Office Action Predictor
Last updated: April 17, 2026
Application No. 18/603,333

Automated Identification Of Vulnerable Software Components

Non-Final OA §101§102§103
Filed
Mar 13, 2024
Examiner
ROBINSON, CHRISTOPHER B
Art Unit
2443
Tech Center
2400 — Computer Networks
Assignee
dynatrace LLC
OA Round
1 (Non-Final)
89%
Grant Probability
Favorable
1-2
OA Rounds
2y 2m
To Grant
96%
With Interview

Examiner Intelligence

Grants 89% — above average
89%
Career Allow Rate
422 granted / 472 resolved
+31.4% vs TC avg
Moderate +6% lift
Without
With
+6.4%
Interview Lift
resolved cases with interview
Typical timeline
2y 2m
Avg Prosecution
27 currently pending
Career history
499
Total Applications
across all art units

Statute-Specific Performance

§101
9.4%
-30.6% vs TC avg
§103
60.0%
+20.0% vs TC avg
§102
18.6%
-21.4% vs TC avg
§112
5.1%
-34.9% vs TC avg
Black line = Tech Center average estimate • Based on career data from 472 resolved cases

Office Action

§101 §102 §103
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Information Disclosure Statement The information disclosure statement (IDS) submitted on 11/27/2024 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner. Allowable Subject Matter Claim(s) 6, 14, 17-20 is/are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. Claim Rejections - 35 USC § 101 35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. Claim(s) 1-21 is/are rejected under 35 U.S.C. 101 because the claimed invention is directed to abstract idea without significantly more. The claim(s) recite(s) collecting information (vulnerability database entries, repository text), analyzing information (using a LLM to interpret text) and reporting a result (reporting a component as vulnerable). The limitations include details that aligns with recognized abstract ideas such as data analysis and classification, information extraction and correlation and mental process implemented on a computer. In addition, merely reciting the use of a large language model does not, by itself, remove the claim from abstraction. AL/ML models are treated as tools used to perform the abstract analysis unless it is tied to a specific technical improvement. This judicial exception is not integrated into a practical application because the additional elements of the claim(s) include generic computer component, such as “a computer system”, “vulnerability database”, “a large language model”, “a source code repository” and “software components” are used as generic tools to perform the identification and analysis. Although the specification describes technical improvements to software vulnerability identification, the claim(s) do/does not recite the specific technical improvements or mechanism disclosed in the specification. Instead, the claim simply used a LLM to analyze test and report a result. The courts have repeatedly held that automating known manual processes using a generic computer does not constitute a practical application. The claim(s) do/does not include additional elements that are sufficient to amount to significantly more than the judicial exception because absent of the abstract idea, the remaining elements only include a “large language model” recited functionally, without architectural, training, prompting or inference constraints. No unconventional data structures, processing flows or security mechanism art recited. The method uses conventional sources, such as vulnerability databases and source repositories. Neither the claim nor the specification indicate that these components or operation are unconventional. Rather, they reflect well-understood, routine, and conventional analysis and identification techniques using generic computing components and a large language model. There is no inventive concept that transforms the abstract idea into patent-eligible subject matter. Claim Rejections - 35 USC § 102 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention. Claim(s) 1, 4-5 is/are rejected under 35 U.S.C. 102(a)(2) as being anticipated by CHAN et al. (US 2024/0411666 A1). Re Claim 1, CHAN teaches a computer-implemented method for identifying vulnerable software from a computer system, comprising: identifying name of a given software component in a vulnerability database by analyzing text of an entry in the vulnerability database using a large language model, where entries in the vulnerability database have known vulnerabilities; (CHAN; FIG. 1-8; Background, Summary, ¶ [0014]-[0020], [0026]-[0042]; The stated limitation is comparable to the cited embodiment that details the process of identifying source code snippet having a identified type of software vulnerability using a LLM, with a list of known vulnerabilities.) identifying a patch for the given software component in a source code repository by analyzing text of the entry in the vulnerability database using the large language model; (CHAN; FIG. 1-8; Background, Summary, ¶ [0014]-[0020], [0026]-[0042]; Identifying a repair (identifying a patch) for the software components in source code related system, using a LLM.) identifying the patch for the given software component in the source code repository by analyzing text in the source code repository using the large language model; and (CHAN; FIG. 1-8; Background, Summary, ¶ [0014]-[0020], [0026]-[0042]; Identifying a repair (identifying a patch) for the software components in source code related system, using a LLM.) reporting the given software component as being vulnerable in response to identifying the patch for the given software component in the source code repository. (CHAN; FIG. 1-8; Background, Summary, ¶ [0029], [0030]-[0042]; Alerting developers to vulnerabilities associated with the repair (patch) associated with the software component and source code system.) Re Claim 4, CHAN discloses the method of claim 1 further comprises increasing probability that the given software component is vulnerable in response to identifying the patch for the given software component in the source code repository. (CHAN; FIG. 1; ¶ [0016]-[0020], [0053]-[0055]; Identifying repairs related to the likelihood and probability that the software component is vulnerable.) Re Claim 5, CHAN discloses the method of claim 1 further comprises patching for the given software component in response to identifying the patch for the given software component in the source code repository. (CHAN; FIG. 1-8; Background, Summary, ¶ [0014]-[0020], [0026]-[0042]; Identifying a repair (identifying a patch) for the software components in source code related system, using a LLM.) Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim(s) 2 is/are rejected under 35 U.S.C. 103 as being unpatentable over CHAN et al. (US 2024/0411666 A1) as applied to claim(s) 1, 4-5 above, and further in view of Dang et al. (US 2022/0108020 A1). Re Claim 2, CHAN discloses the method of claim 1 yet does not explicitly suggest wherein the patch for the given software component is identified by matching the name of the given software component in the vulnerability database to the name of the given software component in the source code repository. However, in analogous art, Dang teaches wherein the patch for the given software component is identified by matching the name of the given software component in the vulnerability database to the name of the given software component in the source code repository. (Dang; FIG. 7-9; Background, Summary, ¶ [0036], [0046]-[0064]; The cited embodiment(s) detail comparable subject matter such as source code remediation based on matching vulnerabilities in application code to related software for repair.) It would have been obvious to one of ordinary skill in the art at the time before the effective filing date of the claimed invention (AIA ) to modify CHAN in view of Dang to match software for the reasons of creating a system and method for automating the process of application code vulnerability remediation. (Dang Abstract) Re Claim 3, CHAN-Dang discloses the method of claim 2 further comprises: identifying type of vulnerability associated with the given software component by analyzing text in the vulnerability database using the large language model; (CHAN; FIG. 1-8; Background, Summary, ¶ [0014]-[0020], [0026]-[0042]; The stated limitation is comparable to the cited embodiment that details the process of identifying source code snippet having a identified type of software vulnerability using a LLM, with a list of known vulnerabilities.) identifying type of vulnerability associated with the given software component by analyzing text in the source code repository using the large language model; and (CHAN; FIG. 1-8; Background, Summary, ¶ [0014]-[0020], [0026]-[0042]; Identifying a repair (identifying a patch) for the software components in source code related system, using a LLM.) reporting the given software component as being vulnerable in response to the name of the given software component in the vulnerability database matching the name of the given software component in the source code repository, and (Dang; FIG. 7-9; Background, Summary, ¶ [0036], [0046]-[0064]; The cited embodiment(s) detail comparable subject matter such as source code remediation based on matching vulnerabilities in application code to related software for repair.) the type of vulnerability associated with the given software component in the vulnerability database matching the type of vulnerability associated with the given software component in the source code repository. (Dang; FIG. 7-9; Background, Summary, ¶ [0036], [0046]-[0064]; The cited embodiment(s) detail comparable subject matter such as source code remediation based on matching vulnerabilities in application code to related software for repair, which includes determining the type of vulnerability.) It would have been obvious to one of ordinary skill in the art at the time before the effective filing date of the claimed invention (AIA ) to modify CHAN in view of Dang to match software for the reasons of creating a system and method for automating the process of application code vulnerability remediation. (Dang Abstract) Claim(s) 7-8 is/are rejected under 35 U.S.C. 103 as being unpatentable over CHAN et al. (US 2024/0411666 A1) as applied to claim(s) 1, 4-5 above, and further in view of Crabtree et al. (US 2022/0060497 A1). Re Claim 7, CHAN discloses the method of claim 1 yet does not explicitly suggest further comprises: retrieving topology entities from a topology model based on the given software component, where the retrieved topology entities are affected by the vulnerability of the given software component, and the topology model is a graph with nodes in the graph representing topology entities in a distributed computer system and edges of the graph representing relationships between the topology entities; and reporting the retrieved topology entities along with the given software component. However, in analogous art, Crabtree teaches further comprises: retrieving topology entities from a topology model based on the given software component, where the retrieved topology entities are affected by the vulnerability of the given software component, and (Crabtree; FIG. 1-7, 23-26, Summary, ¶ [0081]-[0086], [0112]-[0118], [0123]-[0124]; Topologies, topology based models, software components and vulnerabilities affecting software.) the topology model is a graph with nodes in the graph representing topology entities in a distributed computer system and edges of the graph representing relationships between the topology entities; and (Crabtree; FIG. 1-7, 23-26, Summary, ¶ [0081]-[0083], [0112]-[0118], [0123]-[0131]; Models include graphs with nodes associated with the topology of the computer system and edges of the graph representing relationship between topology related entities.) reporting the retrieved topology entities along with the given software component. (Crabtree; FIG. 1-7, 23-26, Summary, ¶ [0100]-[0103], [0126]; Reporting topology based data.) It would have been obvious to one of ordinary skill in the art at the time before the effective filing date of the claimed invention (AIA ) to modify CHAN in view of Crabtree to model topologies of computing systems for the reasons of implementing a