DETAILED ACTION
This action is responsive to amendment filed on December 24th, 2025.
Claims 1~4, 6~12, and 14~20 are examined.
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
Applicant’s arguments with respect to claim(s) 1~4, 6~12, and 14~20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Claim Rejections - 35 USC § 103
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 1, 2, 6~10, and 14~18 are rejected under 35 U.S.C. 103 as being unpatentable over Castrejon, III et al. hereinafter Castrejon (U.S 2023/0315439) in view of Fedorenko et al. hereinafter Fedorenko (U.S 2014/0244679).
Regarding Claim 1,
Castrejon taught a system comprising:
scanning, by a computing device, a software application during execution of the software application on a server that is remote from the computing device to determine application attributes [¶64, known component scanning parameters may include controls capable of identifying elements associated with each of the components. The elements may refer to structural configurations of each component, such as package managers, manifest files, source code, binary files, containers, packages, artifacts, and/or software libraries]:
fingerprinting, by the computing device, the software application based on the application attributes in order to determine a component application of the software application [¶65, determining component scanning parameters, i.e., controls that are capable of identifying various elements of each component, including various software libraries or any suite of code that is used to make up the component];
utilizing, by the computing device, a database of open source software structural information to determine one or more subcomponent applications of the component application [¶28, entities have a record of the type of applications being used within the computing environment. When a new application is introduced into the computing environment, i.e., a new application is to be onboarded, most entities require a complete list of all software components of the application, including any third-party open source libraries, vendor provided packages, and first-party artifacts.];
generating, by the computing device, a software intelligence document indicating the component application and the one or more subcomponent applications in a standardized software intelligence document format [¶67, building a software bill of materials (SBOM) for the first application based on at least the one or more components]; and
performing one or more actions related to computing security based on the software intelligence document [¶69, each software vulnerability may be associated with either a remedial or mitigation action. Based on the vulnerability identified, the system may be configured to retrieve, from a first repository, one or more remedial/mitigation actions for vulnerability; ¶67, vulnerability scanning the SBOM].
Castrejon did not specifically teach determine an identifier of a component application of the software application and determine one or more subcomponent applications of the component application comprises searching the database for the identifier of the component application.
Fedorenko taught determine an identifier of a component application of the software application [¶127, identifying information that indicates the source of the known component]; and
determine one or more subcomponent applications of the component application comprises searching the database for the identifier of the component application [¶112, the library/data set of known fingerprints of known components can be stored using conventional techniques, such as in a database; ¶132; ¶137].
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention was made, to combine, Fedorenko’s teaching of limitations with the teachings of Castrejon, because the combination uniquely identifies a component and allows its dependencies and relationship to other components to be tracked [¶137].
Regarding Claim 2,
Castrejon taught wherein the scanning of the software application during execution of the software application on the server that is remote from the computing device to determine the application attributes comprises collecting one or more of: a network address; an open port; a domain name system (DNS) name; a name, version, or common platform enumeration (CPE) of a given component application; externally available application source code of the software application; or an application path or universal resource locator (URL) [¶29, component scanning parameters include controls capable of identifying elements [of] each component. Elements may refer to structural configurations of each component, such as package managers, manifest files, source code, binary files, containers, packages, artifacts, and/or software libraries].
Regarding Claim 6,
Castrejon taught wherein the fingerprinting of the software application based on the application attributes further comprises determining a version of the component application based on the application attributes [¶28, maintaining an up-to-date SBOM format compliant software bill of materials is crucial to also keep up with rapid software development, in which components and their versions are swiftly changing; ¶68].
Regarding Claim 7,
Castrejon taught wherein the generating of the software intelligence document indicating the component application and the one or more subcomponent applications in the standardized software intelligence document format comprises automatically generating a software bill of materials (SBOM) document for the software application [¶67, building a software bill of materials (SBOM) for the first application].
Regarding Claim 8,
Castrejon taught wherein the performing of the one or more actions related to computing security based on the software intelligence document comprises one or more of: providing the software intelligence document as an input to a software tool that performs computing security monitoring, analysis, or prevention operations; or providing the software intelligence document for display via a display device [¶69, Based on the vulnerability identified, the system may be configured to retrieve, from a first repository, one or more remedial/mitigation actions for vulnerability. In response, the system may be configured to automatically execute, using the application ingestion subsystem, the one or more remedial/mitigation actions].
Regarding Claims 9, 10, and 14~18, the claims are similar in scope to claims 1, 2, and 6~8 respectively and therefore, rejected under the same rationale.
Claims 3, 4, 11, 12, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Castrejon and Fedorenko in view of Brucker et al. hereinafter Brucker (U.S 2017/0169229).
Regarding Claim 3,
Castrejon-Fedorenko-Brucker taught wherein the fingerprinting of the software application based on the application attributes in order to determine the component application of the software application comprises: sending a request to the software application to perform particular functionality; determining a particular application attribute based on the software application performing the particular functionality; and determining that the particular application attribute corresponds to the component application [¶50, provide information about application components based on the actual runtime configuration of an application].
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention was made, to combine, Brucker’s teaching of limitations with the teachings of Castrejon and Fedorenko, because the combination would generate an accurate SBOM for an application during onboarding followed by an automated vulnerability scanning engine capable of identifying vulnerabilities in the components identified in the SBOM [¶28].
Regarding Claim 4,
Castrejon-Fedorenko-Brucker taught wherein the fingerprinting of the software application based on the application attributes in order to determine the component application of the software application comprises identifying a dependency of the software application on a web server, web framework, analytics framework, package, module, or plugin that is indicated in the application attributes [¶7, static dependencies; ¶9 run-time dependencies]. The rationale to combine as discussed in claim 3, applies here as well.
Regarding Claims 11, 12, 19, and 20, the claims are similar in scope to claims 3 and 4 respectively and therefore, rejected under the same rationale.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HEE SOO KIM whose telephone number is (571)270-3229. The examiner can normally be reached M-F 9AM-5PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Nicholas Taylor can be reached on (571) 272-3889. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/HEE SOO KIM/Primary Examiner, Art Unit 2443
Prosecution Insights