DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Amendment
This office action is in response to amendment/reconsideration filed on 01/23/2026, the amendment/reconsideration has been considered. Claims 1, 9 and 13 have been amended. Claims 1-20 are pending for examination in the instant application.
Response to Arguments
Applicant’s arguments with respect to the amended claim(s) have been considered but are not persuasive.
Applicant improperly requires “Vel” to disclose the claim limitation verbatim
Applicant argues that Ve “merely maps” third-party libraries to URIs and does not disclose:
“generating a first code database for the cloned patched version … and a second code database for the cloned current version…”
Applicant’s argument is not commensurate with the scope of the claim. The claim does not require any particular data structure, schema, or database technology. The claim merely requires generating a code database for two versions of a library. Under the BRI and consistent with the specification, a “code database” reasonably encompasses any stored representation of a code sufficient to support comparison, including:
Dependency mappings
Version-specific code information
Metadata extracted from code
Structured representations of code content
Vel teaches these elements.
Vel explicitly teaches generating structured code representations of multiple versions
Applicant cites only a portion of Vel, [0024], but the paragraph must be read in full context. In [0024] Vel discloses:
Obtaining third-party libraries
Mapping them to source URIs
Linking them to patches, release notes, version
Determining whether newer versions exist
Determining backward compatibility between versions
This necessarily requires analyzing and storing version version-specific code information for both the current and updated (Patched) versions.
Vel further teaches in Fig.3A:
“Generate list of third-party libraries that have changes” (step-308)
“determining backward compatibility between current and new version” (Step-314)
To perform these steps , Vel must generate separate internal representations of:
The current version
The updated /patched version
These internal representations constitute the claimed first code database and second code database under BRI.
Brezo reinforces the teachings of version-specific code databases
Applicant asserts that Brezo does not remedy Vel’s alleged deficiencies. Examiner respectfully disagree because Brezo explicitly teaches:
Downloading a software extension
Decompressing it
Storing previous versions in a local database
Comparing the new version to previously-stored versions
Identifying changes between versions (Brezo, [0013], [0022])
Brezo’s “local database” of previously downloaded versions is a code database under BRI.
It’s comparison module necessarily operates on two separate stored code representation, satisfying the claimed dual-database requirement.
Thus Brezo directly supports the missing element even if Vel were considered insufficient alone.
Therefore, a POSITA would have found it obvious to combine Vel’s vulnerability-focused version analysis with Brezo’s explicit multi-version code storage and comparison to improve automated vulnerability assessment.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-5, 8-16, and 19- 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Velur et al. (Pub. No.: US 2020/0242254 A1), hereinafter “Vel” in view of Brezo et al. (Pub. No.: US 2020/0104483 A1), hereinafter “Brez”.
As to claim 1. Velur discloses, a method of performing automated, tailored vulnerability impact assessments (Vel, [0003], vulnerability management for modern applications), the method comprising:
retrieving a targeted third-party library repository including both a patched version and a current version (Vel, [0003], third party libraries, and the risk score of the API can be compared to a threshold risk value. A remedial action can be taken for each afflicted library called by the API in response to the risk score exceeding the threshold risk value.);
cloning the patched version of the targeted third-party library repository and the current version of the targeted third-party library repository into a local storage (Vel, [0077], a local repository of known “common vulnerabilities and exposures” CVEs can be created within the memory 608 to reduce processing time when generating a list of affected dependencies and microservices. Vel further explains the backward compatibility of old versions see [0085] hence, the database copies or saves the older versions.);
generating a first code database for the cloned patched version related to the targeted third-party library repository and a second code database for the cloned current version related to the targeted third-party library repository (Vel, [0024], Open-source third-party libraries can then be mapped to their corresponding source Uniform Resource Identifiers (“URIs”). This allows the invention to map the multiservice dependencies within APIs and link the libraries to publicly known information (e.g., patches, release notes, versions, or other information related to control of CVEs).
Vel however is silent to disclose explicitly, comparing the first code database with the second code database to identify differences;
generating an impact result based on the identified differences; and
transmitting an alert to a user including information about affected functions for the patched version of the targeted third-party library repository, based on the impact result.
Brez discloses a similar concept in the same field of endeavor including, comparing the first code database with the second code database to identify differences (Brez, [0013], comparing said software extension with previously-stored versions can comprise identifying the changes of the software extension.);
generating an impact result based on the identified differences (Brez, [0013], finding patterns or other warning signals among the changes of the obtained software extensions and previous versions stored in the local database.);
transmitting an alert to a user including information about affected functions for the patched version of the targeted third-party library repository, based on the impact result (Brez, [0010], the risk index can be e.g. a user warning to be displayed in a user's interface or any other type of graphic indicator that could comprise text, numbers and/or multimedia content. Software extensions as e.g. web browser, text editors or messaging systems can apply to the proposed solution.).
