DETAILED ACTION
1. Claims 1-18 are pending in this examination.
Notice of Pre-AIA or AIA Status
2. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
3. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claim Rejections - 35 USC § 103
4.1. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
4.2. Claims 1, 3, 9-10, 12, 18 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent Application No. 20200117807 to Nadgowda et al (“Nadgowda”) in view of US Patent No. 8336030 issued to Boissy et al (“Boissy”).
Independent Claims 1 and 10
As per claims 1 and 10, Nadgowda discloses a method/non-transitory computer-readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform operations for analyzing software build changes, the operations comprising: accessing first executable code associated with a first version, accessing second executable code associated with a second version ([0004], The system receives a report associating a first version of a software package … The system receives the first version and the second version of the software package, also see [0018], report identifies a first version 112 of a package “PkgX” … report also identifies a second version 114 of the package, [0019], Vulnerability detector 126 are modules of software instructions being executed by one or more processing units (e.g., a processor) of a computing device [0030], code),
determining a code delta between the first executable code and the second executable code, the code delta being based on a change of at least one first element of code in the first executable code to at least one second element of code in the second executable code ([0004], identifies a changed (delta) file in the first version of the software package that is different than a corresponding file in the second version of the software package. The system identifies a file in an application container that matches the identified changed file in the first version of the software package, [0037] To identify the changed file, the system 100 compares the first version of the software package with the second version. In some embodiments, the system 100 extracts files from the first and second versions of the package respectively into a target system state and fixed system state and compares the two system states to identify any changed files. In some embodiments, the system 100 generates and compares file signatures of the first version with file signatures of the second version to identify any changed files),
determining a software vulnerability associated with at least one of the at least one first element of code or the at least one second element of code ([0004], The system associates the identified file with the vulnerability).
Nadgowda does not explicitly disclose the following; however, in the same field of endeavor, Boissy discloses generating a report including a pairing of an indicator of the software vulnerability with an indicator of at least one of the at least one first element of code or the at least one second element of code (col. 6, lines 42-60, The errors identified in the received versions of the code, including the type or category of error and the location of the identified error within the respective code, may be stored in memory, such as in main memory 104 (fig. 1), by the code verification engine 202, as indicated at block 308. … The interactive presentation engine 206 may access the violations or errors identified in the received versions of the code, and generate one or more interactive, comparative analysis reports. In an embodiment, an analysis report may present the identified violations or errors in terms of the programming entities or elements that form the received code, as indicated at block 310. The interactive presentation engine 206 may present the analysis reports to the user, as also indicated at block 310. For example, the interactive presentation engine 206 may display the reports on the display 120 (fig. 1)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Nadgowda with the teaching of Boissy by including the indicator feature, in order for Nadgowda’s system to quickly see whether the number of coding violations or errors in the code being developed is being reduced as subsequent versions are created. The errors or violations identified in each version of the received code may be presented side-by-side so that a user may make a direct comparison of the errors that exist in each version of the received code. That is, an advantage of the present invention is that it permits a user to quickly see whether the number of coding violations or errors in the code being developed is being reduced as subsequent versions are created. Likewise, a user can see whether the number of coding violations or errors is increasing. A user, such as a project manager, can thus confirm that coding violations are being resolved, or quickly take action to address a rise in coding violations (Boissy, col. 8, lines 25-35).
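As an added illustration (not code from Nadgowda, Boissy, or the application under examination), the steps described above for claims 1 and 10 can be sketched in Python: per-file signatures of two package versions are compared to find the changed, added, and removed files (the code delta), and each delta file that has a vulnerability record is paired with its vulnerability indicator in a report. The package contents and the vulnerability identifiers are constructed placeholders.

```python
import hashlib

# Constructed sample package versions (path -> file contents); not taken from any cited reference.
PKG_V1 = {
    "lib/parse.py": b"def parse(s):\n    return eval(s)\n",
    "lib/net.py":   b"def fetch(url):\n    return open_url(url)\n",
    "README":       b"PkgX 1.0\n",
}
PKG_V2 = {
    "lib/parse.py": b"import ast\ndef parse(s):\n    return ast.literal_eval(s)\n",
    "lib/net.py":   b"def fetch(url):\n    return open_url(url)\n",
    "README":       b"PkgX 1.1\n",
    "lib/auth.py":  b"def check(tok):\n    return tok == 'letmein'\n",
}

# Constructed vulnerability records: file -> (vulnerability indicator, version in which it is present).
# The identifiers are placeholders, not real advisory numbers.
VULN_RECORDS = {
    "lib/parse.py": ("VULN-PLACEHOLDER-001", "first"),   # present in v1, fixed by the v2 change
    "lib/auth.py":  ("VULN-PLACEHOLDER-002", "second"),  # introduced by the file added in v2
}

def signatures(pkg):
    """File signature table: path -> SHA-256 hex digest of the file contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in pkg.items()}

def code_delta(v1, v2):
    """Files whose signature differs between the versions, tagged changed/added/removed."""
    s1, s2 = signatures(v1), signatures(v2)
    delta = {}
    for path in sorted(s1.keys() | s2.keys()):
        if path not in s2:
            delta[path] = "removed"
        elif path not in s1:
            delta[path] = "added"
        elif s1[path] != s2[path]:
            delta[path] = "changed"
    return delta  # unchanged files (identical signatures) are omitted

def vulnerability_report(v1, v2, records):
    """Pair each delta file that has a vulnerability record with its indicator and status."""
    report = []
    for path, kind in code_delta(v1, v2).items():
        if path in records:
            vuln_id, affected = records[path]
            status = "resolved" if affected == "first" else "introduced"
            report.append({"element": path, "change": kind,
                           "vulnerability": vuln_id, "status": status})
    return report
```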
As per claim 3, the combination of Nadgowda and Boissy discloses the non-transitory computer-readable medium of claim 1, wherein the report includes multiple pairings of software vulnerability indicators with element-of-code changes between the first executable code and the second executable code (Boissy, col. 11, lines 4-15, the types of errors and their severity as identified in each version of the received code may be presented side-by-side so that a user, such as the project manager, may make a direct comparison of the types or categories of errors or violations that exist in each version of the received code, and their severity level. Thus, tabbed region 404, like tabbed region 402 (FIG. 4), also permits the project manager to quickly see whether progress is being made in reducing the number of coding violations or errors in the code being developed. Likewise, the project manager can see whether the number of coding violations or errors is actually increasing. The project manager can thus confirm that coding violations are being resolved, or in the alternative take action to address a rise in coding violations). The motivation regarding the obviousness of claim 1 is also applied to claim 3.
As per claim 9, the combination of Nadgowda, Boissy and Siman discloses the non-transitory computer-readable medium of claim 1, wherein: determining a software vulnerability associated with at least one of the at least one first element of code or the at least one second element of code comprises determining a symbol associated with at least one of the at least one first element of code or the at least one second element of code; and the indicator included in the report includes the determined symbol (Boissy, col. 2, lines 52-60, col. 12, lines 58-65). The motivation regarding the obviousness of claim 1 is also applied to claim 9.
Claim 12 is rejected for similar reasons as stated above with respect to claim 3.
Claim 18 is rejected for similar reasons as stated above with respect to claim 9.
4.3. Claims 2, 4-8, 11, and 13-17 are rejected under 35 U.S.C. 103 as being unpatentable over Nadgowda and Boissy as applied to the claims above, and in view of US Patent No. 11170113 issued to Siman et al (“Siman”).
As per claim 2, the combination of Nadgowda and Boissy discloses the invention as described above. Nadgowda and Boissy do not explicitly disclose the following; however, in the same field of endeavor, Siman discloses the non-transitory computer-readable medium of claim 1, wherein the paired indicator of the software vulnerability with the indicator of at least one of the at least one first element of code or the at least one second element of code are associated with a time and a software developer associated with introducing the software vulnerability (Siman, col. 11, lines 1-10, tracking area 84 shows an Open Redirect vulnerability, with location and path parameters listed in a request parameters block 86. In FIG. 3A, this vulnerability has been identified for the first time (on Dec. 26, 2016) and is marked with a “new” flag 88. The same vulnerability was found to recur in a later execution of the program, as shown in FIG. 3B, and therefore flag 88 is now marked “recurrent.” Finally, the vulnerability was no longer found in the program version executed on December 28, and flag 88 is therefore marked “resolved” in FIG. 3C.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Nadgowda with the teaching of Boissy/Siman by including the feature of a time, in order for Nadgowda’s system to protect against security vulnerabilities in computer programs, and particularly to provide methods, systems and software for testing application security. A method for testing a software application program (22) includes storing in a vulnerability database records of security vulnerabilities identified in execution of the program. Each record includes a location field containing a respective signature indicative of a location in the execution at which a corresponding security vulnerability was detected and a metadata field indicative of a respective control flow path on which the corresponding security vulnerability occurred. Upon detecting a further security vulnerability at a given location in a subsequent execution of the program, a new signature of the given location is computed and compared to the location field of the records in the database. When no record is found to match the new signature, an indication is output to a developer of the program of an occurrence of a new security vulnerability (Siman, abstract).
As per claim 4, the combination of Nadgowda, Boissy and Siman discloses the non-transitory computer-readable medium of claim 3, wherein the pairings are associated with multiple descriptor parameters (Siman, col. 11, lines 1-10). The motivation regarding the obviousness of claim 2 is also applied to claim 4.
As per claim 5, the combination of Nadgowda, Boissy and Siman discloses the non-transitory computer-readable medium of claim 4, wherein the report is filterable by at least one of the descriptor parameters (Boissy, col. 2, lines 52-67, the report, moreover, may organize the specified violations in terms of their severity. The severity may be visually represented to the user, for example, by using color coding. In an embodiment, the following color scheme may be used: red may indicate coding violations, orange may indicate code portions for which the lack or presence of violations has not been determined with certainty, gray may represent unexamined code, and green may indicate code that passes the analysis; also see col. 8, lines 35-60, fig. 4 and associated text). The motivation regarding the obviousness of claim 1 is also applied to claim 5.
As per claim 6, the combination of Nadgowda, Boissy and Siman discloses the non-transitory computer-readable medium of claim 4, wherein the report is orderable by at least one of the descriptor parameters (Boissy, col. 2, lines 52-67; col. 8, lines 35-60). The motivation regarding the obviousness of claim 1 is also applied to claim 6.
As per claim 7, the combination of Nadgowda, Boissy and Siman discloses the non-transitory computer-readable medium of claim 4, wherein the descriptor parameters include at least one of a file name, a build identifier, a version identifier, a commit identifier, a developer name, a date, a time, a symbol identifier, or a 3rd-party package identifier (Boissy, col. 2, lines 52-67; col. 7, lines 10-30). The motivation regarding the obviousness of claim 1 is also applied to claim 7.
As per claim 8, the combination of Nadgowda, Boissy and Siman discloses the non-transitory computer-readable medium of claim 1, wherein: determining a code delta between the first executable code and the second executable code comprises determining at least one of a symbol or a 3rd-party package added or removed in the second executable code relative to the first executable code; and the report includes an indication of the at least one of a symbol or a 3rd-party package added or removed (Siman, col. 11, lines 1-10). The motivation regarding the obviousness of claim 2 is also applied to claim 8.
Claim 11 is rejected for similar reasons as stated above with respect to claim 2.
Claim 13 is rejected for similar reasons as stated above with respect to claim 4.
Claim 14 is rejected for similar reasons as stated above with respect to claim 5.
Claim 15 is rejected for similar reasons as stated above with respect to claim 6.
Claim 16 is rejected for similar reasons as stated above with respect to claim 7.
Claim 17 is rejected for similar reasons as stated above with respect to claim 8.
5.1. The prior art made of record and not relied upon is considered pertinent to applicant's disclosure as the prior art discloses many of the claim features (See PTO-form 892).
5.2. a). US Patent Application No. 20240338184 to Bendert et al. discloses, in some examples, methods, systems, devices, and machine-readable mediums for a dependency tracking service which automatically identifies and tracks information about dependencies of a software component and provides one or more visualizations displaying that information. The system may identify the dependencies through automated metadata analysis of the software component, behavior analysis of the software component, or source code analysis of the software component. The system may track status of the software component by reference to one or more code management systems, vulnerability reporting systems, or the like.
b). US Patent Application No. 20230168993 to Johnson et al. discloses methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for debugging an application. In some aspects, a method includes detecting rendering of a digital component by an application executing on the device. First signals indicative of visible attributes of content assets of the test digital component and second signals indicative of hierarchical associations between the content assets as rendered are obtained. A validation process that compares the first signals and the second signals to a set of requirements is invoked. A determination is made that one or more requirements are not met by the first signals or the second signals. In response to determining that the one or more requirements are not met, a non-compliant overlay is provided within the application indicating that the digital component fails to comply with the one or more requirements.
Conclusion
6. Any inquiry concerning this communication or earlier communications from the examiner should be directed to HARUNUR RASHID whose telephone number is (571)270-7195. The examiner can normally be reached 9 AM to 5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A. Shiferaw can be reached at (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
HARUNUR RASHID
Primary Examiner
Art Unit 2497
/HARUNUR RASHID/Primary Examiner, Art Unit 2497