cybersecurity analysis system that includes behavioral analysis and network topology information for improved cybersecurity. (Crabtree Abstract) Re Claim 8, CHAN-Crabtree discloses the method of claim 7 further comprises changing the topology of the computer system in response to reporting topology entities as vulnerable such that the level of risk associated with the vulnerability is reduced by changing the topology. (Crabtree; FIG. 1-19; ¶ [0091]-[0093], [0107]-[0119]; The embodiment(s) detail the changing of the level of risk associated with the vulnerability.) It would have been obvious to one of ordinary skill in the art at the time before the effective filing date of the claimed invention (AIA ) to modify CHAN in view of Crabtree to model topologies of computing systems for the reasons of implementing a cybersecurity analysis system that includes behavioral analysis and network topology information for improved cybersecurity. (Crabtree Abstract) Claim(s) 9-13, 21 is/are rejected under 35 U.S.C. 103 as being unpatentable over CHAN et al. (US 2024/0411666 A1) and further in view of Dang et al. (US 2022/0108020 A1). Re Claim 9 & 21, CHAN teaches a computer-implemented method for identifying vulnerable software from a computer system, comprising: identifying name of a given software component in a vulnerability database by analyzing text of an entry in the vulnerability database using a large language model, where entries in the vulnerability database have known vulnerabilities; (CHAN; FIG. 1-8; Background, Summary, ¶ [0014]-[0020], [0026]-[0042]; The stated limitation is comparable to the cited embodiment that details the process of identifying source code snippet having a identified type of software vulnerability using a LLM, with a list of known vulnerabilities.) extracting a link to a patch for the given software component in a source code repository by analyzing text of the entry in the vulnerability database using the large language model; (CHAN; FIG. 1-8; Background, Summary, ¶ [0014]-[0020], [0026]-[0042]; Identifying a repair (identifying a patch) for the software components in source code related system, using a LLM.) identifying name of the given software component in the source code repository by analyzing text of the patch in the source code repository using the large language model; (CHAN; FIG. 1-8; Background, Summary, ¶ [0014]-[0020], [0026]-[0042]; Identifying a repair (identifying a patch) for the software components in source code related system, using a LLM.) CHAN does not explicitly suggest comparing name of the given software component in the vulnerability database to the name of the given software component in the source code repository; and reporting the given software component as being vulnerable in response to the name of the given software component in the vulnerability database matching the name of the given software component in the source code repository However, in analogous art, Dang teaches comparing name of the given software component in the vulnerability database to the name of the given software component in the source code repository; and (Dang; FIG. 7-9; Background, Summary, ¶ [0036], [0046]-[0064]; The cited embodiment(s) detail comparable subject matter such as source code remediation based on matching vulnerabilities in application code to related software for repair.) reporting the given software component as being vulnerable in response to the name of the given software component in the vulnerability database matching the name of the given software component in the source code repository. (Dang; FIG. 7-9; Background, Summary, ¶ [0036], [0046]-[0064]; The cited embodiment(s) detail comparable subject matter such as source code remediation based on matching vulnerabilities in application code to related software for repair.) It would have been obvious to one of ordinary skill in the art at the time before the effective filing date of the claimed invention (AIA ) to modify CHAN in view of Dang to match software for the reasons of creating a system and method for automating the process of application code vulnerability remediation. (Dang Abstract) Re Claim 10, CHAN-Dang discloses the method of claim 9 further comprises linking to the patch for the given software component in the source code repository using the link for the patch extracted from the entry in the vulnerability database. (Dang; FIG. 7-9; Background, Summary, ¶ [0036], [0046]-[0064]; The cited embodiment(s) detail comparable subject matter such as source code remediation based on matching vulnerabilities in application code to related software for repair.) It would have been obvious to one of ordinary skill in the art at the time before the effective filing date of the claimed invention (AIA ) to modify CHAN in view of Dang to match software for the reasons of creating a system and method for automating the process of application code vulnerability remediation. (Dang Abstract) Re Claim 11, CHAN-Dang discloses the method of claim 9 further comprises: identifying type of vulnerability associated with the given software component by analyzing text of the entry in the vulnerability database using the large language model; (CHAN; FIG. 1-8; Background, Summary, ¶ [0014]-[0020], [0026]-[0042]; The stated limitation is comparable to the cited embodiment that details the process of identifying source code snippet having a identified type of software vulnerability using a LLM, with a list of known vulnerabilities.) identifying type of vulnerability associated with the given software component by analyzing source code for the given software component in the source code repository using the large language model, where the source code does not include the patch for the given software component; and (CHAN; FIG. 1-8; Background, Summary, ¶ [0014]-[0020], [0026]-[0042]; The stated limitation is comparable to the cited embodiment that details the process of identifying source code snippet having a identified type of software vulnerability using a LLM, with a list of known vulnerabilities.) reporting the given software