DETAILED ACTION
This is a final Office action in response to communications received on 01/06/2026. Claims 1, 9, 11-12 and 20 are amended. Claims 8 and 19 are canceled. Claims 21-22 are added. Claims 1-7, 9-18 and 20-22 are examined and are pending. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
Applicant’s arguments filed 01/06/2026, to claim 1 have been fully considered.
Applicant’s Remarks regarding 103 have been considered, but have not been found persuasive.
Consequently, the rejection of the claims under 35 U.S.C. § 103 is sustained.
Applicant argues on pages 8-9 on the Remarks that the prior arts of record do not disclose or suggest the newly amended features of independent claim 1 that recites: “generating …., including combining weight scores for a record that include a weight for missing or inaccurate dependencies and a weight for a scope of dependencies.”. The argument is moot because newly added claim limitations, require new grounds of rejection necessitated by the amendments. [please see the rejections below]
The remaining arguments fail to comply with 37 C.F.R. 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.
In addition, Applicant’s remaining arguments filed 01/06/2025, with respect to the rejection of claims 1-20 under 35 USC § 103 have been fully considered but are moot because newly added claim limitations requiring “generating …., including combining weight scores for a record that include a weight for missing or inaccurate dependencies and a weight for a scope of dependencies”, require new grounds of rejection necessitated by amendments.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-3, 5-7, 11-14, and 16-18 are rejected under 35 U.S.C. 103 over Jang (US 11,947,956), in view of Duggan (US 2023/0359744), and further in view of Conway (US 2025/0013753).
Regarding claim 1, Jang teaches the limitations of claim 1 as follows:
A computer-implemented method for assessing a software bill of materials (SBOM), comprising:
building a knowledge graph from a plurality of repositories, using function fingerprints of software packages in the plurality of repositories; (Jang, Col. 7, ll. 9-59, Col. 8, ll. 45-58, Col. 9, ll. 20-30, Col. 10, ll. 10-30, Figs. 1-5, Claims1-2, shows extraction of functions from software components (i.e., a plurality of repositories), and feed them into the knowledge graph. The knowledge graph 330 links multiple types of repositories, and being generated by decomposition processes across a plurality of repositories).
identifying dependencies of an application using function fingerprints of the application and comparing to function fingerprints of the software packages; (Jang, Col. 7, ll. 1-8, 35-59, Col. 8, ll. 45-58, Col. 9, ll. 3-23, Figs. 1-5, Claims1-2, shows extracting function fingerprints from the application, comparing them to function fingerprints of software genome/packages in the knowledge graph (KG), using graph relationships to determine dependencies between the application and the software genome/packages).
generating [a quality score for an SBOM] of the application based on a comparison of the identified dependencies to claimed dependencies of [the SBOM]; (Jang, Col. 6, ll.8-16, Col. 7, ll. 1-8, 35-59, Col. 8, ll. 45-58, Col. 9, ll. 3-23, Figs. 1-5, Claims1-2, shows extracting function fingerprints (actual dependencies), comparing them to known package fingerprints (i.e., claimed dependencies), and generating a score/risk based on matches/mismatches).
Jang discloses risk/score generation and performing an action responsive to the risk, but it does not explicitly disclose:
generating a quality score for an SBOM of the application based on a comparison of the identified dependencies to claimed dependencies of the SBOM;
including combining weight scores for a record that include a weight for [missing or inaccurate dependencies] and a weight for a scope of dependencies.
and performing an action responsive to the quality score.
However, Duggan in the Same field of endeavor discloses:
generating a quality score for an SBOM of the application based on a comparison of the identified dependencies to claimed dependencies of the SBOM; (Duggan, Paras. [0050]-[0055], [0048]-[0056], [0073], calculating consolidated score based on weighted metrics (i.e., quality score), comparing declared (i.e., claimed) SBOM entries and actual discovered dependencies. For example, if library B (i.e., identified dependencies) is vulnerable, then library A (which depends on library B) is considered vulnerable).
including combining weight scores for a record that include a weight for [missing or inaccurate dependencies] and a weight for a scope of dependencies. (Duggan, Paras. [0018], [0027], [0050]-[0055], “each metric can be assigned a weight”, weights are included into a consolidated/quality score for a library. The system detects difference/distance between the claimed dependencies in the SBOM and the actual dependencies (i.e., missing or inaccurate dependencies), and evaluates the SBOM’s quality based on direct or transitive dependencies (i.e., a scope of dependencies)).
and performing an action responsive to the quality score. (Duggan, Paras. [0050]-[0055], [0048]-[0056], [0073], the system takes multiple actions in response to the generated score like checking whether the scores exceeds a predetermined threshold, feeding an ML model with the scores for training purpose, determining dependencies, record the results in a database, refresh/update SBOM risk state).
