grant Probability: 56% (Moderate)
OA Rounds: 4-5
Est. Remaining: 1y 4m
With Interview: 99%

Examiner Intelligence

Career Allowance Rate: 56% (145 granted / 260 resolved; -2.2% vs TC avg)
Interview Lift: +54.3% (resolved cases with interview)
Avg Prosecution: 3y 7m (typical timeline)
Currently Pending: 22
Total Applications: 287 (career history, across all art units)

Statute-Specific Performance

§101: 1.1% (-38.9% vs TC avg)
§103: 87.8% (+47.8% vs TC avg)
§102: 9.0% (-31.0% vs TC avg)
§112: 2.0% (-38.0% vs TC avg)
Tech Center averages are estimates. Based on career data from 260 resolved cases.

Office Action (§102, §103)

DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 4/24/2026 has been entered.

Status of Claims

Claims 1-20 are pending.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-2, 6-7, 11-13, 17-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Anwar et al (PGPUB 2022/0083667), and further in view of Cheng et al (US 12,542,797).

Regarding Claims 1 and 12: Anwar teaches a method for operating a telemetry interception and analysis platform (TIAP) system and a computer program product comprising at least one non-transitory computer-readable storage medium having computer-readable program code portions stored therein, the computer-readable program code portions comprising an executable portion configured to ([abstract] software composition analysis system can obtain, from a vulnerability database, security vulnerability data about a set of known security vulnerabilities; the software composition analysis system can identify an application for analysis; the application can call a common library shared among a plurality of applications; the software composition analysis system can identify, based upon the set of known security vulnerabilities, a security vulnerability in the common library; the software composition analysis system can remediate the security vulnerability in the common library; [0007] implemented as a computer-controlled apparatus, a computer process, a computing system, or as an article of manufacture such as a computer-readable storage medium): generate, on a server comprising a database and a processor ([0029]-[0030] software composition analysis system 124 can be implemented as a computing system or device, such as, for example, a desktop, laptop, or tablet; in particular, the software composition analysis system 124 can be configured the same as or similar to the computer system 400; the software composition analysis system 124 can be implemented as part of the application development systems 102; [0049] computer system 400 includes a processing unit 402; [0024] library database 112 can be external to or part of the application development systems 102), a software bill of materials (SBOM) used by an application being executed on a customer computer system, the SBOM comprising a plurality of components ([0030]-[0031] software composition analysis system 124 includes, in 
addition to the vulnerability identification module 132 and the API(s) 140, a dependency tree module 142, a vulnerability effectiveness module 144, and a vulnerability remediation module 146; dependency tree module 142 can analyze the application 108 to determine the dependencies among the software packages 106/110 utilized by the application 108; the dependencies can be direct or transitive; a direct dependency is an open source package (e.g., a common library software package 110) that is explicitly used by the developer 104; a transitive dependency is an open source package called by another open source package (e.g., one common library software package 110 that calls another common library software package 110) and is not explicitly used by the developer 104; the dependency tree module 142 can utilize this dependency information to create an application dependency tree); execute, on the server, a TIAP portal comprising a common vulnerabilities and exposures (CVE) service operative to receive CVEs from at least one CVE source ([0026]-[0028] security vulnerability alerts 122 can be generated by the software composition analysis system 124 based upon a known security vulnerabilities data feed 126 received from a security vulnerability database 128 that maintains security vulnerability data 130 about known security vulnerabilities; security vulnerability database 128 obtains and maintains the security vulnerability data 130; in some embodiments, the security vulnerability database 128 includes the Common Vulnerabilities and Exposures (“CVE”) dictionary (also referred to as a “list”) or otherwise provides access thereto; the CVE dictionary provides definitions for publicly disclosed security vulnerabilities and exposures; the vulnerability identification module 132 can call one or more application programming interfaces (“APIs”) 140 that are exposed by the security vulnerability database 128 to subscribe to or otherwise obtain the known security vulnerabilities data 
feed 126); receive, at the TIAP portal, vulnerabilities from the at least one CVE source ([0028] the vulnerability identification module 132 can call one or more application programming interfaces (“APIs”) 140 that are exposed by the security vulnerability database 128 to subscribe to or otherwise obtain the known security vulnerabilities data feed 126); identify, at the TIAP portal, vulnerable components within the SBOM ([0032] vulnerability effectiveness module 144 can analyze the known security vulnerabilities data feed 126 and the composition of the application 108 to determine which security vulnerabilities are effective and which security vulnerabilities are ineffective; an effective security vulnerability includes vulnerable code that is executed by the application 108; an ineffective security vulnerability includes vulnerable code that is not executed by the application 108; this is referred to herein as the effectiveness of the vulnerability; the vulnerability effectiveness module 144 can share this effectiveness information with the dependency tree module 142); and remediate, at the TIAP portal, the vulnerable components with fixed versions of the vulnerable components to produce an updated build of the application ([0034] the software composition analysis system 124 can execute the vulnerability remediation module 146 to remediate known security vulnerabilities in the application 108; in some embodiments, the vulnerability remediation module 146 can be configured to prioritize vulnerability remediation within the common library software packages 110 over the developer software packages 106; in particular, the software composition analysis system 124 can execute the vulnerability remediation module 146 to fix all security vulnerabilities within the common library software packages 110 to eliminate the security vulnerability alerts 122 in the identified application 108, and potentially in one or more other applications 108 that call the common library 
software packages 110; for common libraries, all direct and transitive dependencies should be upgraded to non-vulnerable versions). Anwar does not explicitly teach identifying vulnerable components within the SBOM that were used by the application during a runtime of the application; ranking each of the vulnerable components based on its usage during the runtime of the application; and remediating in accordance with the ranking. However, Cheng teaches the concept of identifying vulnerable components within an SBOM that were used by an application during a runtime of the application ([abstract] software components that are affected by a vulnerability are identified using information from a vulnerability alert; an overall risk score of the vulnerability is determined based at least on whether the vulnerability can be triggered, how the vulnerability affects the connected vehicle when the vulnerability is triggered, and an intrinsic risk posed by the vulnerability; remediation of the vulnerability is prioritized based at least on the overall risk score of the vulnerability; [col 3 line 36-61] software bill of materials collection process 251 includes identifying and listing the firmware (FIG. 2, 201), source code (FIG. 2, 202), and other software components of a connected vehicle (FIG. 2, 203); [col 6 line 7-18] impact analysis process 223 includes collecting metadata of software components (FIG. 6, 241) to determine if the vulnerability can be triggered (FIG. 6, 242); [col 6 line 19-32] metadata collection step (FIG. 
6, 241) may include obtaining executable metadata, system metadata, and I/O interface metadata; executable metadata may be used to determine if a vulnerable function or library is loaded during system startup or used in a running process); ranking each of the vulnerable components based on its usage during the runtime of the application ([col 6 line 43-59] collected metadata may be consulted to determine if the vulnerability can be triggered; the collected metadata may be consulted to determine if the vulnerability affects a particular component or configurable option that is utilized during operation of the connected vehicle; [col 7 line 52-col 8 line 8] overall risk score of the vulnerability may be determined based at least on the threat score generated from the threat analysis process 222, the impact score generated from the impact analysis process 223, and the intrinsic score generated from the intrinsic risk analysis process 224 (FIG. 6, 248); [col 8 line 9-15] vulnerabilities may be prioritized based on their overall risk scores; the higher the overall risk score, the higher the priority to remediate the vulnerability); and remediating in accordance with the ranking ([col 8 line 9-15] the higher the overall risk score, the higher the priority to remediate the vulnerability; remediating the vulnerability may include updating or replacing the vulnerable software component, for example). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the ranked vulnerability priority teachings of Cheng with the vulnerability remediation system of Anwar in order to identify the most serious vulnerabilities potentially affecting a particular system to focus effort and cost on remediating these most serious vulnerabilities first, with the option of correcting minor issues and bugs later, thereby preventing widespread exploitation of the most dangerous and damaging vulnerabilities, resulting in an improvement to the security environment.

Regarding Claims 2 and 13: Anwar in view of Cheng teaches the method of claim 1 and the computer program product of claim 12. In addition, Anwar teaches wherein the computer-readable program code portions comprise the executable portion configured to: identify, at the TIAP portal, the fixed versions for the vulnerable components ([0034] the software composition analysis system 124 can provide direction to the developer 104 regarding to which package version the vulnerable package should be upgraded).

Regarding Claims 6 and 17: Anwar in view of Cheng teaches the method of claim 1 and the computer program product of claim 12.
In addition, Anwar teaches wherein the plurality of components included in the SBOM comprises components that are not executed by the application and components that are executed by the application ([0031] dependency tree module 142 can analyze the application 108 to determine the dependencies among the software packages 106/110 utilized by the application 108; the dependencies can be direct or transitive; a direct dependency is an open source package (e.g., a common library software package 110) that is explicitly used by the developer 104; a transitive dependency is an open source package called by another open source package (e.g., one common library software package 110 that calls another common library software package 110) and is not explicitly used by the developer 104; [0032] vulnerability effectiveness module 144 can analyze the known security vulnerabilities data feed 126 and the composition of the application 108 to determine which security vulnerabilities are effective and which security vulnerabilities are ineffective; an effective security vulnerability includes vulnerable code that is executed by the application 108; an ineffective security vulnerability includes vulnerable code that is not executed by the application 108; this is referred to herein as the effectiveness of the vulnerability; the vulnerability effectiveness module 144 can share this effectiveness information with the dependency tree module 142).

Regarding Claim 7: Anwar teaches a telemetry interception and analysis platform (TIAP) system ([abstract] software composition analysis system can obtain, from a vulnerability database, security vulnerability data about a set of known security vulnerabilities; the software composition analysis system can identify an application for analysis), comprising: a server comprising a database and a hardware processor to run a TIAP portal comprising an event service operative to receive telemetry events from a TIAP runtime being executed on a customer computer system in conjunction with an application being executed on the customer computer system ([0029]-[0030] software composition analysis system 124 can be implemented as a computing system or device, such as, for example, a desktop, laptop, or tablet; in particular, the software composition analysis system 124 can be configured the same as or similar to the computer system 400; the software composition analysis system 124 can be implemented as part of the application development systems 102; [0049] computer system 400 includes a processing unit 402; [0024] library database 112 can be external to or part of the application development systems 102), wherein the TIAP portal comprises a common vulnerability and exposure (CVE) service operative to receive a plurality of CVEs, wherein the plurality of CVEs are stored in the database ([0026]-[0028] security vulnerability alerts 122 can be generated by the software composition analysis system 124 based upon a known security vulnerabilities data feed 126 received from a security vulnerability database 128 that maintains security vulnerability data 130 about known security vulnerabilities; security vulnerability database 128 obtains and maintains the security vulnerability data 130; in some embodiments, the security vulnerability database 128 includes the Common Vulnerabilities and Exposures (“CVE”) dictionary (also referred to as a “list”) or otherwise provides access thereto; 
the CVE dictionary provides definitions for publicly disclosed security vulnerabilities and exposures; the vulnerability identification module 132 can call one or more application programming interfaces (“APIs”) 140 that are exposed by the security vulnerability database 128 to subscribe to or otherwise obtain the known security vulnerabilities data feed 126), and wherein the TIAP portal comprises a software bill of materials (SBOM) service operable to: generate a SBOM used by the application being executed on the customer computer system, the SBOM comprising a plurality of components ([0030]-[0031] software composition analysis system 124 includes, in addition to the vulnerability identification module 132 and the API(s) 140, a dependency tree module 142, a vulnerability effectiveness module 144, and a vulnerability remediation module 146; dependency tree module 142 can analyze the application 108 to determine the dependencies among the software packages 106/110 utilized by the application 108; the dependencies can be direct or transitive; a direct dependency is an open source package (e.g., a common library software package 110) that is explicitly used by the developer 104; a transitive dependency is an open source package called by another open source package (e.g., one common library software package 110 that calls another common library software package 110) and is not explicitly used by the developer 104; the dependency tree module 142 can utilize this dependency information to create an application dependency tree); and identify at least one component that is associated with one or more vulnerabilities ([0032] vulnerability effectiveness module 144 can analyze the known security vulnerabilities data feed 126 and the composition of the application 108 to determine which security vulnerabilities are effective and which security vulnerabilities are ineffective; an effective security vulnerability includes vulnerable code that is executed by the application 108; an 
ineffective security vulnerability includes vulnerable code that is not executed by the application 108; this is referred to herein as the effectiveness of the vulnerability; the vulnerability effectiveness module 144 can share this effectiveness information with the dependency tree module 142); and wherein the TIAP portal comprises a remediation service operable to: identify vulnerable components within the SBOM ([0034] the software composition analysis system 124 can execute the vulnerability remediation module 146 to remediate known security vulnerabilities in the application 108; in some embodiments, the vulnerability remediation module 146 can be configured to prioritize vulnerability remediation within the common library software packages 110 over the developer software packages 106; in particular, the software composition analysis system 124 can execute the vulnerability remediation module 146 to fix all security vulnerabilities within the common library software packages 110 to eliminate the security vulnerability alerts 122 in the identified application 108, and potentially in one or more other applications 108 that call the common library software packages 110; for common libraries, all direct and transitive dependencies should be upgraded to non-vulnerable versions; [0034] the software composition analysis system 124 can provide direction to the developer 104 regarding to which package version the vulnerable package should be upgraded); and remediate the vulnerable components with fixed versions of the vulnerable components to produce an updated build of the application ([0034] the software composition analysis system 124 can execute the vulnerability remediation module 146 to remediate known security vulnerabilities in the application 108; in some embodiments, the vulnerability remediation module 146 can be configured to prioritize vulnerability remediation within the common library software packages 110 over the developer software packages 106; in 
particular, the software composition analysis system 124 can execute the vulnerability remediation module 146 to fix all security vulnerabilities within the common library software packages 110 to eliminate the security vulnerability alerts 122 in the identified application 108, and potentially in one or more other applications 108 that call the common library software packages 110; for common libraries, all direct and transitive dependencies should be upgraded to non-vulnerable versions). Anwar does not explicitly teach identify[ing] vulnerable components within the SBOM that were used by the application during a runtime of the application; rank[ing] each of the vulnerable components based on its usage during the runtime of the application; and remediat[ing] in accordance with the ranking. However, Cheng teaches the concept of identify[ing] vulnerable components within an SBOM that were used by an application during a runtime of the application ([abstract] software components that are affected by a vulnerability are identified using information from a vulnerability alert; an overall risk score of the vulnerability is determined based at least on whether the vulnerability can be triggered, how the vulnerability affects the connected vehicle when the vulnerability is triggered, and an intrinsic risk posed by the vulnerability; remediation of the vulnerability is prioritized based at least on the overall risk score of the vulnerability; [col 3 line 36-61] software bill of materials collection process 251 includes identifying and listing the firmware (FIG. 2, 201), source code (FIG. 2, 202), and other software components of a connected vehicle (FIG. 2, 203); [col 6 line 7-18] impact analysis process 223 includes collecting metadata of software components (FIG. 6, 241) to determine if the vulnerability can be triggered (FIG. 6, 242); [col 6 line 19-32] metadata collection step (FIG. 
6, 241) may include obtaining executable metadata, system metadata, and I/O interface metadata; executable metadata may be used to determine if a vulnerable function or library is loaded during system startup or used in a running process); rank[ing] each of the vulnerable components based on its usage during the runtime of the application ([col 6 line 43-59] collected metadata may be consulted to determine if the vulnerability can be triggered; the collected metadata may be consulted to determine if the vulnerability affects a particular component or configurable option that is utilized during operation of the connected vehicle; [col 7 line 52-col 8 line 8] overall risk score of the vulnerability may be determined based at least on the threat score generated from the threat analysis process 222, the impact score generated from the impact analysis process 223, and the intrinsic score generated from the intrinsic risk analysis process 224 (FIG. 6, 248); [col 8 line 9-15] vulnerabilities may be prioritized based on their overall risk scores; the higher the overall risk score, the higher the priority to remediate the vulnerability); and remediat[ing] in accordance with the ranking ([col 8 line 9-15] the higher the overall risk score, the higher the priority to remediate the vulnerability; remediating the vulnerability may include updating or replacing the vulnerable software component, for example). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the ranked vulnerability priority teachings of Cheng with the vulnerability remediation system of Anwar in order to identify the most serious vulnerabilities potentially affecting a particular system to focus effort and cost on remediating these most serious vulnerabilities first, with the option of correcting minor issues and bugs later, thereby preventing widespread exploitation of the most dangerous and damaging vulnerabilities, resulting in an improvement to the security environment.

Regarding Claim 11: Anwar in view of Cheng teaches the TIAP system of claim 7. In addition, Anwar teaches wherein the plurality of components included in the SBOM comprises components that are not executed by the application and components that are executed by the application ([0031] dependency tree module 142 can analyze the application 108 to determine the dependencies among the software packages 106/110 utilized by the application 108; the dependencies can be direct or transitive; a direct dependency is an open source package (e.g., a common library software package 110) that is explicitly used by the developer 104; a transitive dependency is an open source package called by another open source package (e.g., one common library software package 110 that calls another common library software package 110) and is not explicitly used by the developer 104; [0032] vulnerability effectiveness module 144 can analyze the known security vulnerabilities data feed 126 and the composition of the application 108 to determine which security vulnerabilities are effective and which security vulnerabilities are ineffective; an effective security vulnerability includes vulnerable code that is executed by the application 108; an ineffective security vulnerability includes vulnerable code that is not executed by the application 108; this is referred to herein as the 
effectiveness of the vulnerability; the vulnerability effectiveness module 144 can share this effectiveness information with the dependency tree module 142).

Regarding Claims 18, 20: Anwar in view of Cheng teaches the method of claim 1 and the computer program product of claim 12. In addition, Anwar teaches wherein: the vulnerable components comprise vulnerable components that warrant alerts ([0026] from time-to-time, the developers 104 may receive one or more security vulnerability alerts 122 (hereinafter referred to collectively as “security vulnerability alerts 122” or individually as “security vulnerability alert 122”) from a software composition analysis system 124; moreover, the software composition analysis system 124 can execute, via one or more processors, a vulnerability identification module 132 to analyze the applications 108 to determine whether any of the developer software packages 106 and/or the common library software packages 110 (shown as “software packages 106/110”) contain any known security vulnerabilities identified in the security vulnerability data 130; in this manner, the developers 104 can be alerted only to the known security vulnerabilities that are applicable to the applications 108, i.e. “vulnerable components that warrant alerts”; [0034] vulnerability remediation module 146 can be configured to prioritize vulnerability remediation within the common library software packages 110 over the developer software packages 106).

Regarding Claim 19: Anwar in view of Parla teaches the TIAP system of claim 7, wherein: the vulnerable components comprise vulnerable components that warrant alerts ([0026] from time-to-time, the developers 104 may receive one or more security vulnerability alerts 122 (hereinafter referred to collectively as “security vulnerability alerts 122” or individually as “security vulnerability alert 122”) from a software composition analysis system 124; moreover, the software composition analysis system 124 can execute, via one or more processors, a vulnerability identification module 132 to analyze the applications 108 to determine whether any of the developer software packages 106 and/or the common library software packages 110 (shown as “software packages 106/110”) contain any known security vulnerabilities identified in the security vulnerability data 130; in this manner, the developers 104 can be alerted only to the known security vulnerabilities that are applicable to the applications 108, i.e. “vulnerable components that warrant alerts”; [0034] vulnerability remediation module 146 can be configured to prioritize vulnerability remediation within the common library software packages 110 over the developer software packages 106).

Claim(s) 3-4, 8-9, 14-15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Anwar in view of Cheng, and further in view of Miliefsky (PGPUB 2007/0192867).

Regarding Claims 3 and 14: Anwar in view of Cheng teaches the method of claim 2 and the computer program product of claim 13. Neither Anwar nor Cheng explicitly teaches wherein the executable portion is further configured to: generate, at the TIAP portal, update commands that replace respective vulnerable component with the fixed versions; and update, at the TIAP portal, the vulnerable components by executing the update commands.
However, Miliefsky teaches the concept wherein an executable portion is configured to: generate, at a TIAP portal, update commands that replace respective vulnerable component with fixed versions ([0068] system may create secure SSL on-demand client-server communication interfaces between the SYSTRAY application running on client systems with one or more server `threads` running on the Anti-hacker Proactive Network Security system on a per network-based asset basis, and upon establishing a secure connection, obtain patch management links, instructions, modules, executable patches and security fixes; system may allow for executing links, instructions, modules, executable patches and security fixes from the SYSTRAY client application for repair and remediation of CVE and related regulatory compliance weaknesses of each CVE that has been uncovered by the Anti-hacker Proactive Network Security system for said network-based asset, on a per IP address basis; [0083] engine is a common vulnerabilities and remediation engine; this engine will allow for both automated and on-demand methods of remediating security vulnerabilities that have been found on assets in the network; this will include scripts and macros (i.e. “commands”) and other similar methods used to remove vulnerabilities from the network); and update, at the TIAP portal, the vulnerable components by executing the update commands ([0083] Workflow component of the CVE-REMEDY system enables end users to accept CVE repairs and if a client or agent exists on the network asset that contains a CVE, a connection is made to the client to initiate a patch or system reconfiguration and resolve the CVE). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the update commands teachings of Miliefsky with the vulnerability remediation system of Anwar in view of Cheng. As evidenced by Anwar, e.g. 
[0037], computers function through use of computer-readable instructions included on a computer storage media. A person of ordinary skill in the art would therefore be motivated to use commands/instructions to implement systems for automatically remediating software vulnerabilities.

Regarding Claims 4 and 15: Anwar in view of Cheng and Miliefsky teaches the method of claim 3 and the computer program product of claim 14. In addition, Miliefsky teaches wherein the executable portion is further configured to: generate, at the TIAP portal, a script that consolidates the update commands ([0068] system may create secure SSL on-demand client-server communication interfaces between the SYSTRAY application running on client systems with one or more server `threads` running on the Anti-hacker Proactive Network Security system on a per network-based asset basis, and upon establishing a secure connection, obtain patch management links, instructions, modules, executable patches and security fixes; system may allow for executing links, instructions, modules, executable patches and security fixes from the SYSTRAY client application for repair and remediation of CVE and related regulatory compliance weaknesses of each CVE that has been uncovered by the Anti-hacker Proactive Network Security system for said network-based asset, on a per IP address basis; [0083] engine is a common vulnerabilities and remediation engine; this engine will allow for both automated and on-demand methods of remediating security vulnerabilities that have been found on assets in the network; this will include scripts and macros and other similar methods used to remove vulnerabilities from the network); and execute, at the TIAP portal, the script to update the vulnerable components that have the fixed versions available (Workflow component of the CVE-REMEDY system enables end users to accept CVE repairs and if a client or agent exists on the network asset that contains a CVE, a connection is made to the 
client to initiate a patch or system reconfiguration and resolve the CVE). The rationale to combine Anwar and Miliefsky is the same as provided for claims 3 and 14 due to the overlapping subject matter between claims 3 and 4, 14 and 15. Regarding Claim 8: Anwar in view of Parla teaches the TIAP system of claim 7. Neither Anwar nor Parla explicitly teaches wherein the remediation service is further operable to: generate, at the TIAP portal, update commands that replace the vulnerable components with the fixed versions; and update, at the TIAP portal, the vulnerable components by executing the update commands. However, Miliefsky teaches the concept wherein a remediation service is operable to: generate, at a TIAP portal, update commands that replace vulnerable components with fixed versions ([0068] system may create secure SSL on-demand client-server communication interfaces between the SYSTRAY application running on client systems with one or more server `threads` running on the Anti-hacker Proactive Network Security system on a per network-based asset basis, and upon establishing a secure connection, obtain patch management links, instructions, modules, executable patches and security fixes; system may allow for executing links, instructions, modules, executable patches and security fixes from the SYSTRAY client application for repair and remediation of CVE and related regulatory compliance weaknesses of each CVE that has been uncovered by the Anti-hacker Proactive Network Security system for said network-based asset, on a per IP address basis; [0083] engine is a common vulnerabilities and remediation engine; this engine will allow for both automated and on-demand methods of remediating security vulnerabilities that have been found on assets in the network; this will include scripts and macros (i.e. 
“commands”) and other similar methods used to remove vulnerabilities from the network); and update, at the TIAP portal, the vulnerable components by executing the update commands ([0083] Workflow component of the CVE-REMEDY system enables end users to accept CVE repairs and if a client or agent exists on the network asset that contains a CVE, a connection is made to the client to initiate a patch or system reconfiguration and resolve the CVE). It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the update commands teachings of Miliefsky with the vulnerability remediation system of Anwar in view of Cheng. As evidenced by Anwar, e.g. [0037], computers function through use of computer-readable instructions included on a computer storage media. A person of ordinary skill in the art would therefore be motivated to use commands/instructions to implement systems for automatically remediating software vulnerabilities. Regarding Claim 9: Anwar in view of Parla and Miliefsky teaches the TIAP system of claim 8. 
In addition, Miliefsky teaches wherein the remediation service is operative to: generate, at the TIAP portal, a script that consolidates the update commands ([0068] system may create secure SSL on-demand client-server communication interfaces between the SYSTRAY application running on client systems with one or more server `threads` running on the Anti-hacker Proactive Network Security system on a per network-based asset basis, and upon establishing a secure connection, obtain patch management links, instructions, modules, executable patches and security fixes; system may allow for executing links, instructions, modules, executable patches and security fixes from the SYSTRAY client application for repair and remediation of CVE and related regulatory compliance weaknesses of each CVE that has been uncovered by the Anti-hacker Proactive Network Security system for said network-based asset, on a per IP address basis; [0083] engine is a common vulnerabilities and remediation engine; this engine will allow for both automated and on-demand methods of remediating security vulnerabilities that have been found on assets in the network; this will include scripts and macros and other similar methods used to remove vulnerabilities from the network); and execute, at the TIAP portal, the script to update the vulnerable components that have the fixed versions available (Workflow component of the CVE-REMEDY system enables end users to accept CVE repairs and if a client or agent exists on the network asset that contains a CVE, a connection is made to the client to initiate a patch or system reconfiguration and resolve the CVE). The rationale to combine Anwar and Miliefsky is the same as provided for claim 8 due to the overlapping subject matter between claims 8 and 9. Claim(s) 5, 10, 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Anwar in view of Cheng, and further in view of Manuel-Devadoss (PGPUB 2024/0193277). 
Regarding Claims 5 and 16: Anwar in view of Cheng teaches the method of claim 1 and the computer program product of claim 12. Neither Anwar nor Cheng explicitly teaches wherein the executable portion is further configured to: after remediating the vulnerable components, execute, at the TIAP portal, a CVE analysis on the updated build of the application; and verifying, at the TIAP portal, that no CVEs exist in the updated build of the application. However, Manuel-Devadoss teaches the concept wherein an executable portion is configured to: after remediating vulnerable components, execute, at a TIAP portal, a CVE analysis on an updated build of an application ([0023] the patch management system (PMS) 100 may then run/execute/install the approved patches (that were selected and approved by the stakeholders/users) against lower-level environments for testing purposes; thus, only user selected and approved patches are installed; the lower-level environments are then scanned for vulnerabilities to verify that the vulnerabilities have been resolved by the patches); and verifying, at the TIAP portal, that no CVEs exist in the updated build of the application ([0023] the lower-level environments are then scanned for vulnerabilities to verify that the vulnerabilities have been resolved by the patches). It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the post-remediation vulnerability assessment teachings of Manuel-Devadoss with the vulnerability remediation system of Anwar in view of Cheng, in order to fully secure the application by ensuring that no security vulnerabilities remain in the application or its components following a remediation process, thereby improving the security environment. Regarding Claim 10: Anwar in view of Cheng teaches the TIAP system of claim 7. 
Neither Anwar nor Cheng explicitly teaches the system further comprising: after remediating the vulnerable components, executing a CVE analysis on the updated build of the application; and verifying, at the TIAP portal, that no CVEs exist in the updated build of the application. However, Manuel-Devadoss teaches the concept, after remediating vulnerable components, executing a CVE analysis on an updated build of an application ([0023] the patch management system (PMS) 100 may then run/execute/install the approved patches (that were selected and approved by the stakeholders/users) against lower-level environments for testing purposes; thus, only user selected and approved patches are installed; the lower-level environments are then scanned for vulnerabilities to verify that the vulnerabilities have been resolved by the patches); and verifying, at a TIAP portal, that no CVEs exist in the updated build of the application ([0023] the lower-level environments are then scanned for vulnerabilities to verify that the vulnerabilities have been resolved by the patches). It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the post-remediation vulnerability assessment teachings of Manuel-Devadoss with the vulnerability remediation system of Anwar in view of Cheng, in order to fully secure the application by ensuring that no security vulnerabilities remain in the application or its components following a remediation process, thereby improving the security environment. Response to Arguments Applicant's arguments filed 4/24/2026 have been fully considered but they are not persuasive. Regarding the claim objections: Applicant’s amendments have overcome the previous claim objections, which are therefore withdrawn. Regarding the rejection of claims under 35 USC 112: Applicant’s amendments have overcome the previous rejection under 35 USC 112, which is therefore withdrawn. 
Regarding the rejection of claims under 35 USC 102/103: Examiner’s response to Applicant’s arguments, pages 10-11: The only element(s) missing from Anwar are identifying vulnerable components within the SBOM that were used by the application during a runtime of the application; ranking each of the vulnerable components based on its usage during the runtime of the application; and remediating in accordance with the ranking, in claims 1, 7, and 12 as amended (italics for emphasis). However, a new ground(s) for rejection is provided above which does teach this amended subject matter. Applicant further argues that the dependent claims are allowable due to depending on an allowable independent claim. However, as shown above, the independent claims are not allowable. Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to FORREST L CAREY whose telephone number is (571)270-7814. The examiner can normally be reached 9:00AM-5:30PM M-F. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, William Korzuch can be reached at (571) 272-7589. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. 
Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /FORREST L CAREY/Examiner, Art Unit 2491 /WILLIAM R KORZUCH/Supervisory Patent Examiner, Art Unit 2491
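The claim elements the office action walks through (identify vulnerable SBOM components used at runtime, rank by runtime usage, generate update commands, consolidate them into a script, execute, then re-run a CVE analysis and verify nothing remains) describe a pipeline a practitioner can implement directly. The following is an added example written for this page; it is not code from the application, from Deepfactor, or from any cited reference. The SBOM, advisory identifiers (EXAMPLE-000x), fixed versions and runtime load counts are constructed, the "affected if below the fixed version" rule and the dotted-numeric version parser are simplifying assumptions, and executing the generated script is simulated by rewriting pinned versions so the example runs offline.

```python
"""Added example: SBOM-driven CVE remediation ranked by runtime usage,
with a post-remediation re-scan. All data below is constructed."""
import json
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed CycloneDX-style SBOM (only the fields the example needs).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "lodash",   "version": "4.17.15", "purl": "pkg:npm/lodash@4.17.15"},
        {"name": "minimist", "version": "1.2.0",   "purl": "pkg:npm/minimist@1.2.0"},
        {"name": "left-pad", "version": "1.3.0",   "purl": "pkg:npm/left-pad@1.3.0"},
        {"name": "requests", "version": "2.19.0",  "purl": "pkg:pypi/requests@2.19.0"},
        {"name": "express",  "version": "4.18.2",  "purl": "pkg:npm/express@4.18.2"},
    ],
})

# Constructed advisory feed: name -> [(advisory id, first fixed version)].
# Assumption: every version below the fixed version is affected; None means
# the advisory has no released fix (placeholder ids, not real CVEs).
VULN_DB = {
    "lodash":   [("EXAMPLE-0001", "4.17.21")],
    "minimist": [("EXAMPLE-0002", None)],
    "left-pad": [("EXAMPLE-0003", "1.3.1")],
    "requests": [("EXAMPLE-0004", "2.20.0")],
}

# Constructed runtime telemetry: module load counts seen by an agent during
# one run. left-pad is in the SBOM but was never loaded.
RUNTIME_USAGE = {"lodash": 1200, "minimist": 3, "requests": 450, "express": 900}


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    purl: str


@dataclass(frozen=True)
class Finding:
    component: Component
    advisory: str
    fixed: Optional[str]   # None: no fixed version available
    usage: int             # runtime load count, 0 = not used at runtime


def parse_version(v: str) -> tuple:
    """Assumption: plain dotted numeric versions, no pre-release suffixes."""
    return tuple(int(p) for p in v.split("."))


def parse_sbom(sbom_json: str) -> list:
    doc = json.loads(sbom_json)
    return [Component(c["name"], c["version"], c["purl"]) for c in doc["components"]]


def scan(components, vuln_db, usage) -> list:
    """CVE analysis: one Finding per advisory whose fix is above the installed version."""
    out = []
    for c in components:
        for advisory, fixed in vuln_db.get(c.name, []):
            if fixed is None or parse_version(c.version) < parse_version(fixed):
                out.append(Finding(c, advisory, fixed, usage.get(c.name, 0)))
    return out


def rank_by_runtime_usage(findings) -> list:
    """Keep only components actually loaded at runtime, most-used first."""
    return sorted((f for f in findings if f.usage > 0), key=lambda f: f.usage, reverse=True)


def update_command(f: Finding) -> str:
    """Ecosystem-specific pin-to-fixed-version command, chosen from the purl type."""
    ecosystem = f.component.purl.split(":", 1)[1].split("/", 1)[0]
    if ecosystem == "npm":
        return "npm install --save-exact " + shlex.quote(f"{f.component.name}@{f.fixed}")
    if ecosystem == "pypi":
        return "pip install " + shlex.quote(f"{f.component.name}=={f.fixed}")
    raise ValueError(f"unsupported ecosystem {ecosystem!r}")


def plan_updates(ranked) -> list:
    """Only findings with a fixed version available become update commands."""
    return [(f, update_command(f)) for f in ranked if f.fixed is not None]


def consolidate_script(plan) -> str:
    """One shell script in rank order; set -e stops on the first failed install."""
    lines = ["#!/usr/bin/env bash", "set -euo pipefail"]
    lines += [f"{cmd}  # {f.advisory}, usage={f.usage}" for f, cmd in plan]
    return "\n".join(lines) + "\n"


def apply_updates(components, plan) -> list:
    """Simulates running the script by rewriting pinned versions in the SBOM."""
    new_version = {f.component.name: f.fixed for f, _ in plan}
    updated = []
    for c in components:
        v = new_version.get(c.name, c.version)
        updated.append(Component(c.name, v, c.purl.rsplit("@", 1)[0] + "@" + v))
    return updated


def remediate(sbom_json, vuln_db, usage) -> dict:
    """Full pipeline. 'remaining' re-scans the whole updated build, not just patched items."""
    components = parse_sbom(sbom_json)
    ranked = rank_by_runtime_usage(scan(components, vuln_db, usage))
    plan = plan_updates(ranked)
    updated = apply_updates(components, plan)
    remaining = scan(updated, vuln_db, usage)
    return {
        "ranked": [f.component.name for f in ranked],
        "script": consolidate_script(plan),
        "updated": updated,
        "remaining": [(f.component.name, f.advisory) for f in remaining],
        "clean": not remaining,
    }


if __name__ == "__main__":
    result = remediate(SBOM_JSON, VULN_DB, RUNTIME_USAGE)
    print(result["script"])
    print("remaining after remediation:", result["remaining"], "clean:", result["clean"])
```

Two things the re-scan makes visible that the ranking step alone hides: a component that is vulnerable but never loaded at runtime (left-pad here) is deprioritized by the usage ranking and therefore still shows up in the post-remediation CVE analysis, and a component with no fixed version available (minimist here) cannot be turned into an update command at all. A verification step that only re-checks the components it patched would report "clean" in both cases; scanning the full updated build is what makes the "no CVEs exist" check meaningful.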

Prosecution Timeline

Jul 02, 2025: Non-Final Rejection mailed (§102, §103)
Oct 01, 2025: Applicant Interview (Telephonic)
Oct 01, 2025: Examiner Interview Summary
Oct 01, 2025: Response Filed
Jan 28, 2026: Final Rejection mailed (§102, §103)
Apr 24, 2026: Request for Continued Examination
May 03, 2026: Response after Non-Final Action
May 13, 2026: Non-Final Rejection mailed (§102, §103) (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12625932: IDENTITY AUTHENTICATION USING BIOMETRICS (4y 1m to grant; granted May 12, 2026)
Patent 12625979: ENFORCEMENT OF AUTHORIZATION RULES ACROSS DATA ENVIRONMENTS (4y 0m to grant; granted May 12, 2026)
Patent 12626000: ADVANCED POLICY ATTRIBUTE DERIVATION FOR DATA MANAGEMENT USING CONTENT-BASED DATASETS (3y 6m to grant; granted May 12, 2026)
Patent 12621298: SECURE HYBRID DATA TRANSFER THROUGH CONNECTION AND REQUEST DIRECTION DECOUPLING (3y 6m to grant; granted May 05, 2026)
Patent 12609839: PEER-TO-PEER UPDATING OF OFFLINE DEVICES (3y 2m to grant; granted Apr 21, 2026)


Prosecution Projections

Expected OA Rounds: 4-5
Grant Probability: 56%
With Interview: 99% (+54.3%)
Median Time to Grant: 3y 7m (~1y 4m remaining)
PTA Risk: High
Based on 260 resolved cases by this examiner. Grant probability derived from career allowance rate.