Therefore, before the effective filing date of the instant application it would have been obvious to one of the ordinary skilled in the art to incorporate the teachings of “Brez” into those of “Vel” to provide a computer implemented method for analysis of a software extension for installation and execution in a computing system, the method comprising obtaining a software extension from a marketplace, analyzing contents of the obtained software extension and computing a risk index based on the analyzed software extension and on information related to previously-downloaded software extensions stored in a local database, as well as related to previously detected malware.
As to claim 2. The combined system of Vel and Brez discloses the invention as in parent claim above including, wherein the patched version includes modifications made to the current version (Vel, [0030], updates to the third-party library 106 are manual, such that a manager or programmer of the application 102 or the microservice 104 can choose which versions of the third-party library 106 to implement and when.).
As to claim 3. The combined system of Vel and Brez discloses the invention as in parent claim above including, further comprising separating the identified differences into a first group that includes those identified differences involving one or more of a comment modification, change-line modification, and variable name modification, and a second group including any identified differences that are unassigned to the first group (Vel, [0024], This allows the invention to map the multiservice dependencies within APIs and link the libraries to publicly known information (e.g., patches, release notes, versions, or other information related to control of CVEs). A web crawler can be used to search through the mapped uniform resource identifiers (“URIs”) to determine which libraries have newer versions with updates, and therefore may include a potential CVE. Additionally, it is intended use to make save data into various tables, list, group or categories to produce intended output).
As to claim 4. The combined system of Vel and Brez discloses the invention as in parent claim above including, further comprising classifying each of the differences in the first group as non-substantive or no impact (Vel, [0003], The risk score of the API can be compared to a threshold risk value. A remedial action can be taken for each afflicted library).
As to claim 5. The combined system of Vel and Brez discloses the invention as in parent claim above including, further comprising classifying each of the differences in the second group as substantive or impact (Vel, [0024], This allows the invention to map the multiservice dependencies within APIs and link the libraries to publicly known information (e.g., patches, release notes, versions, or other information related to control of CVEs). A web crawler can be used to search through the mapped uniform resource identifiers (“URIs”) to determine which libraries have newer versions with updates, and therefore may include a potential CVE. Additionally, it is intended use to make save data into various tables, list, group or categories to produce intended output).
As to claim 8. The combined system of Vel and Brez discloses the invention as in parent claim above including, further comprising providing a user interface that allows an end-user to manage upgrades of the affected functions based on the impact result (Vel, [0003], A code call can be made by an application program interface (“API”) of the application of the software package, and wherein the code calls are made to code within each library of the one or more afflicted libraries. A risk score can be assigned to the API based on the number of code calls. The risk score of the API can be compared to a threshold risk value. A remedial action can be taken for each afflicted library called by the API in response to the risk score exceeding the threshold risk value.).
As to claim 9. A non-transitory computer-readable medium storing software comprising instructions executable by one or more computers which, upon such execution, cause the one or more computers to perform automated, tailored vulnerability impact assessments (Vel, [0004], vulnerability management for modern applications) by:
retrieving a targeted third-party library repository including both a patched version and a current version (Vel, [0003], third party libraries, and the risk score of the API can be compared to a threshold risk value. A remedial action can be taken for each afflicted library called by the API in response to the risk score exceeding the threshold risk value.);
cloning the patched version of the targeted third-party library repository and the current version of the targeted third-party library repository into a local storage (Vel, [0077], a local repository of known “common vulnerabilities and exposures” CVEs can be created within the memory 608 to reduce processing time when generating a list of affected dependencies and microservices. Vel further explains the backward compatibility of old versions see [0085] hence, the database copies or saves the older versions.);
generating a first code database for the cloned patched version related to the targeted third-party library repository and a second code database for the cloned current version related to the targeted third-party library repository (Vel, [0024], Open-source third-party libraries can then be mapped to their corresponding source Uniform Resource Identifiers (“URIs”). This allows the invention to map the multiservice dependencies within APIs and link the libraries to publicly known information (e.g., patches, release notes, versions, or other information related to control of CVEs).