Duggan is combinable with Jang, because both are from the same field of assessing a software. It would have been obvious to a person having ordinary skill in the art before the effective filling date of the invention to generate a quality score for an SBOM, as taught by Duggan with Jang’s method in order to improve efficiencies of detecting software supply chain. [Duggan, Para. [0009]]
Duggan discloses including a weight for a scope of dependencies, but it does not explicitly disclose:
A missing or inaccurate dependencies,
However, Conway in the Same field of endeavor discloses:
A missing or inaccurate dependencies, (Conway, Paras. [006]-[008], [0033], shows that any dependencies exists in the binary are extracted to generate a reverse SBOM, and supplement the SBOM with the previous missing dependencies (verification against an existing SBOM). Therefore, the inclusion of the missing dependencies are done via reverse SBOM).
Conway is combinable with Jang-Duggan, because all are from the same field of assessing a software. It would have been obvious to a person having ordinary skill in the art before the effective filling date of the invention to include the missing dependencies, as taught by Conway with Jang-Duggan’s method of generating a quality score including weigh for dependencies in order to improve the accuracy and reliability of dependency-based risk scoring by ensuring that those missing dependencies from the original SBOM are included.
As per claims 11 and 12, claims 11 and 12 encompass same or similar scope as claim 1. Therefore, claims 11 and 12 are rejected based on the reasons set forth above in rejecting claim 1.
Regarding claim 2, Jang-Duggan and Conway teach the limitations of claim 1. Jang teaches the limitations of claim 2 as follows:
The method of claim 1, wherein building the knowledge graph includes forming a vector database of the function fingerprints of the software packages, of [the SBOM]; (Jang, Col. 6, ll.8-16, Col. 7, ll. 1-8, 35-59, Col. 8, ll. 45-58, Col. 9, ll. 3-23, Figs. 1-5, Claims1-2, shows that function building block is fingerprinted, and are stored as nodes in the KG. “if it happens that a gene or node is close to a node in software genome knowledge graph (KG) that is considered a bug in knowledge graph, then the target software may be known as a software bug” shows the closeness between fingerprints (i.e., forming a vector database) which shows comparing fingerprints using similarity/closeness as a vector similarity search).
where each function fingerprint is represented as a respective vector embedding. (Jang, Col. 6, ll.8-16, Col. 7, ll. 1-8, 35-59, Col. 8, ll. 45-58, Col. 9, ll. 3-23, Figs. 1-5, Claims1-2, since the system uses similarity search to determine the closeness of fingerprints, therefore, the fingerprints are represented as numerical vectors (i.e., a respective vector embedding)).
As per claim 13, claim 13 encompass same or similar scope as claim 2. Therefore, claim 13 is rejected based on the reasons set forth above in rejecting claim 2.
Regarding claim 3, Jang-Duggan and Conway teach the limitations of claim 1. Jang teaches the limitations of claim 3 as follows:
The method of claim 2, wherein identifying dependencies of the application includes querying the vector database with the function fingerprints of the application to determine software packages having similar function fingerprints. (Jang, Col. 6, ll.8-16, Col. 7, ll. 1-8, 35-59, Col. 8, ll. 45-58, Col. 9, ll. 3-23, Figs. 1-5, Claims1-2, the application is broken down into function fingerprints, then are compared to stored fingerprints (vector similarity search). If an application’s fingerprints matches a fingerprint tied to a package node for example 338, the system identifies that the application depends on that package. The comparison step shows a query into the fingerprint database).
As per claim 14, claim 14 encompass same or similar scope as claim 3. Therefore, claim 14 is rejected based on the reasons set forth above in rejecting claim 3.
Regarding claim 5, Jang-Duggan and Conway teach the limitations of claim 1. Jang teaches the limitations of claim 5 as follows:
The method of claim 1, wherein building the knowledge graph includes identifying components of the software packages and relationships between the components. (Jang, Col. 6, ll.8-16, Col. 7, ll. 1-8, 35-59, Col. 8, ll. 45-58, Col. 9, ll. 3-23, Figs. 1-5, Claims1-2, the knowledge graph includes software components (functions, files, packages, containers, devices). Each functional building blocks of a software package is extracted and represented as a fingerprints which becomes a node in the acknowledge graph. The relationship between components (a target software function and a known buggy function) is identified via the proxies in the graph).
