Prosecution Insights
Last updated: April 19, 2026
Application No. 18/442,325

SYSTEMS, METHODS, AND COMPUTER READABLE MEDIA FOR REMEDIATING SECURITY VULNERABILITIES

Status: Final Rejection (§102, §103, §112)
Filed: Feb 15, 2024
Examiner: CAREY, FORREST L
Art Unit: 2491
Tech Center: 2400 (Computer Networks)
Assignee: Deepfactor LLC
OA Round: 2 (Final)
Grant Probability: 56% (Moderate)
OA Rounds: 3-4
To Grant: 3y 9m
With Interview: 99%

Examiner Intelligence

Career Allow Rate: 56% (grants 56% of resolved cases; 142 granted / 256 resolved; -2.5% vs TC avg)
Interview Lift: +54.4% (resolved cases with interview vs. without)
Avg Prosecution: 3y 9m (typical timeline); 31 currently pending
Total Applications: 287 across all art units (career history)

Statute-Specific Performance

§101: 8.8% (-31.2% vs TC avg)
§103: 59.7% (+19.7% vs TC avg)
§102: 14.3% (-25.7% vs TC avg)
§112: 12.8% (-27.2% vs TC avg)
Tech Center averages are estimates. Based on career data from 256 resolved cases.

Office Action

§102 §103 §112
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Status of Claims

Claims 1-17 are pending.

Claim Objections

Claims 5-6, 10-11, and 16-17 are objected to because of the following informalities: Each of claims 5, 10, 16 contains the phrase “that that” in the last limitation of the claim. Each of claims 6, 11, and 17 contains the phrase “that are that are not executed”. Appropriate correction is required.

Claim Rejections - 35 USC § 112

The following is a quotation of the first paragraph of 35 U.S.C. 112(a):

(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:

The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.

Claim 1 recites the following: “wherein only vulnerable components that are executed by the application are remediated”. Examiner cannot find this subject matter in the specification and claims as originally filed. The nearest subject matter from the specification can be found in, e.g. [0154], “Remediation service 770 can locate updated versions of the components found to be vulnerable or categorized as having a priority alert and package the updated versions into a script that can be downloaded and run so that the user can update all the vulnerable components, priority alert components, or combination thereof”. However, examiner can find no disclosure of remediating only vulnerable components that are executed by the application. The vulnerable components discussed in [0154] appear to be all vulnerable components, not merely the executed ones. Therefore, claim 1 lacks written description. None of claims 2-6, depending therefrom, fix this and are therefore rejected for the same reasons. Claims 7 and 12 contain corresponding subject matter to claim 1, and are therefore rejected for corresponding reasons, as well as the respective claims depending therefrom.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-2, 6-7, 11-13, 17-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Anwar et al (PGPUB 2022/0083667), and further in view of Parla et al (PGPUB 2024/0031394).

Regarding Claims 1 and 12: Anwar teaches a method for operating a telemetry interception and analysis platform (TIAP) system and a computer program product comprising at least one non-transitory computer-readable storage medium having computer-readable program code portions stored therein, the computer-readable program code portions comprising an executable portion configured to ([abstract] software composition analysis system can obtain, from a vulnerability database, security vulnerability data about a set of known security vulnerabilities; the software composition analysis system can identify an application for analysis; the application can call a common library shared among a plurality of applications; the software composition analysis system can identify, based upon the set of known security vulnerabilities, a security vulnerability in the common library; the software composition analysis system can remediate the security vulnerability in the common library; [0007] implemented as a computer-controlled apparatus, a computer process, a computing system, or as an article of manufacture such as a computer-readable storage medium): generate, on a server comprising a database and a processor ([0029]-[0030] software composition analysis system 124 can be implemented as a computing system or device, such as, for example, a desktop, laptop, or tablet; in particular, the software composition analysis system 124 can be configured the same as or similar to the computer system 400; the software composition analysis system 124 can be implemented as part of the application development systems 102; [0049] computer system 400 includes a processing unit 402; [0024] library database 112 can be external to or part of the application development systems 102), a software bill of materials (SBOM) used by an application being executed on a customer computer system, the SBOM comprising a plurality of components ([0030]-[0031] software composition analysis system 124 includes, in addition to the vulnerability identification module 132 and the API(s) 140, a dependency tree module 142, a vulnerability effectiveness module 144, and a vulnerability remediation module 146; dependency tree module 142 can analyze the application 108 to determine the dependencies among the software packages 106/110 utilized by the application 108; the dependencies can be direct or transitive; a direct dependency is an open source package (e.g., a common library software package 110) that is explicitly used by the developer 104; a transitive dependency is an open source package called by another open source package (e.g., one common library software package 110 that calls another common library software package 110) and is not explicitly used by the developer 104; the dependency tree module 142 can utilize this dependency information to create an application dependency tree); execute, on the server, a TIAP portal comprising a common vulnerabilities and exposures (CVE) service operative to receive CVEs from at least one CVE source ([0026]-[0028] security vulnerability alerts 122 can be generated by the software composition analysis system 124 based upon a known security vulnerabilities data feed 126 received from a security vulnerability database 128 that maintains security vulnerability data 130 about known security vulnerabilities; security vulnerability database 128 obtains and maintains the security vulnerability data 130; in some embodiments, the security vulnerability database 128 includes the Common Vulnerabilities and Exposures (“CVE”) dictionary (also referred to as a “list”) or otherwise provides access thereto; the CVE dictionary provides definitions for publicly disclosed security vulnerabilities and exposures; the vulnerability identification module 132 can call one or more application programming interfaces (“APIs”) 140 that are exposed by the security vulnerability database 128 to subscribe to or otherwise obtain the known security vulnerabilities data feed 126); receive, at the TIAP portal, vulnerabilities from the at least one CVE source ([0028] the vulnerability identification module 132 can call one or more application programming interfaces (“APIs”) 140 that are exposed by the security vulnerability database 128 to subscribe to or otherwise obtain the known security vulnerabilities data feed 126); identify, at the TIAP portal, vulnerable components within the SBOM ([0032] vulnerability effectiveness module 144 can analyze the known security vulnerabilities data feed 126 and the composition of the application 108 to determine which security vulnerabilities are effective and which security vulnerabilities are ineffective; an effective security vulnerability includes vulnerable code that is executed by the application 108; an ineffective security vulnerability includes vulnerable code that is not executed by the application 108; this is referred to herein as the effectiveness of the vulnerability; the vulnerability effectiveness module 144 can share this effectiveness information with the dependency tree module 142); and remediate, at the TIAP portal, the vulnerable components with fixed versions of the vulnerable components to produce an updated build of the application ([0034] the software composition analysis system 124 can execute the vulnerability remediation module 146 to remediate known security vulnerabilities in the application 108; in some embodiments, the vulnerability remediation module 146 can be configured to prioritize vulnerability remediation within the common library software packages 110 over the developer software packages 106; in particular, the software composition analysis system 124 can execute the vulnerability remediation module 146 to fix all security vulnerabilities within the common library software packages 110 to eliminate the security vulnerability alerts 122 in the identified application 108, and potentially in one or more other applications 108 that call the common library software packages 110; for common libraries, all direct and transitive dependencies should be upgraded to non-vulnerable versions). Anwar does not explicitly teach wherein only vulnerable components that are executed by the application are remediated. However, Parla teaches the concept wherein only vulnerable components that are executed by the application are remediated ([abstract] determining a learned control flow directed graph for a process executed on the computing system; a vulnerability may be determined or identified within the process as well as a software bill of materials for the process; a code portion of the process associated with the vulnerability is determined based on the software bill of materials; a tainted control flow directed graph is generated based on the code portion and excluded from the learned control flow directed graph; the adjusted control flow directed graph may be used to prevent execution of the vulnerability; [0042] a control flow directed graph (CFDG), sometimes referred to herein as a control flow diagram, is a representation, using graph notation, of control flow, i.e., execution, paths that may be traversed through an application during execution of the application; in a control flow graph, each node in the graph corresponds to a basic block; a basic block is a sequence of instructions where control enters at the beginning of the sequence; [0086] the observed code that is part of the learned CFDG and safe neighbors of the observed code may be allowed to execute; in some examples, a software bill of materials analysis may be used to identify the safe neighbors; when a vulnerability is found in the code analysis of the software bill of materials, then it can be excluded from the learned CFDG (e.g., subtracting the portion of the CFDG related to the vulnerability); the software bill of materials can be updated via a cloud service in some examples such that the software bill of materials is up to date with the code of the application or workload; mapping from the software bill of materials to the binary image may be used to identify suspect chunks of code in a way that can be correlated to the CFDG; a tainted CFDG can be dynamically generated from the binary code using the running binary image of the vulnerable fragments of the code; the tainted CFDG can be subtracted from the learned CFDG to prevent execution of the vulnerable elements until the code is patched and the software bill of materials is updated). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the remediating only executed components teachings of Parla with the vulnerability remediation system of Anwar, in order to further improve remediation efficiency by limiting vulnerability remediation to specific code segments in danger of being executed by an application, thereby reducing development time and overhead, and improving the security environment by focusing on targeted high-risk vulnerabilities.

Regarding Claims 2 and 13: Anwar in view of Parla teaches the method of claim 1 and the computer program product of claim 12. In addition, Anwar teaches wherein the computer-readable program code portions comprise the executable portion configured to: identify, at the TIAP portal, fixed versions for the vulnerable components ([0034] the software composition analysis system 124 can provide direction to the developer 104 regarding to which package version the vulnerable package should be upgraded).

Regarding Claims 6 and 17: Anwar in view of Parla teaches the method of claim 1 and the computer program product of claim 12. In addition, Anwar teaches wherein the plurality of components included in the SBOM comprises components that are that are not executed by the application and components that are executed by the application ([0031] dependency tree module 142 can analyze the application 108 to determine the dependencies among the software packages 106/110 utilized by the application 108; the dependencies can be direct or transitive; a direct dependency is an open source package (e.g., a common library software package 110) that is explicitly used by the developer 104; a transitive dependency is an open source package called by another open source package (e.g., one common library software package 110 that calls another common library software package 110) and is not explicitly used by the developer 104; [0032] vulnerability effectiveness module 144 can analyze the known security vulnerabilities data feed 126 and the composition of the application 108 to determine which security vulnerabilities are effective and which security vulnerabilities are ineffective; an effective security vulnerability includes vulnerable code that is executed by the application 108; an ineffective security vulnerability includes vulnerable code that is not executed by the application 108; this is referred to herein as the effectiveness of the vulnerability; the vulnerability effectiveness module 144 can share this effectiveness information with the dependency tree module 142).
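As an added illustration that is not part of the office action, the application, or either cited reference, the following Python example runs the pipeline the claims recite on constructed data: it matches a CVE feed against an SBOM, separates executed (effective) from non-executed (ineffective) vulnerable components as Anwar's vulnerability effectiveness module does, remediates only the executed ones with the prioritized subset first, and consolidates the update commands into one script as in claims 3-4. The SBOM, the CVE ids, the runtime telemetry, the severity-based alert rule and the pip-style commands are all assumptions made for the example.

```python
"""Constructed example of the remediation pipeline the claims describe:
SBOM + CVE feed -> vulnerable components -> keep only those the application
executed -> prioritized ordering -> update commands consolidated into a script.
Added illustration; not the applicant's or the cited references' code.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Constructed SBOM (component name -> installed version). Not a real application.
SBOM: Dict[str, str] = {
    "libalpha": "1.2.0",
    "libbeta": "3.0.1",
    "libgamma": "0.9.4",
    "libdelta": "2.5.0",
}

# Constructed CVE-style records with placeholder ids (not real CVEs).
# "fixed_in" is the first non-vulnerable version; everything below it is vulnerable.
CVE_FEED: List[dict] = [
    {"id": "CVE-0000-0001", "component": "libalpha", "fixed_in": "1.2.3", "severity": "critical"},
    {"id": "CVE-0000-0002", "component": "libgamma", "fixed_in": "1.0.0", "severity": "medium"},
    {"id": "CVE-0000-0003", "component": "libdelta", "fixed_in": "2.6.0", "severity": "high"},
    {"id": "CVE-0000-0004", "component": "libbeta", "fixed_in": "3.0.0", "severity": "high"},
]

# Constructed runtime telemetry: components the application actually executed.
EXECUTED: Set[str] = {"libalpha", "libbeta", "libgamma"}

# Severities that warrant an alert (the "prioritized" subset); an assumption.
ALERT_SEVERITIES = ("critical", "high")
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric versions only; real ecosystems need their own comparators."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Finding:
    cve_id: str
    component: str
    installed: str
    fixed_in: str
    severity: str
    executed: bool  # effective (executed) vs ineffective (never executed)


def identify_vulnerable(sbom: Dict[str, str], feed: Iterable[dict],
                        executed: Set[str]) -> List[Finding]:
    """Match CVE records against the SBOM and tag each hit with runtime evidence."""
    findings = []
    for rec in feed:
        comp = rec["component"]
        if comp not in sbom:
            continue  # CVE is for a component this application does not ship
        installed = sbom[comp]
        if parse_version(installed) < parse_version(rec["fixed_in"]):
            findings.append(Finding(rec["id"], comp, installed, rec["fixed_in"],
                                    rec["severity"], comp in executed))
    return findings


def split_by_execution(findings: List[Finding]) -> Tuple[List[Finding], List[Finding]]:
    """Effective findings are remediated; ineffective ones are reported only."""
    effective = [f for f in findings if f.executed]
    ineffective = [f for f in findings if not f.executed]
    return effective, ineffective


def remediation_plan(findings: List[Finding]) -> Dict[str, str]:
    """Component -> target version, for executed vulnerable components only,
    with alert-worthy (prioritized) components ordered first."""
    effective, _ = split_by_execution(findings)
    prioritized = sorted((f for f in effective if f.severity in ALERT_SEVERITIES),
                         key=lambda f: SEVERITY_RANK[f.severity])
    remaining = [f for f in effective if f.severity not in ALERT_SEVERITIES]
    plan: Dict[str, str] = {}
    for f in prioritized + remaining:
        # Several CVEs may hit one component; upgrade to the highest fix version.
        if f.component not in plan or parse_version(f.fixed_in) > parse_version(plan[f.component]):
            plan[f.component] = f.fixed_in
    return plan


def update_commands(plan: Dict[str, str]) -> List[str]:
    """One pinned-upgrade command per component (pip syntax assumed for illustration)."""
    return [f"pip install {comp}=={ver}" for comp, ver in plan.items()]


def consolidate_script(commands: List[str]) -> str:
    """Wrap the commands in a single shell script that stops at the first failure."""
    return "\n".join(["#!/bin/sh", "set -e", *commands]) + "\n"


if __name__ == "__main__":
    found = identify_vulnerable(SBOM, CVE_FEED, EXECUTED)
    effective, ineffective = split_by_execution(found)
    print("effective:", [f.cve_id for f in effective])
    print("ineffective (not executed, reported only):", [f.cve_id for f in ineffective])
    print(consolidate_script(update_commands(remediation_plan(found))))
```

On the constructed data, libdelta is vulnerable but never executed, so it is reported and left out of the script; libbeta is already at a fixed version and produces no finding.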
Regarding Claim 7: Anwar teaches a telemetry interception and analysis platform (TIAP) system ([abstract] software composition analysis system can obtain, from a vulnerability database, security vulnerability data about a set of known security vulnerabilities; the software composition analysis system can identify an application for analysis), comprising: a server comprising a database and a hardware processor to run a TIAP portal comprising an event service operative to receive telemetry events from a TIAP runtime being executed on a customer computer system in conjunction with an application being executed on the customer computer system ([0029]-[0030] software composition analysis system 124 can be implemented as a computing system or device, such as, for example, a desktop, laptop, or tablet; in particular, the software composition analysis system 124 can be configured the same as or similar to the computer system 400; the software composition analysis system 124 can be implemented as part of the application development systems 102; [0049] computer system 400 includes a processing unit 402; [0024] library database 112 can be external to or part of the application development systems 102), wherein the TIAP portal comprises a common vulnerability and exposure (CVE) service operative to receive a plurality of CVEs, wherein the plurality of CVEs are stored in the database ([0026]-[0028] security vulnerability alerts 122 can be generated by the software composition analysis system 124 based upon a known security vulnerabilities data feed 126 received from a security vulnerability database 128 that maintains security vulnerability data 130 about known security vulnerabilities; security vulnerability database 128 obtains and maintains the security vulnerability data 130; in some embodiments, the security vulnerability database 128 includes the Common Vulnerabilities and Exposures (“CVE”) dictionary (also referred to as a “list”) or otherwise provides access thereto; the CVE dictionary provides definitions for publicly disclosed security vulnerabilities and exposures; the vulnerability identification module 132 can call one or more application programming interfaces (“APIs”) 140 that are exposed by the security vulnerability database 128 to subscribe to or otherwise obtain the known security vulnerabilities data feed 126), wherein the TIAP portal comprises a software bill of materials (SBOM) service to: generate a SBOM used by the application being executed on the customer computer system, the SBOM comprising a plurality of components ([0030]-[0031] software composition analysis system 124 includes, in addition to the vulnerability identification module 132 and the API(s) 140, a dependency tree module 142, a vulnerability effectiveness module 144, and a vulnerability remediation module 146; dependency tree module 142 can analyze the application 108 to determine the dependencies among the software packages 106/110 utilized by the application 108; the dependencies can be direct or transitive; a direct dependency is an open source package (e.g., a common library software package 110) that is explicitly used by the developer 104; a transitive dependency is an open source package called by another open source package (e.g., one common library software package 110 that calls another common library software package 110) and is not explicitly used by the developer 104; the dependency tree module 142 can utilize this dependency information to create an application dependency tree); and identify at least one component that is associated with one or more vulnerabilities ([0032] vulnerability effectiveness module 144 can analyze the known security vulnerabilities data feed 126 and the composition of the application 108 to determine which security vulnerabilities are effective and which security vulnerabilities are ineffective; an effective security vulnerability includes vulnerable code that is executed by the application 108; an ineffective security vulnerability includes vulnerable code that is not executed by the application 108; this is referred to herein as the effectiveness of the vulnerability; the vulnerability effectiveness module 144 can share this effectiveness information with the dependency tree module 142); wherein the TIAP portal comprises a remediation service to: identify vulnerable components that have fixed equivalents ([0034] the software composition analysis system 124 can execute the vulnerability remediation module 146 to remediate known security vulnerabilities in the application 108; in some embodiments, the vulnerability remediation module 146 can be configured to prioritize vulnerability remediation within the common library software packages 110 over the developer software packages 106; in particular, the software composition analysis system 124 can execute the vulnerability remediation module 146 to fix all security vulnerabilities within the common library software packages 110 to eliminate the security vulnerability alerts 122 in the identified application 108, and potentially in one or more other applications 108 that call the common library software packages 110; for common libraries, all direct and transitive dependencies should be upgraded to non-vulnerable versions; [0034] the software composition analysis system 124 can provide direction to the developer 104 regarding to which package version the vulnerable package should be upgraded); and remediate the identified vulnerable components with fixed versions of the vulnerable components to produce an updated build of the application ([0034] the software composition analysis system 124 can execute the vulnerability remediation module 146 to remediate known security vulnerabilities in the application 108; in some embodiments, the vulnerability remediation module 146 can be configured to prioritize vulnerability remediation within the common library software packages 110 over the developer software packages 106; in particular, the software composition analysis system 124 can execute the vulnerability remediation module 146 to fix all security vulnerabilities within the common library software packages 110 to eliminate the security vulnerability alerts 122 in the identified application 108, and potentially in one or more other applications 108 that call the common library software packages 110; for common libraries, all direct and transitive dependencies should be upgraded to non-vulnerable versions). Anwar does not explicitly teach wherein only vulnerable components that are executed by the application are remediated. However, Parla teaches the concept wherein only vulnerable components that are executed by the application are remediated ([abstract] determining a learned control flow directed graph for a process executed on the computing system; a vulnerability may be determined or identified within the process as well as a software bill of materials for the process; a code portion of the process associated with the vulnerability is determined based on the software bill of materials; a tainted control flow directed graph is generated based on the code portion and excluded from the learned control flow directed graph; the adjusted control flow directed graph may be used to prevent execution of the vulnerability; [0042] a control flow directed graph (CFDG), sometimes referred to herein as a control flow diagram, is a representation, using graph notation, of control flow, i.e., execution, paths that may be traversed through an application during execution of the application; in a control flow graph, each node in the graph corresponds to a basic block; a basic block is a sequence of instructions where control enters at the beginning of the sequence; [0086] the observed code that is part of the learned CFDG and safe neighbors of the observed code may be allowed to execute; in some examples, a software bill of materials analysis may be used to identify the safe neighbors; when a vulnerability is found in the code analysis of the software bill of materials, then it can be excluded from the learned CFDG (e.g., subtracting the portion of the CFDG related to the vulnerability); the software bill of materials can be updated via a cloud service in some examples such that the software bill of materials is up to date with the code of the application or workload; mapping from the software bill of materials to the binary image may be used to identify suspect chunks of code in a way that can be correlated to the CFDG; a tainted CFDG can be dynamically generated from the binary code using the running binary image of the vulnerable fragments of the code; the tainted CFDG can be subtracted from the learned CFDG to prevent execution of the vulnerable elements until the code is patched and the software bill of materials is updated). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the remediating only executed components teachings of Parla with the vulnerability remediation system of Anwar, in order to further improve remediation efficiency by limiting vulnerability remediation to specific code segments in danger of being executed by an application, thereby reducing development time and overhead, and improving the security environment by focusing on targeted high-risk vulnerabilities.

Regarding Claim 11: Anwar in view of Parla teaches the TIAP system of claim 7.
In addition, Anwar teaches wherein the plurality of components included in the SBOM comprises components that are that are not executed by the application and components that are executed by the application ([0031] dependency tree module 142 can analyze the application 108 to determine the dependencies among the software packages 106/110 utilized by the application 108; the dependencies can be direct or transitive; a direct dependency is an open source package (e.g., a common library software package 110) that is explicitly used by the developer 104; a transitive dependency is an open source package called by another open source package (e.g., one common library software package 110 that calls another common library software package 110) and is not explicitly used by the developer 104; [0032] vulnerability effectiveness module 144 can analyze the known security vulnerabilities data feed 126 and the composition of the application 108 to determine which security vulnerabilities are effective and which security vulnerabilities are ineffective; an effective security vulnerability includes vulnerable code that is executed by the application 108; an ineffective security vulnerability includes vulnerable code that is not executed by the application 108; this is referred to herein as the effectiveness of the vulnerability; the vulnerability effectiveness module 144 can share this effectiveness information with the dependency tree module 142).

Regarding Claims 18, 20: Anwar in view of Parla teaches the method of claim 1 and the computer program product of claim 12.
In addition, Anwar teaches wherein: a subset of the vulnerable components comprise prioritized vulnerable components that warrant alerts ([0026] from time-to-time, the developers 104 may receive one or more security vulnerability alerts 122 (hereinafter referred to collectively as “security vulnerability alerts 122” or individually as “security vulnerability alert 122”) from a software composition analysis system 124; moreover, the software composition analysis system 124 can execute, via one or more processors, a vulnerability identification module 132 to analyze the applications 108 to determine whether any of the developer software packages 106 and/or the common library software packages 110 (shown as “software packages 106/110”) contain any known security vulnerabilities identified in the security vulnerability data 130; in this manner, the developers 104 can be alerted only to the known security vulnerabilities that are applicable to the applications 108, i.e. “vulnerable components that warrant alerts”; [0034] vulnerability remediation module 146 can be configured to prioritize vulnerability remediation within the common library software packages 110 over the developer software packages 106); and the prioritized vulnerable components are remediated before the remaining vulnerable components ([0034] vulnerability remediation module 146 can be configured to prioritize vulnerability remediation within the common library software packages 110 over the developer software packages 106).
Regarding Claim 19: Anwar in view of Parla teaches the TIAP system of claim 7, wherein: a subset of the vulnerable components comprise prioritized vulnerable components that warrant alerts ([0026] from time-to-time, the developers 104 may receive one or more security vulnerability alerts 122 (hereinafter referred to collectively as “security vulnerability alerts 122” or individually as “security vulnerability alert 122”) from a software composition analysis system 124; moreover, the software composition analysis system 124 can execute, via one or more processors, a vulnerability identification module 132 to analyze the applications 108 to determine whether any of the developer software packages 106 and/or the common library software packages 110 (shown as “software packages 106/110”) contain any known security vulnerabilities identified in the security vulnerability data 130; in this manner, the developers 104 can be alerted only to the known security vulnerabilities that are applicable to the applications 108, i.e. “vulnerable components that warrant alerts”; [0034] vulnerability remediation module 146 can be configured to prioritize vulnerability remediation within the common library software packages 110 over the developer software packages 106); and the prioritized vulnerable components are remediated before the remaining vulnerable components ([0034] vulnerability remediation module 146 can be configured to prioritize vulnerability remediation within the common library software packages 110 over the developer software packages 106).

Claim(s) 3-4, 8-9, 14-15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Anwar in view of Parla, and further in view of Miliefsky (PGPUB 2007/0192867).

Regarding Claims 3 and 14: Anwar in view of Parla teaches the method of claim 2 and the computer program product of claim 13.
Neither Anwar nor Parla explicitly teaches wherein the computer-readable program code portions comprise the executable portion configured to: generate, at the TIAP portal, update commands that replace respective vulnerable component with the identified fixed versions thereof; and update, at the TIAP portal, the vulnerable components by executing the update commands. However, Miliefsky teaches the concept wherein computer-readable program code portions comprise an executable portion configured to: generate, at a TIAP portal, update commands that replace respective vulnerable component with identified fixed versions thereof ([0068] system may create secure SSL on-demand client-server communication interfaces between the SYSTRAY application running on client systems with one or more server `threads` running on the Anti-hacker Proactive Network Security system on a per network-based asset basis, and upon establishing a secure connection, obtain patch management links, instructions, modules, executable patches and security fixes; system may allow for executing links, instructions, modules, executable patches and security fixes from the SYSTRAY client application for repair and remediation of CVE and related regulatory compliance weaknesses of each CVE that has been uncovered by the Anti-hacker Proactive Network Security system for said network-based asset, on a per IP address basis; [0083] engine is a common vulnerabilities and remediation engine; this engine will allow for both automated and on-demand methods of remediating security vulnerabilities that have been found on assets in the network; this will include scripts and macros (i.e. “commands”) and other similar methods used to remove vulnerabilities from the network); and update, at the TIAP portal, the vulnerable components by executing the update commands ([0083] Workflow component of the CVE-REMEDY system enables end users to accept CVE repairs and if a client or agent exists on the network asset that contains a CVE, a connection is made to the client to initiate a patch or system reconfiguration and resolve the CVE). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the update commands teachings of Miliefsky with the vulnerability remediation system of Anwar in view of Parla. It is well-known in the art that computers function through use of programmed commands/instructions. A person of ordinary skill in the art would therefore be motivated to use commands/instructions to implement systems for automatically remediating software vulnerabilities.

Regarding Claims 4 and 15: Anwar in view of Parla and Miliefsky teaches the method of claim 3 and the computer program product of claim 14.
In addition, Miliefsky teaches wherein the computer-readable program code portions comprise the executable portion configured to: generate, at the TIAP portal, a script that consolidates the update commands ([0068] system may create secure SSL on-demand client-server communication interfaces between the SYSTRAY application running on client systems with one or more server `threads` running on the Anti-hacker Proactive Network Security system on a per network-based asset basis, and upon establishing a secure connection, obtain patch management links, instructions, modules, executable patches and security fixes; system may allow for executing links, instructions, modules, executable patches and security fixes from the SYSTRAY client application for repair and remediation of CVE and related regulatory compliance weaknesses of each CVE that has been uncovered by the Anti-hacker Proactive Network Security system for said network-based asset, on a per IP address basis; [0083] engine is a common vulnerabilities and remediation engine; this engine will allow for both automated and on-demand methods of remediating security vulnerabilities that have been found on assets in the network; this will include scripts and macros and other similar methods used to remove vulnerabilities from the network); and execute, at the TIAP portal, the script to update all the vulnerable components that have fixed version available (Workflow component of the CVE-REMEDY system enables end users to accept CVE repairs and if a client or agent exists on the network asset that contains a CVE, a connection is made to the client to initiate a patch or system reconfiguration and resolve the CVE).

The rationale to combine Anwar and Miliefsky is the same as provided for claims 3 and 14 due to the overlapping subject matter between claims 3 and 4, 14 and 15.

Regarding Claim 8: Anwar in view of Parla teaches the TIAP system of claim 7.
Neither Anwar nor Parla explicitly teaches wherein the remediation service is operative to: generate, at the TIAP portal, update commands that replace respective vulnerable component with the identified fixed versions thereof; and update, at the TIAP portal, the vulnerable components by executing the update commands. However, Miliefsky teaches the concept wherein a remediation service is operative to: generate, at a TIAP portal, update commands that replace respective vulnerable component with identified fixed versions thereof ([0068] system may create secure SSL on-demand client-server communication interfaces between the SYSTRAY application running on client systems with one or more server `threads` running on the Anti-hacker Proactive Network Security system on a per network-based asset basis, and upon establishing a secure connection, obtain patch management links, instructions, modules, executable patches and security fixes; system may allow for executing links, instructions, modules, executable patches and security fixes from the SYSTRAY client application for repair and remediation of CVE and related regulatory compliance weaknesses of each CVE that has been uncovered by the Anti-hacker Proactive Network Security system for said network-based asset, on a per IP address basis; [0083] engine is a common vulnerabilities and remediation engine; this engine will allow for both automated and on-demand methods of remediating security vulnerabilities that have been found on assets in the network; this will include scripts and macros (i.e. “commands”) and other similar methods used to remove vulnerabilities from the network); and update, at the TIAP portal, the vulnerable components by executing the update commands ([0083] Workflow component of the CVE-REMEDY system enables end users to accept CVE repairs and if a client or agent exists on the network asset that contains a CVE, a connection is made to the client to initiate a patch or system reconfiguration and resolve the CVE).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the update commands teachings of Miliefsky with the vulnerability remediation system of Anwar in view of Parla. It is well-known in the art that computers function through use of programmed commands/instructions. A person of ordinary skill in the art would therefore be motivated to use commands/instructions to implement systems for automatically remediating software vulnerabilities.

Regarding Claim 9: Anwar in view of Parla and Miliefsky teaches the TIAP system of claim 8.
In addition, Miliefsky teaches wherein the remediation service is operative to: generate, at the TIAP portal, a script that consolidates the update commands ([0068] system may create secure SSL on-demand client-server communication interfaces between the SYSTRAY application running on client systems with one or more server `threads` running on the Anti-hacker Proactive Network Security system on a per network-based asset basis, and upon establishing a secure connection, obtain patch management links, instructions, modules, executable patches and security fixes; system may allow for executing links, instructions, modules, executable patches and security fixes from the SYSTRAY client application for repair and remediation of CVE and related regulatory compliance weaknesses of each CVE that has been uncovered by the Anti-hacker Proactive Network Security system for said network-based asset, on a per IP address basis; [0083] engine is a common vulnerabilities and remediation engine; this engine will allow for both automated and on-demand methods of remediating security vulnerabilities that have been found on assets in the network; this will include scripts and macros and other similar methods used to remove vulnerabilities from the network); and execute, at the TIAP portal, the script to update all the vulnerable components that have fixed version available (Workflow component of the CVE-REMEDY system enables end users to accept CVE repairs and if a client or agent exists on the network asset that contains a CVE, a connection is made to the client to initiate a patch or system reconfiguration and resolve the CVE).

The rationale to combine Anwar and Miliefsky is the same as provided for claim 8 due to the overlapping subject matter between claims 8 and 9.

Claim(s) 5, 10, 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Anwar in view of Parla, and further in view of Manuel-Devadoss (PGPUB 2024/0193277).
Regarding Claims 5 and 16: Anwar in view of Parla teaches the method of claim 1 and the computer program product of claim 12. Neither Anwar nor Parla explicitly teaches wherein the computer-readable program code portions comprise the executable portion configured to: after said remediating has been performed, execute, at the TIAP portal, a CVE analysis on the updated build of the application; and verifying, at the TIAP portal, that that no CVEs exist in the updated build of the application. However, Manuel-Devadoss teaches the concept wherein computer-readable program code portions comprise an executable portion configured to: after remediating has been performed, execute, at a TIAP portal, a CVE analysis on an updated build of an application ([0023] the patch management system (PMS) 100 may then run/execute/install the approved patches (that were selected and approved by the stakeholders/users) against lower-level environments for testing purposes; thus, only user selected and approved patches are installed; the lower-level environments are then scanned for vulnerabilities to verify that the vulnerabilities have been resolved by the patches); and verifying, at the TIAP portal, that no CVEs exist in the updated build of the application ([0023] the lower-level environments are then scanned for vulnerabilities to verify that the vulnerabilities have been resolved by the patches).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the post-remediation vulnerability assessment teachings of Manuel-Devadoss with the vulnerability remediation system of Anwar in view of Parla, in order to fully secure the application by ensuring that no security vulnerabilities remain in the application or its components following a remediation process, thereby improving the security environment.

Regarding Claim 10: Anwar in view of Parla teaches the TIAP system of claim 7.
Neither Anwar nor Parla explicitly teaches the system further comprising: after said remediating has been performed, executing a CVE analysis on the updated build of the application; and verifying, at the TIAP portal, that that no CVEs exist in the updated build of the application. However, Manuel-Devadoss teaches the concept, after remediating has been performed, executing a CVE analysis on an updated build of an application ([0023] the patch management system (PMS) 100 may then run/execute/install the approved patches (that were selected and approved by the stakeholders/users) against lower-level environments for testing purposes; thus, only user selected and approved patches are installed; the lower-level environments are then scanned for vulnerabilities to verify that the vulnerabilities have been resolved by the patches); and verifying, at a TIAP portal, that no CVEs exist in the updated build of the application ([0023] the lower-level environments are then scanned for vulnerabilities to verify that the vulnerabilities have been resolved by the patches).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the post-remediation vulnerability assessment teachings of Manuel-Devadoss with the vulnerability remediation system of Anwar in view of Parla, in order to fully secure the application by ensuring that no security vulnerabilities remain in the application or its components following a remediation process, thereby improving the security environment.

Response to Arguments

Applicant's arguments filed 10/1/2025 have been fully considered but they are not persuasive.

Regarding the claim objections: Applicant’s amendments have overcome the previous claim objections to claims 1, 7, and 12. However, the other objections have not been addressed, and further objections have been introduced, above.
Regarding the rejection of claims under 35 USC 101: Applicant’s amendments have overcome the previous rejection under 35 USC 101, which is therefore withdrawn.

Regarding the rejection of claims under 35 USC 102/103: Examiner’s response to Applicant’s arguments, page 9 paragraph 4: While Examiner acknowledges that Anwar does disclose determination of executed and unexecuted vulnerabilities, Anwar does not explicitly teach or suggest limiting remediation to only the “executed” vulnerable components (as distinguished from “used” components, as in previous claim 6). However, a new ground(s) for rejection is provided above which does teach this amended subject matter.

Applicant’s arguments with regard to independent claims 7 and 12 are similar to those regarding claim 1 and are therefore responded to in a similar way. Applicant further argues that the dependent claims are allowable due to depending on an allowable independent claim. However, as shown above, the independent claims are not allowable.

Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FORREST L CAREY whose telephone number is (571)270-7814. The examiner can normally be reached 9:00AM-5:30PM M-F.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Amir Mehrmanesh can be reached at (571) 270-3351. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/FORREST L CAREY/
Examiner, Art Unit 2491

/AMIR MEHRMANESH/
Supervisory Patent Examiner, Art Unit 2491

Prosecution Timeline

Feb 15, 2024: Application Filed
Jun 28, 2025: Non-Final Rejection — §102, §103, §112
Oct 01, 2025: Examiner Interview Summary
Oct 01, 2025: Applicant Interview (Telephonic)
Oct 01, 2025: Response Filed
Jan 26, 2026: Final Rejection — §102, §103, §112 (current)

Precedent Cases

Applications granted by this same examiner with similar technology:

Patent 12603864: Systems and Methods for Uploading Streamed Objects to a Cloud Storage System (2y 5m to grant; granted Apr 14, 2026)
Patent 12596832: AUTOMATED DETECTION AND PREVENTION OF DISCLOSURE OF SENSITIVE INFORMATION VIA ELECTRONIC MESSAGING (2y 5m to grant; granted Apr 07, 2026)
Patent 12572684: SECURE MULTI-PARTY COMPUTATION OF DIFFERENTIALLY PRIVATE HEAVY HITTERS (2y 5m to grant; granted Mar 10, 2026)
Patent 12566865: MEMBERSHIP INFERENCE ATTACKS USING MULTIPLE SPECIALIZED MACHINE LEARNING MODELS (2y 5m to grant; granted Mar 03, 2026)
Patent 12547689: SYSTEM AND METHOD FOR CONTINUOUS PRIVACY-PRESERVING FACIAL-BASED AUTHENTICATION AND FEEDBACK (2y 5m to grant; granted Feb 10, 2026)


Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 56%
With Interview: 99% (+54.4%)
Median Time to Grant: 3y 9m
PTA Risk: Moderate

Based on 256 resolved cases by this examiner. Grant probability derived from career allow rate.