component as being vulnerable in response to the name of the given software component in the vulnerability database matching the name of the given software component in the source code repository, and (Dang; FIG. 7-9; Background, Summary, ¶ [0036], [0046]-[0064]; The cited embodiment(s) detail comparable subject matter such as source code remediation based on matching vulnerabilities in application code to related software for repair.) the type of vulnerability associated with the given software component in the vulnerability database matching the type of vulnerability associated with the given software component in the source code repository. (Dang; FIG. 7-9; Background, Summary, ¶ [0036], [0046]-[0064]; The cited embodiment(s) detail comparable subject matter such as source code remediation based on matching vulnerabilities in application code to related software for repair, which includes determining the type of vulnerability.) It would have been obvious to one of ordinary skill in the art at the time before the effective filing date of the claimed invention (AIA ) to modify CHAN in view of Dang to match software for the reasons of creating a system and method for automating the process of application code vulnerability remediation. (Dang Abstract) Re Claim 12, CHAN-Dang discloses the method of claim 9 further comprises increasing probability that the given software component is vulnerable in response to in response to the name of the given software component in the vulnerability database matching the name of the given software component in the source code repository. (CHAN; FIG. 1; ¶ [0016]-[0020], [0053]-[0055]; Identifying repairs related to the likelihood and probability that the software component is vulnerable.) Re Claim 13, CHAN-Dang discloses the method of claim 9 further comprises patching for the given software component in response to in response to the name of the given software component in the vulnerability database matching the name of the given software component in the source code repository. (Dang; FIG. 7-9; Background, Summary, ¶ [0036], [0046]-[0064]; The cited embodiment(s) detail comparable subject matter such as source code remediation based on matching vulnerabilities in application code to related software for repair.) It would have been obvious to one of ordinary skill in the art at the time before the effective filing date of the claimed invention (AIA ) to modify CHAN in view of Dang to match software for the reasons of creating a system and method for automating the process of application code vulnerability remediation. (Dang Abstract) Claim(s) 15-16 is/are rejected under 35 U.S.C. 103 as being unpatentable over CHAN et al. (US 2024/0411666 A1), in view of Dang et al. (US 2022/0108020 A1) and further in view of Crabtree et al. (US 2022/0060497 A1). Re Claim 13, CHAN-Dang discloses the method of claim 9 yet does not explicitly suggest further comprises: retrieving topology entities from a topology model based on the given software component, where the retrieved topology entities are affected by the vulnerability of the given software component, and the topology model is a graph with nodes in the graph representing topology entities in a distributed computer system and edges of the graph representing relationships between the topology entities; and reporting the retrieved topology entities along with the given software component. However, in analogous art, Crabtree teaches further comprises: retrieving topology entities from a topology model based on the given software component, where the retrieved topology entities are affected by the vulnerability of the given software component, and (Crabtree; FIG. 1-7, 23-26, Summary, ¶ [0081]-[0086], [0112]-[0118], [0123]-[0124]; Topologies, topology based models, software components and vulnerabilities affecting software.) the topology model is a graph with nodes in the graph representing topology entities in a distributed computer system and edges of the graph representing relationships between the topology entities; and (Crabtree; FIG. 1-7, 23-26, Summary, ¶ [0081]-[0083], [0112]-[0118], [0123]-[0131]; Models include graphs with nodes associated with the topology of the computer system and edges of the graph representing relationship between topology related entities.) reporting the retrieved topology entities along with the given software component. (Crabtree; FIG. 1-7, 23-26, Summary, ¶ [0100]-[0103], [0126]; Reporting topology based data.) It would have been obvious to one of ordinary skill in the art at the time before the effective filing date of the claimed invention (AIA ) to modify CHAN-Dang in view of Crabtree to model topologies of computing systems for the reasons of implementing a cybersecurity analysis system that includes behavioral analysis and network topology information for improved cybersecurity. (Crabtree Abstract) Re Claim 16, Chang-Dang-Crabtree discloses the method of claim 15 further comprises changing the topology of the computer system in response to reporting topology entities as vulnerable such that the level of risk associated with the vulnerability is reduced by changing the topology. (Crabtree; FIG. 1-19; ¶ [0091]-[0093], [0107]-[0119]; The embodiment(s) detail the changing of the level of risk associated with the vulnerability.) It would have been obvious to one of ordinary skill in the art at the time before the effective filing date of the claimed invention (AIA ) to modify CHAN-Dang in view of Crabtree to model topologies of computing systems for the reasons of implementing a cybersecurity analysis system that includes behavioral analysis and network topology information for improved cybersecurity. (Crabtree Abstract) Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER B ROBINSON whose telephone number is (571)270-0702. The examiner can normally be reached M-F 7:00-3:00 EST. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Nicholas R Taylor can be reached at 571-272-3889. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /CHRISTOPHER B ROBINSON/Primary Examiner, Art Unit 2443
Read full office action