As per claim 16, claim 16 encompass same or similar scope as claim 5. Therefore, claim 16 is rejected based on the reasons set forth above in rejecting claim 5.
Regarding claim 6, J Jang-Duggan and Conway teach the limitations of claim 1. Jang teaches the limitations of claim 6 as follows:
The method of claim 5, wherein the components include functions, files, libraries, packages, and images. (Jang, Col. 5, ll. 20-31, Col. 6, ll. 8-16, 30-41, Col. 7, ll. 1-8, 35-59, Col. 8, ll. 45-58, Col. 9, ll. 3-23, Figs. 1-5, Claims1-2, shows files/executables as being components, packages and libraries are included as nodes. The container images are one of the components).
As per claim 17, claim 17 encompass same or similar scope as claim 6. Therefore, claim 17 is rejected based on the reasons set forth above in rejecting claim 6.
Regarding claim 7, Jang-Duggan and Conway teach the limitations of claim 1. Jang teaches the limitations of claim 7 as follows:
The method of claim 1, wherein the plurality of repositories include [an open source repositories, a package manager], an official websites of a software package, and an internal repository for an organization. (Jang, Col. 5, ll. 20-58, Col. 6, ll. 8-16, 30-41, Col. 7, ll. 17-34, Col. 8, ll. 19-26, Col. 9, ll. 3-23, Col. 15, ll. 44-62, Figs. 1-5, Claims1-2, and step 106, “The system 100 is then able to monitor software at multiple granularities (ranging from binaries, scripts, libraries applications to container images, IoT devices). Therefore, the granularities of the software can be, for example, binaries, scripts, libraries applications to container images, references to IoT devices, etc., extracted from the software”, shows that multiple types of repositories are included, such as, an organization’s internal software inventory (i.e., an internal repository). Organization’s inventory, CVEs, AV, sandbox, dark web, functions, libraries, container images, IOT software are included. Vendor’s official portal are present as a web-base access point for obtaining services related to the software (i.e., an official websites of a software package)).
Jang discloses the plurality of repositories include an internal repository for an organization, but it does not explicitly disclose:
the plurality of repositories include an open source repositories, a package manager,
However, Duggan in the Same field of endeavor discloses:
the plurality of repositories include an open source repositories, a package manager, (Duggan, Paras. [0018], [0027]-[0031], [0099], Open source repositories such as GitHub, package management such as, NuGet and npm, software registries such as Docker Hub, and general repositories are included).
The same motivation to combine utilized in claim 1 is equally applicable in the instant claim.
As per claim 18, claim 18 encompass same or similar scope as claim 7. Therefore, claim 18 is rejected based on the reasons set forth above in rejecting claim 7.
Claims 4 and 15 are rejected under 35 U.S.C. 103 over Jang (US 11,947,956) in view of Duggan (US 2023/0359744), and further in view of Conway (US 2025/0013753), and Paparaju (US 11,443,231).
Regarding claim 4, Jang-Duggan and Conway teach the limitations of claim 1. Paparaju in the same field of endeavor teaches the limitations of claim 4 as follows:
The method of claim 3, wherein identifying dependencies of the application further includes determining similarity between function fingerprints using a cosine similarity metric. (Paparaju, Col. 5, ll. 44-67, Col. 6, ll. 1-7, “the distance between representative vectors can provide information about the similarity between two dependencies. Distances between vectors in the latent vector space can be measured in any of various ways, including as examples, cosine distance or Euclidean distance”, shows that the system identifies and compares dependencies of the application by mapping them into a vector space and then computing the similarities using a cosine similarity metric).
Paparaju is combinable with Jang-Duggan and Conway, because all are from the same field of assessing a software. It would have been obvious to a person having ordinary skill in the art before the effective filling date of the invention to use a cosine similarity metric, as taught by Paparaju with Jang-Duggan-Conway’s method in order to compare the dependencies in a normalized way and enhance the assessment of the software.
As per claim 15, claim 15 encompass same or similar scope as claim 4. Therefore, claim 15 is rejected based on the reasons set forth above in rejecting claim 4.
Claims 9-10 and 20 are rejected under 35 U.S.C. 103 over Jang (US 11,947,956) in view of Duggan (US 2023/0359744), and further in view of Conway (US 2025/0013753), and Wookey (US 2012/0151468).
