Detailed Action
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-12 are pending in the application.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-2, 4-8, 10-12 are rejected under 35 U.S.C. 103 as being unpatentable over Anwar et al. US Patent Publication No. 2022/0083667 (“Anwar”) in view of Dhillon et al. US Patent Publication No. 2021/0264031 (“Dhillon”) and Papaxenopoulos et al. US Patent Publication No. 2018/0336356 (“Papaxenopoulos”).
Regarding claim 1, Anwar teaches a non-transitory computer-readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform operations for shrinking security patches, the operations comprising:
accessing executable code (fig. 1. application 108 with software package 106/110. create the applications 108);
scanning the executable code for an indicator of 3rd-party code associated with a software vulnerability (see fig. 2. known vulnerability. para. [0032] vulnerability effectiveness module 144 can analyze the known security vulnerabilities data feed 126 and composition of the application 108 to determine which security vulnerabilities are effect);
identifying, based on the scanning, the indicator of 3rd-party code (para. [0033] developer software packages 106 are identified);
determining, based on the scanning, that the executable code includes a local fix patching the software vulnerability or that the executable code is not configured to rely on the 3rd-party code (para. [0032] ineffective security vulnerability includes vulnerable code that is not executed by the application 108. para. [0033] developer software packages 106 are identified based on whether vulnerable code is executed… or is not executed).
Anwar discloses ignoring the developer package in which the application is not configured to rely on the package, i.e., determination that the executable code is not configured to rely on the 3rd-party code (para. [0035] transitive packages (i.e., packages not explicitly used by the developer) that are level 3 and deeper can be marked as ignored and/or can be fixed as time permits.).
Anwar does not expressly teach based on the determination that the executable code includes a local fix patching the software vulnerability or that the executable code is not configured to rely on the 3rd-party code, performing at least one of:
generating a security patch file that does not patch the software vulnerability; or
removing, from a security patch file, a patch associated with the software vulnerability, thereby reducing a size of the security patch file.
Dhillon discloses based on a determination that an executable code is not configured to rely on a code, performing at least one of: providing a security patch file that does not patch the software vulnerability (para. [0030] prioritized patching of vulnerable components. para. [0034] false positives can cause resources to be used in an inefficient manner, such as, for example, generating and deploying patches for vulnerabilities that are not exploitable. para. [0057] efficiently prioritize patches and stay protected, increase the speed in which necessary patches are provided, reduce wasted efforts on unnecessary patches, and/or expedite patch decisions based on an upfront analysis on the riskiness of a component). Anwar discloses ineffective security vulnerabilities and prioritizing vulnerability remediation (para. [0034]). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have implemented Dhillon’s disclosure of utilizing a security patch file that does not patch the software vulnerability. One of ordinary skill in the art would have been motivated to do so because it would have been beneficial to further prioritize patching of vulnerabilities over vulnerabilities that are not exploitable for increased speed of patching and reduced efforts on unnecessary patches.
While Dhillon discloses providing the security patch file, Dhillon does not expressly teach generating the security patch file. Papaxenopoulos discloses generating a security patch file (para. [0036] security vulnerabilities 206 so that a patch generator 210 can generate a patch 212 to remediate one or more of the security vulnerabilities 20). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Anwar and Dhillon with Papaxenopoulos’ disclosure of generating a security patch file. One of ordinary skill in the art would have been motivated to do so in order to have provided the capability to generate patches to remediate new security vulnerabilities.
Regarding claim 7, Anwar teaches a computer-implemented method for shrinking security patches, comprising:
accessing executable code (fig. 1. application 108 with software package 106/110. create the applications 108);
scanning the executable code for an indicator of 3rd-party code associated with a software vulnerability (see fig. 2. known vulnerability. para. [0032] vulnerability effectiveness module 144 can analyze the known security vulnerabilities data feed 126 and composition of the application 108 to determine which security vulnerabilities are effect);
identifying, based on the scanning, the indicator of 3rd-party code (para. [0033] developer software packages 106 are identified);
determining, based on the scanning, that the executable code includes a local fix patching the software vulnerability or that the executable code is not configured to rely on the 3rd-party code (para. [0032] ineffective security vulnerability includes vulnerable code that is not executed by the application 108. para. [0033] developer software packages 106 are identified based on whether vulnerable code is executed… or is not executed).
Anwar discloses ignoring the developer package in which the application is not configured to rely on the package, i.e., determination that the executable code is not configured to rely on the 3rd-party code (para. [0035] transitive packages (i.e., packages not explicitly used by the developer) that are level 3 and deeper can be marked as ignored and/or can be fixed as time permits.).
However, Anwar does not expressly teach based on the determination that the executable code includes a local fix patching the software vulnerability or that the executable code is not configured to rely on the 3rd-party code, performing at least one of:
generating a security patch file that does not patch the software vulnerability; or
removing, from a security patch file, a patch associated with the software vulnerability, thereby reducing a size of the security patch file.
Dhillon discloses based on a determination that an executable code is not configured to rely on a code, performing at least one of: providing a security patch file that does not patch the software vulnerability (para. [0030] prioritized patching of vulnerable components. para. [0034] false positives can cause resources to be used in an inefficient manner, such as, for example, generating and deploying patches for vulnerabilities that are not exploitable. para. [0057] efficiently prioritize patches and stay protected, increase the speed in which necessary patches are provided, reduce wasted efforts on unnecessary patches, and/or expedite patch decisions based on an upfront analysis on the riskiness of a component). Anwar discloses ineffective security vulnerabilities and prioritizing vulnerability remediation (para. [0034]). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have implemented Dhillon’s disclosure of utilizing a security patch file that does not patch the software vulnerability. One of ordinary skill in the art would have been motivated to do so because it would have been beneficial to further prioritize patching of vulnerabilities over vulnerabilities that are not exploitable for increased speed of patching and reduced efforts on unnecessary patches.
While Dhillon discloses the security patch file, Dhillon does not expressly teach generating the security patch file. Papaxenopoulos discloses generating a security patch file (para. [0036] security vulnerabilities 206 so that a patch generator 210 can generate a patch 212 to remediate one or more of the security vulnerabilities 20). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Anwar and Dhillon with Papaxenopoulos’ disclosure of generating a security patch file. One of ordinary skill in the art would have been motivated to do so in order to have provided the capability to generate patches to remediate new security vulnerabilities.
Regarding claim 2, Anwar in view of Dhillon and Papaxenopoulos teach the non-transitory computer-readable medium of claim 1. Anwar teaches the medium further comprising including, in a report, an indication of the determination that the executable code includes a local fix patching the software vulnerability or that the executable code is not configured to rely on the 3rd-party code (para. [0018] dependency tree. para. [0033] application dependency tree 200 for the application 108 is shown. packages 106 are identified based on whether vulnerable is executed… or is not executed. para. [0043] generates an application dependency tree).
Regarding claim 4, Anwar in view of Dhillon and Papaxenopoulos teach the non-transitory computer-readable medium of claim 1. Anwar teaches the medium further comprising determining, based on the scanning, that the executable code is not configured to rely on the 3rd-party code by determining that the executable code does not include a call to the 3rd-party code (para. [0032] ineffective security vulnerability includes vulnerable code that is not executed by the application 108.).
Regarding claim 5, Anwar in view of Dhillon and Papaxenopoulos teach the non-transitory computer-readable medium of claim 1. Anwar teaches wherein the executable code is configured to execute on a controller (para. [0048] computer system 400. para. [0050] processing unit 402 may be a standard central processor that performs arithmetic and logical operations, a more specific purpose programmable logic controller).
Regarding claim 6, Anwar in view of Dhillon and Papaxenopoulos teach the non-transitory computer-readable medium of claim 1. Anwar teaches wherein the 3rd-party code is a 3rd-party software package (Anwar: para. [0024] developer software packages 106 can include software code created by the developers 104.).
Regarding claim 8, Anwar in view of Dhillon and Papaxenopoulos teach the computer-implemented method of claim 7. Anwar teaches the method further comprising including, in a report, an indication of the determination that the executable code includes a local fix patching the software vulnerability or that the executable code is not configured to rely on the 3rd-party code (para. [0018] dependency tree. para. [0033] application dependency tree 200 for the application 108 is shown. packages 106 are identified based on whether vulnerable is executed… or is not executed. para. [0043] generates an application dependency tree).
Regarding claim 10, Anwar in view of Dhillon and Papaxenopoulos teach the computer-implemented method of claim 7. Anwar teaches the method further comprising determining, based on the scanning, that the executable code is not configured to rely on the 3rd-party code by determining that the executable code does not include a call to the 3rd-party code (para. [0032] ineffective security vulnerability includes vulnerable code that is not executed by the application 108.).
Regarding claim 11, Anwar in view of Dhillon and Papaxenopoulos teach the computer-implemented method of claim 7. Anwar teaches wherein the executable code is configured to execute on a controller (para. [0048] computer system 400. para. [0050] processing unit 402 may be a standard central processor that performs arithmetic and logical operations, a more specific purpose programmable logic controller).
Regarding claim 12, Anwar in view of Dhillon and Papaxenopoulos teach the computer-implemented method of claim 7. Anwar teaches wherein the 3rd-party code is a 3rd-party software package (para. [0024] developer software packages 106 can include software code created by the developers 104.).
Claims 3 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over Anwar in view of Dhillon, Papaxenopoulos, and Karas et al. US Patent Publication No. 2023/0185921 (“Karas”).
Regarding claim 3, Anwar does not teach the non-transitory computer-readable medium of claim 1, wherein the indicator of 3rd-party code includes a version identifier of the 3rd-party code.
Karas discloses indicator of 3rd-party code that includes a version identifier of the 3rd-party code (para. [0027] may be analyzed to extract identifiers of third party software modules. software modules may be developed separately from the analyzed binary and recognized, privately or publicly, as separate entities with their own versions, names, or the like. extracting their version numbers, their identifiers, their names, or the like, which may be subsequently utilized for looking up CVEs). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Anwar with Karas’ disclosure of identifying an indicator of 3rd-party code that includes a version identifier of the 3rd-party code. One of ordinary skill in the art would have been motivated to do so in order to have obtained information to perform a lookup process to identify vulnerabilities.
Regarding claim 9, Anwar does not teach the computer-implemented method of claim 7, wherein the indicator of 3rd-party code includes a version identifier of the 3rd-party code.
Karas discloses indicator of 3rd-party code that includes a version identifier of the 3rd-party code (para. [0027] may be analyzed to extract identifiers of third party software modules. software modules may be developed separately from the analyzed binary and recognized, privately or publicly, as separate entities with their own versions, names, or the like. extracting their version numbers, their identifiers, their names, or the like, which may be subsequently utilized for looking up CVEs). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Anwar with Karas’ disclosure of identifying an indicator of 3rd-party code that includes a version identifier of the 3rd-party code. One of ordinary skill in the art would have been motivated to do so in order to have obtained information to perform a lookup process to identify vulnerabilities.
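The following is an added illustrative implementation of the procedure recited in claims 1 and 7, together with the report of claims 2 and 8, the version identifier of claims 3 and 9, and the call check of claims 4 and 10. It is not code from this Office action or from any of the cited Anwar, Dhillon, Papaxenopoulos or Karas publications. The executable is modelled as a byte string carrying "name/x.y.z" version banners and "LOCALFIX:<advisory>" markers, the application's calls as a static call graph, and the patch file as a list of per-advisory entries; all package names, advisory identifiers, call-graph entries and patch sizes are constructed sample data.

```python
"""Patch shrinking by vulnerability effectiveness (added example, not from the
Office action or the cited applications; all data below is constructed)."""
import re
from collections import deque
from dataclasses import dataclass

# Constructed vulnerability feed: (package, version) -> advisories, each naming
# the function in the 3rd-party package that is vulnerable.
VULN_FEED = {
    ("libparse", "1.2.0"): [("ADV-0001", "libparse_decode")],
    ("libcrypt", "3.0.1"): [("ADV-0002", "libcrypt_verify")],
    ("libimg", "0.9.5"): [("ADV-0003", "libimg_load")],
}

# Constructed executable: "name/x.y.z" strings act as indicators of bundled
# 3rd-party code, "LOCALFIX:<advisory>" marks a backported fix.
SAMPLE_BINARY = (
    b"\x7fELF...libparse/1.2.0...LOCALFIX:ADV-0001..."
    b"libcrypt/3.0.1...libimg/0.9.5...main\x00"
)

# Constructed static call graph (caller -> callees). libcrypt_verify is
# linked in but never reached from the entry point.
CALL_GRAPH = {
    "main": ["handle_request", "libparse_decode"],
    "handle_request": ["render"],
    "render": ["libimg_load"],
}

# Constructed patch file: one entry per advisory with its size in bytes.
PATCH_FILE = [
    {"advisory": "ADV-0001", "size": 4096},
    {"advisory": "ADV-0002", "size": 8192},
    {"advisory": "ADV-0003", "size": 2048},
]

INDICATOR_RE = re.compile(rb"([a-z][a-z0-9_]+)/(\d+\.\d+\.\d+)")
LOCALFIX_RE = re.compile(rb"LOCALFIX:([A-Z]+-\d+)")


@dataclass
class Determination:
    advisory: str
    package: str
    version: str
    effective: bool   # True -> the patch must stay in the patch file
    reason: str       # written to the report


def scan_indicators(binary: bytes):
    """Scan for 3rd-party indicators (name + version) and local-fix markers."""
    components = [(m.group(1).decode(), m.group(2).decode())
                  for m in INDICATOR_RE.finditer(binary)]
    local_fixes = {m.group(1).decode() for m in LOCALFIX_RE.finditer(binary)}
    return components, local_fixes


def reachable(call_graph, entry_points=("main",)):
    """Breadth-first set of functions reachable from the entry points."""
    seen, queue = set(entry_points), deque(entry_points)
    while queue:
        for callee in call_graph.get(queue.popleft(), []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def determine(binary, call_graph, feed):
    """Per advisory: local fix present, vulnerable code not called, or effective."""
    components, local_fixes = scan_indicators(binary)
    called = reachable(call_graph)
    out = []
    for package, version in components:
        for advisory, vuln_func in feed.get((package, version), []):
            if advisory in local_fixes:
                out.append(Determination(advisory, package, version, False,
                                         "local fix present"))
            elif vuln_func not in called:
                out.append(Determination(advisory, package, version, False,
                                         "vulnerable code not called"))
            else:
                out.append(Determination(advisory, package, version, True,
                                         "vulnerable code reachable"))
    return out


def shrink_patch_file(patch_file, determinations):
    """Drop patches for ineffective vulnerabilities; return kept entries and bytes saved."""
    drop = {d.advisory for d in determinations if not d.effective}
    kept = [p for p in patch_file if p["advisory"] not in drop]
    saved = sum(p["size"] for p in patch_file) - sum(p["size"] for p in kept)
    return kept, saved


def report(determinations):
    """One report line per determination."""
    return [f"{d.advisory} {d.package}/{d.version}: "
            f"{'PATCH' if d.effective else 'SKIP'} ({d.reason})"
            for d in determinations]


if __name__ == "__main__":
    dets = determine(SAMPLE_BINARY, CALL_GRAPH, VULN_FEED)
    print("\n".join(report(dets)))
    kept, saved = shrink_patch_file(PATCH_FILE, dets)
    print(f"kept {len(kept)} of {len(PATCH_FILE)} patches, saved {saved} bytes")
```

On the sample data, the advisory covered by a local fix and the advisory whose vulnerable function is never reached from the entry point are both dropped, leaving one patch and cutting the patch file from 14336 to 2048 bytes. A reachability check of this kind is only as sound as the call graph behind it; indirect calls, dynamic loading and reflection can make a function reachable without a visible edge, so a production implementation would treat an unresolved call target as reachable rather than silently skipping the patch.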
Examiner’s Note
The following prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
Zhang et al. US Patent Publication No. 2024/0126531 (para. [0033] patch/upgrade is generated. software patches are used to implement any desired type of change to an item of software. in the case of patches for database software, the patch may relate to a change for database operation or functionality, e.g., to fix security vulnerabilities. process will generate a patch file that includes the changes to the software program. para. [0037] distribution is created for the patch/upgrade. For example, a patch file is created)
Stopel et al. US Patent Publication No. 2019/0121986 (para. [0044] version identifier of each package is then determined. version identifier is compared to a list of known vulnerabilities associated with specific libraries versions. software libraries may include third party software libraries)
Conclusion
A shortened statutory period for reply to this Office action is set to expire THREE MONTHS from the mailing date of this action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Joshua Joo whose telephone number is 571 272-3966. The examiner can normally be reached on Monday-Friday 7am-3pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Oscar Louie can be reached on 571 270-1684. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/JOSHUA JOO/Primary Examiner, Art Unit 2445