Vel however is silent to disclose explicitly, comparing the first code database with the second code database to identify differences;
generating an impact result based on the identified differences; and
transmitting an alert to a user including information about affected functions for the patched version of the targeted third-party library repository, based on the impact result.
comparing the first code database with the second code database to identify differences (Brez, [0013], comparing said software extension with previously-stored versions can comprise identifying the changes of the software extension.);
generating an impact result based on the identified differences (Brez, [0013], finding patterns or other warning signals among the changes of the obtained software extensions and previous versions stored in the local database.); and
transmitting an alert to a user including information about affected functions for the patched version of the targeted third-party library repository, based on the impact result (Brez, [0010], the risk index can be e.g. a user warning to be displayed in a user's interface or any other type of graphic indicator that could comprise text, numbers and/or multimedia content. Software extensions as e.g. web browser, text editors or messaging systems can apply to the proposed solution.).
Therefore, before the effective filing date of the instant application it would have been obvious to one of the ordinary skilled in the art to incorporate the teachings of “Brez” into those of “Vel” to provide a computer implemented method for analysis of a software extension for installation and execution in a computing system, the method comprising obtaining a software extension from a marketplace, analyzing contents of the obtained software extension and computing a risk index based on the analyzed software extension and on information related to previously-downloaded software extensions stored in a local database, as well as related to previously detected malware.
As to claim 10. The combined system of Vel and Brez discloses the invention as in parent claim above including, wherein the patched version includes modifications made to the current version (Vel, [0030], updates to the third-party library 106 are manual, such that a manager or programmer of the application 102 or the microservice 104 can choose which versions of the third-party library 106 to implement and when.).
As to claim 11. The combined system of Vel and Brez discloses the invention as in parent claim above including, wherein the instructions further cause the one or more computers to separate the identified differences into a first group that includes those identified differences involving one or more of a comment modification, change-line modification, and variable name modification, and a second group including any identified differences that are unassigned to the first group (Vel, [0024], This allows the invention to map the multiservice dependencies within APIs and link the libraries to publicly known information (e.g., patches, release notes, versions, or other information related to control of CVEs). A web crawler can be used to search through the mapped uniform resource identifiers (“URIs”) to determine which libraries have newer versions with updates, and therefore may include a potential CVE. Additionally, it is intended use to make save data into various tables, list, group or categories to produce intended output).
As to claim 12 is rejected for same rationale as applied to claims 4 and 5 above.
As to claim 13, A system for performing automated, tailored vulnerability impact assessments (Vel, [0003], vulnerability management for modern applications) comprising one or more computers and one or more storage devices storing instructions that are operable, when executed by the one or more computers, to cause the one or more computers to:
retrieve a targeted third-party library repository including both a patched version and a current version (Vel, [0003], third party libraries, and the risk score of the API can be compared to a threshold risk value. A remedial action can be taken for each afflicted library called by the API in response to the risk score exceeding the threshold risk value.);
clone the patched version the targeted third-party library repository and the current version the targeted third-party library repository into a local storage (Vel, [0077], a local repository of known “common vulnerabilities and exposures” CVEs can be created within the memory 608 to reduce processing time when generating a list of affected dependencies and microservices. Vel further explains the backward compatibility of old versions see [0085] hence, the database copies or saves the older versions.);
generate a first code database for the cloned patched version related to the targeted third-party library repository and a second code database for the cloned current version related to the targeted third-party library repository (Vel, [0024], Open-source third-party libraries can then be mapped to their corresponding source Uniform Resource Identifiers (“URIs”). This allows the invention to map the multiservice dependencies within APIs and link the libraries to publicly known information (e.g., patches, release notes, versions, or other information related to control of CVEs);
Vel however is silent to disclose explicitly, comparing the first code database with the second code database to identify differences;
generating an impact result based on the identified differences; and
transmitting an alert to a user including information about affected functions for the patched version of the targeted third-party library repository, based on the impact result.
comparing the first code database with the second code database to identify differences (Brez, [0013], comparing said software extension with previously-stored versions can comprise identifying the changes of the software extension.);
generating an impact result based on the identified differences (Brez, [0013], finding patterns or other warning signals among the changes of the obtained software extensions and previous versions stored in the local database.); and
transmitting an alert to a user including information about affected functions for the patched version of the targeted third-party library repository, based on the impact result (Brez, [0010], the risk index can be e.g. a user warning to be displayed in a user's interface or any other type of graphic indicator that could comprise text, numbers and/or multimedia content. Software extensions as e.g. web browser, text editors or messaging systems can apply to the proposed solution.).
Therefore, before the effective filing date of the instant application it would have been obvious to one of the ordinary skilled in the art to incorporate the teachings of “Brez” into those of “Vel” to provide a computer implemented method for analysis of a software extension for installation and execution in a computing system, the method comprising obtaining a software extension from a marketplace, analyzing contents of the obtained software extension and computing a risk index based on the analyzed software extension and on information related to previously-downloaded software extensions stored in a local database, as well as related to previously detected malware.
