Prosecution Insights
Last updated: April 19, 2026
Application No. 18/825,987

AUTOMATED COMPREHENSIVE SECURITY SCANNING SYSTEM FOR LARGE-SCALE DISTRIBUTED CODE REPOSITORIES

Status: Non-Final OA, §103
Filed: Sep 05, 2024
Examiner: RASUL, MUHAMMAD HASHIR
Art Unit: 2492
Tech Center: 2400 — Computer Networks
Assignee: Disney Enterprises Inc.
OA Round: 1 (Non-Final)
Grant Probability: Favorable
OA Rounds: 1-2
To Grant: 3y 1m

Examiner Intelligence

Career Allow Rate: 0% (grants only 0% of cases; 0 granted / 0 resolved; -58.0% vs TC avg)
Interview Lift: +0.0% (minimal lift; resolved cases with interview vs. without)
Avg Prosecution: 3y 1m (typical timeline); 4 currently pending
Career history: 4 total applications across all art units

Statute-Specific Performance

§101: 7.7% (-32.3% vs TC avg)
§103: 61.5% (+21.5% vs TC avg)
§102: 7.7% (-32.3% vs TC avg)
§112: 15.4% (-24.6% vs TC avg)
Based on career data from 0 resolved cases (chart: black line = Tech Center average estimate)

Office Action

§103
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Priority
Applicant's claim for the benefit of a prior-filed application under 35 U.S.C. 119(e) or under 35 U.S.C. 120, 121, 365(c), or 386(c) is acknowledged.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claim(s) 1-9, 11-20 are rejected under 35 U.S.C. 103 as being unpatentable over Larkin et al. (US 20240289462 A1) in view of Adams et al. (US 20210200834 A1), in further view of Testsigma ("The Comprehensive Guide to Parallel Testing").
Regarding claim 1, Larkin teaches a computer-implemented method for performing automated software security scanning (Abstract, "Systems, methods, and computer-readable media for operationalizing standard bill of material (SBOM) content for a software application and providing SBOM analysis … remediate vulnerable components contained in the SBOM by identifying vulnerable components within the SBOM…"; Paragraph 54, "an alert grammar includes a set of rules or parameters that are used to classify telemetry events obtained by a telemetry interception and analysis platform (TIAP) during operation of an application." Paragraph 183, "The TIAP can automatically discover and prioritize application risks across application code, dependencies, container images, and web interfaces to help developers ship secure code faster. The TIAP not only scans static container images, but also observes running applications or Kubernetes environments, providing detailed usage information, including vulnerability usage, severity, CVSS scores, and license type," The TIAP is the system used for automated software vulnerability scanning.) and the method comprising: … execution of one or more scripts included in a script database… (Paragraph 70, "a TIAP portal may refer to a Software as a Service (SaaS) or on-premise management server that host TIAP, including the dashboard and other TIAP UI screens, as well as any services required to set up installation of TIAP runtime code to monitor a customer's application, collect telemetry from the customer's application, and analyze collected telemetry," The TIAP server is interpreted as the scripts database, where the programs used to set up TIAP for application monitoring are considered the scripts). launching a plurality of container tasks for … executing one or more scanning operations on codebase branch … (Paragraph 59, "a component is abstract definition of a single type of process known to the platform (e.g., "database" or "web server"). An application can operate using one or more components." Paragraph 173, "…container or environment where the application is running." Paragraph 143, "FIG. 7 shows an illustrative block diagram of TIAP 700 according to an embodiment. In particular, FIG. 7 shows instances of one or more components 710 associated with a customer application being run and sending telemetry events, a user interface 720 for interfacing with the TIAP, and backend portion of the TIAP portal 730." Paragraph 122, "The telemetry grammars runtime can define a telemetry level for each component or component instance." Paragraph 108, "The interception code can include telemetry grammars that define which events should be monitored for and recorded," the telemetry grammars/events assigned to each component instance are interpreted as container tasks.). and generating one or more scan results based on the one or more scanning operations executed on … codebase branch (Paragraph 157, "FIG. 8 shows an illustrative block diagram of an analytics service 800 according to an embodiment. Analytics service 800 can analyze collected events 802 and provide outputs 804 based on the analysis performed thereon. Analytics service 800 enables customers to understand the behavior and vulnerabilities of their applications by enabling customers to view in real-time statistics of the execution of their applications and to receive recommended remediation steps to resolve those vulnerabilities and to improve behavior," application instances are interpreted as codebase branches, the analytics service capable of viewing statistics of more than one application.)

However, Larkin does not specifically teach copying, via execution of one or more scripts included in a script database, a plurality of codebase branches included in a code repository into a clone database, … simultaneously executing scanning operations on codebase branches included in the plurality of codebase branches, nor … results based on the one or more scanning operations executed on the plurality of codebase branches. Adams teaches copying, via execution of one or more scripts included in a script database, a plurality of codebase branches included in a code repository into a clone database (Paragraph 6, "The repository security service can be configured to, without limitation: clone a selected branch of the source repository from the repository database to a local directory as a cloned repository; analyze the cloned repository…" Paragraph 91, "the centralized repository security service 108 creates a first clone of the production branch of the first repository pulling the first user's changes at a first path. In addition, the centralized repository security service 108 creates a second clone of the production branch of the first repository pulling the second user's changes at a second path. Finally, the centralized repository security service 108 creates a third clone of the production branch of the second repository pulling the third user's changes at a third path," the program used in the repository security service for copying a repository branch is considered the script in the script database, Fig. 1 showing the repository security service running on a host server connected to the code repository service, this being interpreted as the script database; the clone repository is interpreted as the clone database; codebases also contain one or more repositories/repository branches. The different production branches are the plurality of codebase branches included in the code repository).

Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to enhance Larkin's systems, methods, and computer readable media for remediating security vulnerabilities with Adams' repository cloning step by enhancing Larkin's TIAP server's code to additionally clone a repository branch before performing analysis and remediation on it, just like Adams' repository security service does. The motivation is that it is good practice in software version control to make modifications to a copy of code, while maintaining the original version such that software instability doesn't ensue, where the original version is fallen back upon if remediation attempts to software end up introducing more issues.

However, Larkin in view of Adams does not explicitly teach … simultaneously executing scanning operations on codebase branches included in the plurality of codebase branches, nor … results based on the one or more scanning operations executed on the plurality of codebase branches… Testsigma teaches … simultaneously executing one or more scanning operations on codebase branches included in the plurality of codebase branches (Page 2, "In parallel testing, tests are run simultaneously in different environments, devices, and browser setups. It primarily aims to save time and resources. It is contrary to serial testing, where tests are run one after the other, which can be time-consuming, especially for large test suites." Page 3, "When there is a new update for an application that is similar to the previous version, parallel tests can be run to verify different versions of the application. This helps ensure that the new update functions properly and remains consistent with the earlier version." Applications and different versions of applications are regarded as codebase branches, so the plurality of codebase branches mentioned here is the different application versions). … results based on the one or more scanning operations executed on the plurality of codebase branches… (Page 5, "When we run the parallel testing cycle, the results of both the new and legacy systems should be measured line by line with differences highlighted. Every difference which we captured should be defined as per the type of error."). Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to enhance Larkin in view of Adams' systems, methods, and computer readable media for remediating security vulnerabilities, in view of Larkin in view of Adams' repository cloning step, with Testsigma's parallel software testing by setting Larkin in view of Adams' TIAP server to analyze multiple branches from a plurality of codebase branches that the user designates. The motivation is that analyzing multiple codebase branches at the same time in a codebase speeds up testing significantly over analyzing one branch at a time.

Regarding claim 2, Larkin in view of Adams, and in further view of Testsigma teaches the computer-implemented method of claim 1. Larkin teaches analyzing a plurality of codebase branches (Paragraph 157, "Analytics service 800 enables customers to understand the behavior and vulnerabilities of their applications"). However, Larkin does not explicitly teach copying one or more additional codebase branches included in one or more additional code repositories. Adams teaches copying the plurality of codebase branches further comprises copying one or more additional codebase branches included in one or more additional code repositories into the clone database (Paragraph 91, "the centralized repository security service 108 creates a first clone of the production branch of the first repository pulling the first user's changes at a first path. In addition, the centralized repository security service 108 creates a second clone of the production branch of the first repository pulling the second user's changes at a second path. Finally, the centralized repository security service 108 creates a third clone of the production branch of the second repository pulling the third user's changes at a third path"). The motivation to combine Adams with Larkin for the rejection of claim 2 is the motivation stated for claim 1 above.

Regarding claim 3, Larkin in view of Adams, and in further view of Testsigma teaches the computer-implemented method of claim 1. Larkin teaches the one or more scan results including one or more of indications of software vulnerabilities associated with one of the plurality of codebase branches, third-party software dependency errors associated with one of the plurality of codebase branches (Paragraph 47, "The primary objective of the Vulnerability Exploitability Exchange (VEX) is to provide engineering teams with the information necessary to determine whether a product is impacted by a specific vulnerability discovered in a dependency or operating system package." Paragraph 183, "The TIAP can automatically discover and prioritize application risks across application code, dependencies, container images, and web interfaces to help developers ship secure code faster." Paragraph 187, "The TIAP's report provides a much more comprehensive view of a developer's application, from the static image to the running container." Paragraph 50, "By providing a clear and up-to-date inventory of all the third-party components used in a software project, developers can use this information to identify any known vulnerabilities in the components …" The TIAP system scans the vulnerabilities of the codebase branch being analyzed, one aspect being dependencies, among which third-party dependencies are included). Larkin further teaches scanning for sensitive data (Paragraph 54, "Yet other grammars can include compliance grammars that search telemetry data for specific items such as, for example, credit card numbers, personally identifiable information (PII), addresses, bank accounts, etc." The telemetry data analysis including the stated types of information means there is a scan for sensitive data.). However, Larkin does not teach analysis for specifically organizational data in codebase branches. Adams teaches scanning secret/sensitive organizational data included in one of the plurality of codebase branches (Paragraph 53, "For example, a static analysis tool may be configured to identify … comments containing sensitive or private information; password or username logging or printing," the data types the static analysis tool checks fall under the sensitive organizational data category). Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to enhance Larkin's systems, methods, and computer readable media for remediating security vulnerabilities in view of Adams' check for organizational sensitive data by adding a check for username and password information in addition to PII, credit card numbers, etc. The motivation is that analyzing multiple codebase branches at the same time in a codebase speeds up testing significantly over analyzing one branch at a time. The motivation is that this will enhance the quality of the security analysis of the code (Adams, paragraph 54, "it is appreciated that any suitable static analysis tool may be configured to detect any suitable undesirable condition of a software product, whether that condition relates to information security").

Regarding claim 4, Larkin in view of Adams, and in further view of Testsigma teaches the computer-implemented method of claim 1. Larkin teaches scripts specifying a subset of codebase branches in the code repository (Paragraph 156, "TIAP 700 can maintain several databases in databases 744. An event database can contain all the telemetry received from all loaded applications/components, for all customers. The data in the events database is deposited by the event service and queried by the analytics, CVE, API, and blueprinting services." Paragraph 82, "Application module 120 may include a native library 125 (e.g., Libc.so) that is used during operation of the application. Native library 125 may include one or more components 126." The scripts specifying the subset of codebase branches in the codebase repository are the code modules loaded along with the applications that are to be analyzed, thus specifying the subset of applications/codebase branches that are running).

Regarding claim 5, Larkin in view of Adams, and in further view of Testsigma teaches the computer-implemented method of claim 4. However, Larkin does not teach priority levels in codebase branches. Adams teaches the specifying of the subset of codebase branches is based on one or more priority levels associated with the plurality of codebase branches (Paragraph 120, "As with the operation 502, the operation 504 may further include an authorization step, or operation, in which the centralized repository security service performs an authorization step prior to cloning or attempting to clone the repository identified by the event received…" Paragraph 118, "the operation 502 further includes an authorization and/or authentication step in which the centralized repository security service identifies itself to a repository server as an authorized account to receive repository events and/or as authorized to clone or otherwise copy one or more specific repositories." The repository security service has a different process for cloning depending on the repository it is attempting to clone for analysis, with certain repositories having different authorization levels, thus meaning that the repository security service uses security levels as priority levels, identifying the codebases it is to clone). Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to enhance Larkin's systems, methods, and computer readable media for remediating security vulnerabilities in view of Adams' authorization levels for analyzing repositories by adding security levels to certain repositories, the permissions to access certain security levels being checked before analysis. Allowing only authorized accounts to analyze certain repositories enhances the security of a codebase, as it prevents unpermitted use of organization resources.

Regarding claim 6, Larkin in view of Adams, and in further view of Testsigma teaches the computer-implemented method of claim 1. Larkin teaches identifying, based on the one or more scripts, one or more top-level codebase branches and one or more nested codebase branches associated with the one or more top-level codebase branches (Paragraph 184, "FIG. 11 shows an illustrative GUI page 1100 showing SBOM data and runtime security generated by the TIAP according to an embodiment. GUI page 1100 can include side bar 1102 that includes several user selectable items, top bar 1110 that shows an application being evaluated and associated metrics 1112. Metric 1112 can include metrics for environment 1112a (e.g., shown here for all environments), namespaces 1112b (e.g., shown here for all namespaces), and version 1112c (e.g., shown here for latest version)," The versions of the application are treated as the top-level and nested codebase branches, as earlier versions can be seen as top-level codebase branches, and more recent versions of the application can be seen as nested codebase branches).

Regarding claim 7, Larkin in view of Adams, and in further view of Testsigma teaches the computer-implemented method of claim 1. However, Larkin does not teach cloning being based on permissions in a secrets database. Adams teaches the copying the plurality of codebase branches based on one or more of authentication, identification, or permission information included in a secrets database (Paragraph 120, "As with the operation 502, the operation 504 may further include an authorization step, or operation, in which the centralized repository security service performs an authorization step prior to cloning or attempting to clone the repository identified by the event received…" Paragraph 118, "the operation 502 further includes an authorization and/or authentication step in which the centralized repository security service identifies itself to a repository server as an authorized account to receive repository events and/or as authorized to clone or otherwise copy one or more specific repositories," the repository server can be seen as the secrets database that gives permissions to users, since its authorization requirements must be met for cloning to be permitted). Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to enhance Larkin's systems, methods, and computer readable media for remediating security vulnerabilities in view of Adams' authorization levels for analyzing repositories by adding security levels to certain repositories, the permissions to access certain security levels being checked before analysis. Allowing only authorized accounts to analyze certain repositories enhances the security of a codebase, as it prevents unpermitted use of organization resources.

Regarding claim 8, Larkin in view of Adams, and in further view of Testsigma teaches the computer-implemented method of claim 1. Larkin teaches displaying the one or more scan results via an interactive dashboard, wherein the one or more scan results include statistical data associated with the plurality of codebase branches (Paragraph 157, "FIG. 8 shows an illustrative block diagram of an analytics service 800 according to an embodiment. Analytics service 800 can analyze collected events 802 and provide outputs 804 based on the analysis performed thereon. Analytics service 800 enables customers to understand the behavior and vulnerabilities of their applications by enabling customers to view in real-time statistics of the execution of their applications and to receive recommended remediation steps to resolve those vulnerabilities and to improve behavior," application instances are interpreted as codebase branches, the analytics service capable of viewing statistics of more than one application and displaying them to the user).

Regarding claim 9, Larkin in view of Adams, and in further view of Testsigma teaches the computer-implemented method of claim 1. Larkin does not explicitly teach assigning one of the plurality of codebase branches to one of the plurality of container tasks based on a queue of codebase branches. Adams teaches assigning one of the plurality of codebase branches to one of the plurality of container tasks based on a queue of codebase branches (Paragraph 2, "Embodiments described herein relate to collaborative software development environments and, in particular, to systems and methods for asynchronously performing static analysis on a clone of a given code repository in response to one or more repository event triggers." Paragraph 50, "The images or virtual machines may be discrete files or disk image files that, when accessed by a processor of the centralized repository security service, instantiate a container or virtual machine configured to perform one or more static analysis operations or tasks." Paragraph 84, "respond to repository events by cloning an associated repository and pull changes that triggered each repository event; enqueue repository events received." The repository events being queued means there is a queuing up of security analysis jobs on the service for the repository/codebase branches, and since the machine uses containers to run the application, these analysis jobs are assigned to container tasks.). Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to enhance Larkin's systems, methods, and computer readable media for remediating security vulnerabilities in view of Adams' queuing system of repository events/security analysis jobs. The motivation would be to prevent an overconsumption of server resources when a codebase branch is to be analyzed for security purposes, instead allocating server resources as needed.
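As an added illustration of the pipeline the rejected claims recite (a script copies branches into a clone store, a queue hands branches to a pool of container tasks that scan concurrently, per-branch results feed dashboard statistics), the following is hypothetical Python written for this note, not code from Larkin, Adams or Testsigma; the repository contents, advisory list and secret patterns are constructed, and threads stand in for container tasks.

```python
"""Simulation of the claimed scan pipeline (claims 1, 3, 8 and 9).
Hypothetical code written for this note; not from any cited reference.
Every branch, file, advisory and pattern below is constructed."""
import copy
import queue
import re
import threading
from dataclasses import dataclass, field

# Constructed code repository: branch name -> {file path: file contents}.
REPOSITORY = {
    "main": {"requirements.txt": "requests==2.31.0\nflask==2.3.2\n",
             "app.py": "import os\nTOKEN = os.environ['TOKEN']\n"},
    "feature/login": {"requirements.txt": "requests==2.19.0\nflask==2.3.2\n",
                      "auth.py": "password = 'hunter2'  # TODO remove\n"},
    "release/1.0": {"requirements.txt": "flask==0.12\n",
                    "deploy.cfg": "db_user=admin\ndb_password=s3cret\n"},
}

# Constructed advisory feed: package -> (first fixed version, placeholder id).
ADVISORIES = {
    "requests": ("2.20.0", "ADVISORY-PLACEHOLDER-1"),
    "flask": ("1.0", "ADVISORY-PLACEHOLDER-2"),
}

# Constructed patterns for the "sensitive organizational data" check.
SECRET_PATTERNS = [
    re.compile(r"(?i)\bpassword\s*=\s*['\"]?[^'\"\s]+"),
    re.compile(r"(?i)\bdb_password\s*=\s*\S+"),
]


@dataclass
class ScanResult:
    branch: str
    dependency_errors: list = field(default_factory=list)
    sensitive_data: list = field(default_factory=list)


def version_tuple(v):
    return tuple(int(p) for p in v.split("."))


def clone_branches(repo, branches, clone_db):
    # The "script": copy the selected branches into the clone store so the
    # scanners never touch the original repository contents.
    for name in branches:
        clone_db[name] = copy.deepcopy(repo[name])


def scan_dependencies(files):
    """Flag pinned third-party packages older than the first fixed version."""
    errors = []
    for line in files.get("requirements.txt", "").splitlines():
        if "==" not in line:
            continue
        pkg, ver = line.strip().split("==", 1)
        if pkg in ADVISORIES:
            fixed, adv = ADVISORIES[pkg]
            if version_tuple(ver) < version_tuple(fixed):
                errors.append(f"{pkg}=={ver} ({adv}, fixed in {fixed})")
    return errors


def scan_sensitive_data(files):
    """Report file:line for every line matching a secret pattern."""
    hits = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            if any(p.search(line) for p in SECRET_PATTERNS):
                hits.append(f"{path}:{lineno}")
    return hits


def run_pipeline(repo, branches, workers=3):
    """Clone, enqueue, scan concurrently; return {branch: ScanResult}."""
    clone_db = {}
    clone_branches(repo, branches, clone_db)
    work = queue.Queue()           # the queue of codebase branches
    for name in branches:
        work.put(name)
    results, lock = {}, threading.Lock()

    def container_task():          # one thread stands in for one container
        while True:
            try:
                name = work.get_nowait()
            except queue.Empty:
                return             # queue drained: task exits
            files = clone_db[name]
            res = ScanResult(name, scan_dependencies(files),
                             scan_sensitive_data(files))
            with lock:
                results[name] = res

    threads = [threading.Thread(target=container_task) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def dashboard_stats(results):
    """Per-branch counts of the kind an interactive dashboard would chart."""
    return {b: {"dependency_errors": len(r.dependency_errors),
                "sensitive_data": len(r.sensitive_data)}
            for b, r in results.items()}
```

Running `dashboard_stats(run_pipeline(REPOSITORY, list(REPOSITORY)))` yields one row per branch; the clean branch reports zero findings while the other two each surface one outdated dependency and one credential hit.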
Regarding claim 11, Larkin teaches one or more non-transitory computer-readable media storing instructions that, when executed by one or more processors, cause the one or more processors to perform the steps of: … execution of one or more scripts included in a script database… (Paragraph 70, "a TIAP portal may refer to a Software as a Service (SaaS) or on-premise management server that host TIAP, including the dashboard and other TIAP UI screens, as well as any services required to set up installation of TIAP runtime code to monitor a customer's application, collect telemetry from the customer's application, and analyze collected telemetry," The TIAP server is interpreted as the scripts database, where the programs used to set up TIAP for application monitoring are considered the scripts). launching a plurality of container tasks for … executing one or more scanning operations on codebase branch … (Paragraph 59, "a component is abstract definition of a single type of process known to the platform (e.g., “database” or “web server”). Paragraph 173, "…container or environment where the application is running." An application can operate using one or more components." Paragraph 143, "FIG. 7 shows an illustrative block diagram of TIAP 700 according to an embodiment. In particular, FIG. 7 shows instances of one or more components 710 associated with a customer application being run and sending telemetry events, a user interface 720 for interfacing with the TIAP, and backend portion of the TIAP portal 730." Paragraph 122, " The telemetry grammars runtime can define a telemetry level for each component or component instance." Paragraph 108, "The interception code can include telemetry grammars that define which events should be monitored for and recorded," the telemetry grammars/events assigned to each component instance are interpreted as container tasks.). 
and generating one or more scan results based on the one or more scanning operations executed on … codebase branch (Paragraph 157, "FIG. 8 shows an illustrative block diagram of an analytics service 800 according to an embodiment. Analytics service 800 can analyze collected events 802 and provide outputs 804 based on the analysis performed thereon. Analytics service 800 enables customers to understand the behavior and vulnerabilities of their applications by enabling customers to view in real-time statistics of the execution of their applications and to receive recommended remediation steps to resolve those vulnerabilities and to improve behavior," application instances are interpreted as codebase branches, the analytics service capable of viewing statistics of more than one application. However, Larkin does not specifically teach copying, via execution of one or more scripts included in a script database, a plurality of codebase branches included in a code repository into a clone database, … simultaneously executing scanning operations on codebase branches included in the plurality of codebase branches, nor … results based on the one or more scanning operations executed on the plurality codebase branches. Adams teaches copying, via execution of one or more scripts included in a script database, a plurality of codebase branches included in a code repository into a clone database (Paragraph 6, "The repository security service can be configured to, without limitation: clone a selected branch of the source repository from the repository database to a local directory as a cloned repository; analyze the cloned repository…" Paragraph 91, " the centralized repository security service 108 creates a first clone of the production branch of the first repository pulling the first user's changes at a first path. 
In addition, the centralized repository security service 108 creates a second clone of the production branch of the first repository pulling the second user's changes at a second path. Finally, the centralized repository security service 108 creates a third clone of the production branch of the second repository pulling the third user's changes at a third path," the program used in the repository security service for copying a repository branch is considered the script in the script database, Fig.1 showing the repository security service running on a host server connected to the code repository service, this being interpreted as the script database, the clone repository is interpreted as the clone database, codebases also contain one or more repositories/repository branches. The different production branches are the plurality of codebase branches included in the code repository). Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to enhance Larkin's systems, methods, and computer readable media for remediating security vulnerabilities with Adams' repository cloning step by enhancing Larkin’s TIAP server's code to additionally clone a repository branch before performing analysis and remediation on it, just like Adams' repository security service does. The motivation is that it is good practice in software version control to make modifications to a copy of code, while maintaining the original version such that software instability doesn't ensue, where the original version is fell back upon if remediation attempts to software end up introducing more issues. However, Larkin in view of Adams does not explicitly teach, … simultaneously executing scanning operations on codebase branches included in the plurality of codebase branches, nor … results based on the one or more scanning operations executed on the plurality codebase branches... 
Testsigma teaches , … simultaneously executing one or more scanning operations on codebase branches included in the plurality of codebase branches (Page 2, "In parallel testing, tests are run simultaneously in different environments, devices, and browser setups. It primarily aims to save time and resources. It is contrary to serial testing, where tests are run one after the other, which can be time-consuming, especially for large test suites." Page 3, "When there is a new update for an application that is similar to the previous version, parallel tests can be run to verify different versions of the application. This helps ensure that the new update functions properly and remains consistent with the earlier version." Applications and different versions of applications are regarded as codebase branches, so the plurality of codebase branches mentioned here is the different application versions). … results based on the one or more scanning operations executed on the plurality codebase branches... (Page 5, “When we run the parallel testing cycle, the results of both the new and legacy systems should be measured line by line with differences highlighted. Every difference which we captured should be defined as per the type of error.”). Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to enhance Larkin in view of Adams’ systems, methods, and computer readable media for remediating security vulnerabilities in view of Larkin in view of Adams' repository cloning step with Testsigma's parallel software testing by setting Larkin in view of Adams’ TIAP server to analyze multiple branches from a plurality of codebase branches that the user designates. The motivation is that analyzing multiple codebase branches at the same time in a codebase speeds up testing significantly over analyzing one branch at a time. 
Regarding claim 12, Larkin in view of Adams, and in further view of Testsigma teaches the one or more non-transitory computer-readable media of claim 11. Larkin teaches analyzing a plurality of codebase branches (Paragraph 157, “Analytics service 800 enables customers to understand the behavior and vulnerabilities of their applications") However, Larkin does not explicitly teach copying one or more additional codebase branches included in one or more additional code repositories. Adams teaches copying the plurality of codebase branches further comprises copying one or more additional codebase branches included in one or more additional code repositories into the clone database (Paragraph 91, " the centralized repository security service 108 creates a first clone of the production branch of the first repository pulling the first user's changes at a first path. In addition, the centralized repository security service 108 creates a second clone of the production branch of the first repository pulling the second user's changes at a second path. Finally, the centralized repository security service 108 creates a third clone of the production branch of the second repository pulling the third user's changes at a third path"). The motivation to combine Adams to Larkin for the rejection of claim 12 is the motivation stated for claim 11 above. Regarding claim 13, Larkin in view of Adams, and in further view of Testsigma teaches the one or more non-transitory computer-readable media of claim 11. 
Larkin teaches the one or more scan results including one or more of indications of software vulnerabilities associated with one of the plurality of codebase branches, third-party software dependency errors associated with one of the plurality of codebase branches (Paragraph 47, "The primary objective of the Vulnerability Exploitability Exchange (VEX) is to provide engineering teams with the information necessary to determine whether a product is impacted by a specific vulnerability discovered in a dependency or operating system package." Paragraph 183, "The TIAP can automatically discover and prioritize application risks across application code, dependencies, container images, and web interfaces to help developers ship secure code faster." Paragraph 187, "The TIAP's report provides a much more comprehensive view of a developer's application, from the static image to the running container." Paragraph 50, "By providing a clear and up-to-date inventory of all the third-party components used in a software project, developers can use this information to identify any known vulnerabilities in the components …" The TIAP system scans the vulnerabilities of the codebase branch being analyzed, one aspect being dependencies, among which are third-party ones). Larkin further teaches scanning for sensitive data (Paragraph 54, "Yet other grammars can include compliance grammars that search telemetry data for specific items such as, for example, credit card numbers, personally identifiable information (PII), addresses, bank accounts, etc." The telemetry data analysis including the stated types of information means there is a scan for sensitive data). However, Larkin does not teach analysis for specifically organizational data in codebase branches.
Adams teaches scanning secret/sensitive organizational data included in one of the plurality of codebase branches (Paragraph 53, "For example, a static analysis tool may be configured to identify … comments containing sensitive or private information; password or username logging or printing," the data types the static analysis tool checks fall under the sensitive organizational data category). Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to enhance Larkin's systems, methods, and computer readable media for remediating security vulnerabilities in view of Adams' check for organizational sensitive data by adding a check for username and password information in addition to PII, credit card numbers, etc. The motivation is that analyzing multiple codebase branches at the same time in a codebase speeds up testing significantly over analyzing one branch at a time. The motivation is that this will enhance the quality of the security analysis of the code (Adams, paragraph 54, "it is appreciated that any suitable static analysis tool may be configured to detect any suitable undesirable condition of a software product, whether that condition relates to information security").

Regarding claim 14, Larkin in view of Adams, and in further view of Testsigma teaches the one or more non-transitory computer-readable media of claim 11. Larkin teaches scripts specifying a subset of codebase branches in the code repository (Paragraph 156, "TIAP 700 can maintain several databases in databases 744. An event database can contain all the telemetry received from all loaded applications/components, for all customers. The data in the events database is deposited by the event service and queried by the analytics, CVE, API, and blueprinting services." Paragraph 82, "Application module 120 may include a native library 125 (e.g., Libc.so) that is used during operation of the application.
Native library 125 may include one or more components 126." The scripts specifying the subset of codebase branches in the codebase repository are the code modules loaded along with the applications that are to be analyzed, thus specifying the subset of applications/codebase branches that are running).

Regarding claim 15, Larkin in view of Adams, and in further view of Testsigma teaches the one or more non-transitory computer-readable media of claim 14. However, Larkin does not teach priority levels in codebase branches. Adams teaches the specifying of the subset of codebase branches is based on one or more priority levels associated with the plurality of codebase branches (Paragraph 120, "As with the operation 502, the operation 504 may further include an authorization step, or operation, in which the centralized repository security service performs an authorization step prior to cloning or attempting to clone the repository identified by the event received…" Paragraph 118, "the operation 502 further includes an authorization and/or authentication step in which the centralized repository security service identifies itself to a repository server as an authorized account to receive repository events and/or as authorized to clone or otherwise copy one or more specific repositories." The repository security service has a different process for cloning depending on the repository it is attempting to clone for analysis, with certain repositories having different authorization levels, thus meaning that the repository security service uses security levels as priority levels, identifying the codebases it is to clone).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to enhance Larkin's systems, methods, and computer readable media for remediating security vulnerabilities in view of Adams' authorization levels for analyzing repositories by adding security levels to certain repositories, the permissions to access certain security levels checked before analysis. Allowing only authorized accounts to analyze certain repositories enhances the security of a codebase, as it prevents unpermitted use of organization resources.

Regarding claim 16, Larkin in view of Adams, and in further view of Testsigma teaches the one or more non-transitory computer-readable media of claim 11. Larkin teaches identifying, based on the one or more scripts, one or more top-level codebase branches and one or more nested codebase branches associated with the one or more top-level codebase branches (Paragraph 184, "FIG. 11 shows an illustrative GUI page 1100 showing SBOM data and runtime security generated by the TIAP according to an embodiment. GUI page 1100 can include side bar 1102 that includes several user selectable items, top bar 1110 that shows an application being evaluated and associated metrics 1112. Metric 1112 can include metrics for environment 1112a (e.g., shown here for all environments), namespaces 1112b (e.g., shown here for all namespaces), and version 1112c (e.g., shown here for latest version)," The versions of the application are treated as the top-level and nested codebase branches, as earlier versions can be seen as top-level codebase branches, and more recent versions of the application can be seen as nested codebase branches).

Regarding claim 17, Larkin in view of Adams, and in further view of Testsigma teaches the one or more non-transitory computer-readable media of claim 11. However, Larkin does not teach cloning being based on permissions in a secrets database.
Adams teaches copying the plurality of codebase branches based on one or more of authentication, identification, or permission information included in a secrets database (Paragraph 120, "As with the operation 502, the operation 504 may further include an authorization step, or operation, in which the centralized repository security service performs an authorization step prior to cloning or attempting to clone the repository identified by the event received…" Paragraph 118, "the operation 502 further includes an authorization and/or authentication step in which the centralized repository security service identifies itself to a repository server as an authorized account to receive repository events and/or as authorized to clone or otherwise copy one or more specific repositories," the repository server can be seen as the secrets database that gives permissions to users, since its authorization requirements must be met for cloning to be permitted). Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to enhance Larkin's systems, methods, and computer readable media for remediating security vulnerabilities in view of Adams' authorization levels for analyzing repositories by adding security levels to certain repositories, the permissions to access certain security levels checked before analysis. Allowing only authorized accounts to analyze certain repositories enhances the security of a codebase, as it prevents unpermitted use of organization resources.
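The kinds of sensitive data the rejection of claim 13 quotes from the references (credit card numbers and PII from Larkin's compliance grammars; password or username logging and comments containing private information from Adams' static analysis tool) are the sort of thing a pattern pass over the cloned sources reports. The Python below is an added example written for this page, not code from the application or from the cited references; the patterns, the finding categories and the sample source lines are constructed for illustration, and the Luhn checksum is applied so that arbitrary 16-digit identifiers are not reported as card numbers.

```python
"""Added example (not from the application or the cited references): a small
sensitive-data scan over source text, reporting card numbers, credential
logging and hard-coded credentials together with their line numbers."""
import re

# Constructed sample input: five source lines written for this example.
SAMPLE_SOURCE = """\
# TODO remove before release: test card 4111 1111 1111 1111
logger.info("login attempt user=%s password=%s", username, password)
DB_PASSWORD = "hunter2"
order_id = 4111111111111112
print(f"welcome {username}")
"""

# Candidate card numbers: 13-16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# A logging or print call whose arguments mention a credential-like name.
CRED_LOG_RE = re.compile(
    r"\b(?:logger|logging|log|print)[\w.]*\s*\(.*\b(?:password|passwd|secret|token)\b", re.I
)
# A credential-like variable assigned a quoted literal.
HARDCODED_RE = re.compile(
    r"\b\w*(?:password|passwd|secret|api_key|token)\w*\s*=\s*[\"'][^\"']+[\"']", re.I
)


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_source(text):
    """Return [(line_number, category, snippet)] for each sensitive-data hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append((lineno, "credit_card", m.group()))
        if CRED_LOG_RE.search(line):
            findings.append((lineno, "credential_logging", line.strip()))
        if HARDCODED_RE.search(line):
            findings.append((lineno, "hardcoded_credential", line.strip()))
    return findings


if __name__ == "__main__":
    for lineno, category, snippet in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {category}: {snippet}")
```

On the constructed input, line 1 is reported because its digit run passes the Luhn check, line 4 is not reported because its run does not, line 2 is flagged as credential logging, and line 3 as a hard-coded credential; the `print` on line 5 mentions no credential-like name and is left alone.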
Regarding claim 18, Larkin teaches a system comprising: one or more memories for storing instructions; and one or more processors for executing the instructions to (Abstract, "Systems, methods, and computer-readable media for operationalizing standard bill of material (SBOM) content for a software application and providing SBOM analysis … remediate vulnerable components contained in the SBOM by identifying vulnerable components within the SBOM…"; Paragraph 54, "an alert grammar includes a set of rules or parameters that are used to classify telemetry events obtained by a telemetry interception and analysis platform (TIAP) during operation of an application." Paragraph 183, "The TIAP can automatically discover and prioritize application risks across application code, dependencies, container images, and web interfaces to help developers ship secure code faster. The TIAP not only scans static container images, but also observes running applications or Kubernetes environments, providing detailed usage information, including vulnerability usage, severity, CVSS scores, and license type," the TIAP is the system used for automated software vulnerability scanning) … execution of one or more scripts included in a script database… (Paragraph 70, "a TIAP portal may refer to a Software as a Service (SaaS) or on-premise management server that host TIAP, including the dashboard and other TIAP UI screens, as well as any services required to set up installation of TIAP runtime code to monitor a customer's application, collect telemetry from the customer's application, and analyze collected telemetry," the TIAP server is interpreted as the scripts database, where the programs used to set up TIAP for application monitoring are considered the scripts).
launching a plurality of container tasks for … executing one or more scanning operations on codebase branch … (Paragraph 59, "a component is abstract definition of a single type of process known to the platform (e.g., “database” or “web server”). Paragraph 173, "…container or environment where the application is running." An application can operate using one or more components." Paragraph 143, "FIG. 7 shows an illustrative block diagram of TIAP 700 according to an embodiment. In particular, FIG. 7 shows instances of one or more components 710 associated with a customer application being run and sending telemetry events, a user interface 720 for interfacing with the TIAP, and backend portion of the TIAP portal 730." Paragraph 122, "The telemetry grammars runtime can define a telemetry level for each component or component instance." Paragraph 108, "The interception code can include telemetry grammars that define which events should be monitored for and recorded," the telemetry grammars/events assigned to each component instance are interpreted as container tasks), and generating one or more scan results based on the one or more scanning operations executed on … codebase branch (Paragraph 157, "FIG. 8 shows an illustrative block diagram of an analytics service 800 according to an embodiment. Analytics service 800 can analyze collected events 802 and provide outputs 804 based on the analysis performed thereon. Analytics service 800 enables customers to understand the behavior and vulnerabilities of their applications by enabling customers to view in real-time statistics of the execution of their applications and to receive recommended remediation steps to resolve those vulnerabilities and to improve behavior," application instances are interpreted as codebase branches, the analytics service being capable of viewing statistics of more than one application).
However, Larkin does not specifically teach copying, via execution of one or more scripts included in a script database, a plurality of codebase branches included in a code repository into a clone database, … simultaneously executing scanning operations on codebase branches included in the plurality of codebase branches, nor … results based on the one or more scanning operations executed on the plurality codebase branches. Adams teaches copying, via execution of one or more scripts included in a script database, a plurality of codebase branches included in a code repository into a clone database (Paragraph 6, "The repository security service can be configured to, without limitation: clone a selected branch of the source repository from the repository database to a local directory as a cloned repository; analyze the cloned repository…" Paragraph 91, "the centralized repository security service 108 creates a first clone of the production branch of the first repository pulling the first user's changes at a first path. In addition, the centralized repository security service 108 creates a second clone of the production branch of the first repository pulling the second user's changes at a second path. Finally, the centralized repository security service 108 creates a third clone of the production branch of the second repository pulling the third user's changes at a third path," the program used in the repository security service for copying a repository branch is considered the script in the script database, Fig. 1 showing the repository security service running on a host server connected to the code repository service, this being interpreted as the script database; the clone repository is interpreted as the clone database, and codebases also contain one or more repositories/repository branches. The different production branches are the plurality of codebase branches included in the code repository).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to enhance Larkin's systems, methods, and computer readable media for remediating security vulnerabilities with Adams' repository cloning step by enhancing Larkin’s TIAP server's code to additionally clone a repository branch before performing analysis and remediation on it, just like Adams' repository security service does. The motivation is that it is good practice in software version control to make modifications to a copy of code while maintaining the original version, so that software instability doesn't ensue and the original version can be fallen back upon if remediation attempts end up introducing more issues. However, Larkin in view of Adams does not explicitly teach … simultaneously executing scanning operations on codebase branches included in the plurality of codebase branches, nor … results based on the one or more scanning operations executed on the plurality codebase branches... Testsigma teaches … simultaneously executing one or more scanning operations on codebase branches included in the plurality of codebase branches (Page 2, "In parallel testing, tests are run simultaneously in different environments, devices, and browser setups. It primarily aims to save time and resources. It is contrary to serial testing, where tests are run one after the other, which can be time-consuming, especially for large test suites." Page 3, "When there is a new update for an application that is similar to the previous version, parallel tests can be run to verify different versions of the application. This helps ensure that the new update functions properly and remains consistent with the earlier version." Applications and different versions of applications are regarded as codebase branches, so the plurality of codebase branches mentioned here is the different application versions).
… results based on the one or more scanning operations executed on the plurality codebase branches... (Page 5, “When we run the parallel testing cycle, the results of both the new and legacy systems should be measured line by line with differences highlighted. Every difference which we captured should be defined as per the type of error.”). Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to enhance Larkin in view of Adams’ systems, methods, and computer readable media for remediating security vulnerabilities, including Adams' repository cloning step, with Testsigma's parallel software testing by setting Larkin in view of Adams’ TIAP server to analyze multiple branches from a plurality of codebase branches that the user designates. The motivation is that analyzing multiple codebase branches at the same time in a codebase speeds up testing significantly over analyzing one branch at a time.

Regarding claim 19, Larkin in view of Adams, and in further view of Testsigma teaches the system of claim 18. Larkin teaches analyzing a plurality of codebase branches (Paragraph 157, “Analytics service 800 enables customers to understand the behavior and vulnerabilities of their applications"). However, Larkin does not explicitly teach copying one or more additional codebase branches included in one or more additional code repositories. Adams teaches copying the plurality of codebase branches further comprises copying one or more additional codebase branches included in one or more additional code repositories into the clone database (Paragraph 91, "the centralized repository security service 108 creates a first clone of the production branch of the first repository pulling the first user's changes at a first path.
In addition, the centralized repository security service 108 creates a second clone of the production branch of the first repository pulling the second user's changes at a second path. Finally, the centralized repository security service 108 creates a third clone of the production branch of the second repository pulling the third user's changes at a third path"). The motivation to combine Adams with Larkin for the rejection of claim 19 is the motivation stated for claim 18 above.

Regarding claim 20, Larkin in view of Adams, and in further view of Testsigma teaches the system of claim 18. Larkin teaches the one or more scan results including one or more of indications of software vulnerabilities associated with one of the plurality of codebase branches, third-party software dependency errors associated with one of the plurality of codebase branches (Paragraph 47, "The primary objective of the Vulnerability Exploitability Exchange (VEX) is to provide engineering teams with the information necessary to determine whether a product is impacted by a specific vulnerability discovered in a dependency or operating system package." Paragraph 183, "The TIAP can automatically discover and prioritize application risks across application code, dependencies, container images, and web interfaces to help developers ship secure code faster." Paragraph 187, "The TIAP's report provides a much more comprehensive view of a developer's application, from the static image to the running container." Paragraph 50, "By providing a clear and up-to-date inventory of all the third-party components used in a software project, developers can use this information to identify any known vulnerabilities in the components …" The TIAP system scans the vulnerabilities of the codebase branch being analyzed, one aspect being dependencies, among which are third-party ones).
Larkin further teaches scanning for sensitive data (Paragraph 54, "Yet other grammars can include compliance grammars that search telemetry data for specific items such as, for example, credit card numbers, personally identifiable information (PII), addresses, bank accounts, etc." The telemetry data analysis including the stated types of information means there is a scan for sensitive data). However, Larkin does not teach analysis for specifically organizational data in codebase branches. Adams teaches scanning secret/sensitive organizational data included in one of the plurality of codebase branches (Paragraph 53, "For example, a static analysis tool may be configured to identify … comments containing sensitive or private information; password or username logging or printing," the data types the static analysis tool checks fall under the sensitive organizational data category). Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to enhance Larkin's systems, methods, and computer readable media for remediating security vulnerabilities in view of Adams' check for organizational sensitive data by adding a check for username and password information in addition to PII, credit card numbers, etc. The motivation is that analyzing multiple codebase branches at the same time in a codebase speeds up testing significantly over analyzing one branch at a time. The motivation is that this will enhance the quality of the security analysis of the code (Adams, paragraph 54, "it is appreciated that any suitable static analysis tool may be configured to detect any suitable undesirable condition of a software product, whether that condition relates to information security").

Claim(s) 10 is rejected under 35 U.S.C. 103 as being unpatentable over Larkin et al. (US 20240289462 A1) in view of Adams et al. (US 20210200834 A1), in further view of Testsigma, and in further view of Hornbeck (US 11216265 B1).
Regarding claim 10, Larkin in view of Adams, and in further view of Testsigma teaches the computer-implemented method of claim 1. However, Larkin in view of Adams and in further view of Testsigma does not explicitly teach removing one or more of the plurality of copied codebase branches from the clone database after execution of the one or more scanning operations. Hornbeck teaches removing one or more of the plurality of copied codebase branches from the clone database after execution of the one or more scanning operations (Col 29 lines 24-40, "In some examples, IaaS Multi-Function Compute Device 250 implements an operating system CICD pipeline. The pipeline may receive a base image for a given operating system (e.g., directly from the OS Vendor or repository, etc.) and launch a temporary, ephemeral server either locally or on the IaaS/Cloud target service." Col 29 lines 31-39, "An ephemeral build may correspond with a short-lived, temporary, dynamic, or on-demand build of a virtual system or image. In an ephemeral build process, a fresh environment may be created for each build, and then destroyed when the build steps are finished. For example, applications requiring large amounts of RAM, storage, or specific network connectivity may be identified for this process." Col 5 lines 45-54, "The IaaS multi-function compute device may implement testing, including platform infrastructure as code continuous integration testing. This may help generate audit scores for Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST) and/or Interactive Application Security Testing (IAST)," the ephemeral build of the application, where the applications are set up for analysis temporarily, is equivalent to removing codebase branches after scanning operations).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to enhance Larkin in view of Adams in further view of Testsigma’s systems, methods, and computer readable media for remediating security vulnerabilities with the improvement of Hornbeck's ephemeral server system for applications such that Larkin in view of Adams in further view of Testsigma’s server system cleans its storage of the application analyzed. The motivation is that an ephemeral server system would prevent the server from getting cluttered with unnecessary amounts of code.

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MUHAMMAD H RASUL whose telephone number is (571)272-4613. The examiner can normally be reached Monday - Friday 7:30 - 5. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rupal Dharia, can be reached at 571-272-3880. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/M.H.R./Examiner, Art Unit 2492
/RUPAL DHARIA/Supervisory Patent Examiner, Art Unit 2492

Prosecution Timeline

Sep 05, 2024
Application Filed
Feb 05, 2026
Non-Final Rejection — §103 (current)