Regarding claim 9, Jang-Duggan and Conway the limitations of claim 1. Wookey in the same field of endeavor teaches the limitations of claim 9 as follows:
The method of claim 8, wherein generating the quality score includes dividing the combined weight scores by a maximum weight score across a number of dependencies. (Wookey, Paras. [0120]-[0123], [0139]-[0143], teaches how the confidence score for a dependency is calculated. The confidence factor is calculated by summarizing the factor between each dependency and dividing it by the total number of dependencies (average confidence factor for the dependencies is calculated)).
Wookey is combinable with Jang-Duggan and Conway, because all are from the same field of assessing a software. It would have been obvious to a person having ordinary skill in the art before the effective filling date of the invention to calculate a score based on the average weighted scores of the dependencies, as taught by Wookey with Jang-Duggan-Conway’s method in order to adjust the weights for dependencies based on their critical impact on the system.
As per claim 20, claim 20 encompass same or similar scope as claim 9. Therefore, claim 20 is rejected based on the reasons set forth above in rejecting claim 9.
Regarding claim 10, Jang-Duggan and Conway teach the limitations of claim 1. Wookey teaches the limitations of claim 10 as follows:
The method of claim 1, wherein performing the action includes disabling execution of the application responsive to a quality score that is below a predetermined threshold. (Wookey, Paras. [0145]-[0147], teaches if the confidence factor (quality score) is above a threshold, a pre-installation verification is triggered, and if the confidence factor falls below the threshold, then the pre-installation would not occur (i.e., disabling execution)).
Wookey is combinable with Jang-Duggan and Conway, because all are from the same field of assessing a software. It would have been obvious to a person having ordinary skill in the art before the effective filling date of the invention to disable execution of an application when the score is below a threshold, as taught by Wookey with Jang-Duggan-Conway’s method in order to prevent installation that would most likely fail.
Claims 9-10 and 20 are rejected under 35 U.S.C. 103 over Jang (US 11,947,956) in view of Duggan (US 2023/0359744), and further in view of Conway (US 2025/0013753), and Wagner (US 10,564,946).
Regarding claim 21, Jang-Duggan and Conway teach the limitations of claim 1. Wagner teaches the limitations of claim 21 as follows:
The method of claim 1, wherein identifying dependencies includes determining a composition ratio and containment ratio for a package, wherein the composition ratio identifies a percent of the package that used by the application and wherein the containment ratio identifies a percent of the application that is contained within the package. (Wagner, Col. 26, ll. 62-67, Col. 27, Col 28, ll. 1-13, and Col. 29, ll. 19-27, teaches identifying dependencies in code objects, and computing usage/frequency metrics (evaluating frequency of calls), and determining whether calls exceed a threshold percentage (e.g., 80%) (i.e., used, … contained)).
Wagner is combinable with Jang-Duggan and Conway, because all are from the same field of assessing a software. It would have been obvious to a person having ordinary skill in the art before the effective filling date of the invention to identify dependencies with ratio for a package, as taught by Wagner with Jang-Duggan-Conway’s method in order to reduce unnecessary loading.
Regarding claim 22, Jang-Duggan and Conway teach the limitations of claim 1. Wagner teaches the limitations of claim 22 as follows:
The method of claim 1, wherein identifying dependencies includes comparing. (Wagner, Col. 26, ll. 62-67, Col. 27, Col 28, ll. 1-13, and Col. 29, ll. 19-27, teaches evaluating relationships of tasks and dependency objects (i.e., comparing)).
The same motivation to combine utilized in claim 21 is equally applicable in the instant claim.
References Considered But Not Relied Upon
Velur (US 2020/0242254) discloses a method to calculate score including weight for a scope of dependencies (direct vs transitive).
Giraldo (US 2014/0379409) discloses a method of quality analysis, to calculate/generate dependencies score based on weighted evaluation of dependency relationships.
Conclusion
Accordingly, claims 1-7, 9-18, and 20-22 are rejected.
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to PEGAH BARZEGAR whose telephone number is (703)756-4755.
The examiner can normally be reached M-F, 9:00 - 5:30. Examiner interviews are available via telephone, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T Arani can be reached on 571-272-3787. The fax phone number for the Application/Control Number: 17/470,067 Page 17 Art Unit: 2438 organization where this application or proceeding is assigned is 571-273- 8300. Application/Control Number: 17/386,076 Page 25 Art Unit: 2438 Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patentcenter for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272- 1000.
/P.B./Examiner, Art Unit 2438 /TAGHI T ARANI/Supervisory Patent Examiner, Art Unit 2438