Prosecution Timeline

Mar 13, 2024
Application Filed
Feb 10, 2026
Non-Final Rejection — §101, §102, §103
Mar 23, 2026
Response Filed

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12604193
AUTOMATIC SWITCHING METHOD FOR INTRUSION DETECTION FUNCTION AND WIRELESS DETECTION SYSTEM CAPABLE OF AUTOMATICALLY SWITCHING INTRUSION DETECTION FUNCTION TRANSCEIVER
2y 5m to grant Granted Apr 14, 2026
Patent 12598084
External Authentication Method, Communication Apparatus, and Communication System
2y 5m to grant Granted Apr 07, 2026
Patent 12596835
PERSONAL FEATURE INFORMATION SECURITY ASSURANCE SYSTEM
2y 5m to grant Granted Apr 07, 2026
Patent 12598203
ANALYZING AND RECOMMENDING ROGUE CLASSIFICATION POLICIES FOR A COMMUNICATION NETWORK
2y 5m to grant Granted Apr 07, 2026
Patent 12593217
SYSTEMS AND METHODS FOR MANAGING APPLICATION AUTHENTICATION IN A WIRELESS NETWORK
2y 5m to grant Granted Mar 31, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

AI Strategy Recommendation

Get an AI-powered prosecution strategy using examiner precedents, rejection analysis, and claim mapping.
Powered by AI — typically takes 5-10 seconds

Prosecution Projections

1-2
Expected OA Rounds
89%
Grant Probability
96%
With Interview (+6.4%)
2y 2m
Median Time to Grant
Low
PTA Risk
Based on 472 resolved cases by this examiner. Grant probability derived from career allow rate.

Sign in for Full Analysis

Enter your email to receive a magic link. No password needed.

Free tier: 3 strategy analyses per month