As to claim 14. The combined system of Vel and Brez discloses the invention as in parent claim above including, wherein the instructions further cause the one or more computers to separate the identified differences into a first group that includes those identified differences involving one or more of a comment modification, change-line modification, and variable name modification, and a second group including any identified differences that are unassigned to the first group (Vel, [0024], This allows the invention to map the multiservice dependencies within APIs and link the libraries to publicly known information (e.g., patches, release notes, versions, or other information related to control of CVEs). A web crawler can be used to search through the mapped uniform resource identifiers (“URIs”) to determine which libraries have newer versions with updates, and therefore may include a potential CVE. Additionally, it is intended use to make save data into various tables, list, group or categories to produce intended output).
As to claim 15. The combined system of Vel and Brez discloses the invention as in parent claim above including, wherein the instructions further cause the one or more computers to classify each of the differences in the first group as non-substantive or no impact (Vel, [0003], The risk score of the API can be compared to a threshold risk value. A remedial action can be taken for each afflicted library).
As to claim 16. The combined system of Vel and Brez discloses the invention as in parent claim above including, wherein the instructions further cause the one or more computers to classify each of the differences in the second group as substantive or impact (Vel, [0024], This allows the invention to map the multiservice dependencies within APIs and link the libraries to publicly known information (e.g., patches, release notes, versions, or other information related to control of CVEs). A web crawler can be used to search through the mapped uniform resource identifiers (“URIs”) to determine which libraries have newer versions with updates, and therefore may include a potential CVE. Additionally, it is intended use to make save data into various tables, list, group or categories to produce intended output).
As to claim 19. The combined system of Vel and Brez discloses the invention as in parent claim above including, wherein the instructions further cause the one or more computers to provide a user interface that allows an end-user to manage upgrades of the affected functions based on the impact result (Vel, [0003], A code call can be made by an application program interface (“API”) of the application of the software package, and wherein the code calls are made to code within each library of the one or more afflicted libraries. A risk score can be assigned to the API based on the number of code calls. The risk score of the API can be compared to a threshold risk value. A remedial action can be taken for each afflicted library called by the API in response to the risk score exceeding the threshold risk value.).
As to claim 20. The combined system of Vel and Brez discloses the invention as in parent claim above including, wherein the patched version includes modifications made to the current version (Vel, [0030], updates to the third-party library 106 are manual, such that a manager or programmer of the application 102 or the microservice 104 can choose which versions of the third-party library 106 to implement and when.).
Claim(s) 6-7 and 17-18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Velur et al. (Pub. No.: US 2020/0242254 A1), hereinafter “Vel” in view of Brezo et al. (Pub. No.: US 2020/0104483 A1), hereinafter “Brez” and further in view of Moaz et al. (CDDiff: Semantic Differencing for Class diagrams), hereinafter “Moaz”.
As to claim 6. The combined system of Vel and Brez discloses the invention as in parent claim above. Vel and Brez however are silent to disclose explicitly, wherein differences classified as substantive include differences based on a removal of a function or class, changes in parameters, or control logic changes.
Moaz discloses a similar concept in the same field of endeavor including, wherein differences classified as substantive include differences based on a removal of a function or class, changes in parameters, or control logic changes (Moaz, section-4.2, describes the class diagram model that prove a feature e.g. class or class capability is present in one version and not in another i.e., removals/additions of classes or functions are captured as semantic / substantive differences.).
Therefore, before the effective filing date of the instant application it would have been obvious to one of the ordinary skilled in the art to incorporate the teachings of “Moaz” into those of “Vel and Brez” to provide class diagrams (CDs), which specify classes and the relationships between them, are widely used for modeling the structure of object-oriented systems. As models, programs, and systems evolve over time, during the development lifecycle and beyond it, effective change management is a major challenge in software development.
As to claim 7. The combined system of Vel, Brez and Moaz discloses the invention as in parent claim above including, wherein the impact result is further based on the classification of each difference as either substantive or non-substantive (Moaz, Section: introduction and 4.2, removals/additions of classes or functions are captured as semantic / substantive differences.).
As to claim 17, is rejected for same rationale as applied to claim 6 above.
As to claim 18, is rejected for same rationale as applied to claim 7 above.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Please see the attached PTO-892.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TAUQIR HUSSAIN whose telephone number is (571)270-1247. The examiner can normally be reached M-F 7:00 - 8:00 with IFP.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Brian J Gillis can be reached at 571 272-7952. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Tauqir Hussain/Primary Examiner, Art Unit 2446