DETAILED ACTION
Remarks
This office action is in response to the amendment under AFCP2.0 filed on 2/01/2021.
Claims 1, 3, 4, 7-8, 10-11, 14-15, 17-18 and 20 have been amended.
Claims 1-3, 5-10, 12-17 and 19-20 (numbered as 1-17) are allowed with entering Examiner’s amendment listed below.
Examiner’s Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given after an interview with Mr. David K. Mattheis (Reg#:48,683) on 2/10/2021 to obviate potential 35 U.S.C. 103 and 112 issues, and to put the application in condition for allowance.
The application has been amended as follows: 

IN THE CLAIMS
Please amend claims 1-3, 5-10, 12-17 and 19-20, and cancel claims 4, 11 and 18:
1. (Currently amended) A computer implemented method for managing container applications, the method comprising: 
providing, by a services provider, a registry of managed container base images, each managed container base image of the managed container base images comprising an original ; 
identifying image layers in a layer chain for each original container base image in the managed container based images;
identifying a root layer operating system in the identified image layers for each original container base image in the managed container based images; 
appending an injection point to each original container base image in the managed container based images according to coding of the root layer operating system;
determining, by the services provider, that a first managed container base image from the registry of managed container base images includes a first vulnerability; 
creating, by the services provider, a first patch script to address the first vulnerability; 
inserting, by the services provider, the first patch script at the injection point [[layer]] of the determined first managed container base image to create a patched first managed container based image; [[and]]
determining, by the services provider, that a second managed container base image from the registry of managed container base images includes a second vulnerability; 
creating, by the services provider, a second patch script to address the second vulnerability; 
inserting, by the services provider, the second patch script at the injection point of the second managed container base image, resulting in a patched second managed container base image; 
issuing, by the services provider, a [[pull]] restart command for an application using the determined first managed container base image to a container orchestration tool to pull the patched first managed container based image and rebuild the determined first managed container base image by executing the first patch script; and 
publishing, by the services provider, the patched second managed container base image.

2. (Currently Amended) The computer implemented method according to claim 1, further comprising: 
receiving, by the services provider, a request for a third [[first]] container base image; 
third [[first]] container base image is not managed; and 
creating, by the services provider, a managed version of the third [[first]] container base image.  

3. (Currently Amended) The computer implemented method according to claim 2, wherein the managed version of the third [[first]] container base image comprises the third [[first]] container base image appended to include an injection point .  

4. (Cancelled) 

5. (Currently Amended) The computer implemented method according to claim 1, further comprising: 
determining, by the services provider, a set of managed images related to the first vulnerability; 
patching, by the services provider, each managed image of the set of managed images using the created first patch script for addressing the first vulnerability; and 
publishing, by the services provider, each patched managed image of the set of managed images.  

6. (Currently Amended) The computer implemented method according to claim 1, further comprising [[a]] the service provider enabling a user to reject pulling the first or second patched managed container based image .   

7. (Currently Amended) The computer implemented method according to claim 1, further comprising: 
determining, by the services provider, that [[the]] a fourth container base image is not managed; 
creating, by the services provider, a managed version of the fourth container base image, wherein the managed version of the fourth container base image comprises an injection point ; and 
pulling the managed version of the fourth container based image .

8. (Currently amended) A computer program product for managing application execution, the computer program product comprising one or more computer readable storage devices and stored program instructions on the one or more computer readable storage devices, the stored program instructions executed on one or more computer processors comprising: 
program instructions for providing a registry of managed container base images, each managed container base image of the managed container base images comprising an original container base image ; 
program instructions for identifying image layers in a layer chain for each original container base image in the managed container based images;
program instructions for identifying a root layer operating system in the identified image layers for each original container base image in the managed container based images; 
program instructions for appending an injection point to each original container base image in the managed container based images according to coding of the root layer operating system;
program instructions for determining that a first managed container base image from the registry of managed container base images includes a first vulnerability; 
program instructions for creating a first patch script to address the first vulnerability; 
program instructions for inserting the first patch script at the injection point [[layer]] of the determined first managed container base image to create a patched first managed container based image; [[and]]
program instructions for determining, by the one or more computer processors, that a second managed container base image from the registry of managed container base images includes a second vulnerability; 
program instructions for creating, by the one or more computer processors, a second patch script to address the second vulnerability; 
program instructions for inserting, by the one or more computer processors, the second patch script at the injection point of the second managed container base image, resulting in a patched second managed container base image; 
program instructions for issuing a [[pull]] restart command for an application using the determined first managed container base image, to a container orchestration tool to pull the patched first managed container based image and rebuild the determined first managed container base image by executing the first patch script; and 
program instructions for publishing, by the services provider, the patched second managed container base image.


9. (Currently  amended) The computer program product according to claim 8, the stored program instructions further comprising: 
program instructions for receiving a request for a third [[first]] container base image; 
program instructions for determining that the third [[first]] container base image is not managed; and 
program instructions for creating a managed version of the third [[first]] container base image.  

10. (Currently amended) The computer program product according to claim 9, wherein the managed version of the third [[first]] container base image comprises the third [[first]] container base image appended to include an injection point [[layer]].  

11. (Cancelled)  

12. (Currently amended) The computer program product according to claim 8, the stored program instructions further comprising: 
program instructions for determining a set of managed images related to the first vulnerability; 
program instructions for patching each managed image of the set of  managed images using the created first patch script for addressing the first vulnerability; and 
program instructions for publishing each patched managed image of the set of managed images.  

13. (Currently amended) The computer program product according to claim 8, the stored program instructions further comprising program instructions for enabling a user to reject pulling the first or second patched managed container based image . 


14. (Currently amended) The computer program product according to claim 8, the stored program instructions further comprising: 
program instructions for determining that [[the]] a fourth container base image is not managed; 
program instructions for creating a managed version of the fourth container base image, wherein the managed version of the fourth container base image comprises an injection point [[layer]]; and 
program instructions enabling a user to reject pulling the managed version of the fourth container based image .

15. (Currently amended) A computer system for managing application execution, the computer system comprising: 
one or more computer processors; 
one or more computer readable storage devices; 
Docket No. P201807354US01 Application No. 16/411,250
stored program instructions on the one or more computer readable storage devices for execution by the one or more computer processor, the stored program instructions comprising: 
program instructions for providing a registry of managed container base images, each managed container base image of the managed container base images comprising an original container base image ; 
program instructions for identifying image layers in a layer chain for each original container base image in the managed container based images;
program instructions for identifying a root layer operating system in the identified image layers for each original container base image in the managed container based images; 
program instructions for appending an injection point to each original container base image in the managed container based images according to coding of the root layer operating system;
program instructions for determining that a first managed container base image from the registry of managed container base images includes a first vulnerability; 
program instructions for creating a first patch script to address the first vulnerability; 
program instructions for inserting the first patch script at the injection point [[layer]] of the determined first managed container base image to create a patched first managed container based image; [[and]]
program instructions for determining, by the one or more computer processors, that a second managed container base image from the registry of managed container base images includes a second vulnerability; 
program instructions for creating, by the one or more computer processors, a second patch script to address the second vulnerability; 
program instructions for inserting, by the one or more computer processors, the second patch script at the injection point of the second managed container base image, resulting in a patched second managed container base image; 
program instructions for issuing a [[pull]] restart command for an application using the determined first managed container base image, to a container orchestration tool to pull the patched first managed container based image and rebuild the determined first managed container base image by executing the first patch script; and 
program instructions for publishing, by the one or more computer processors, the patched second managed container base image.


16. (Currently amended) The computer system according to claim 15, the stored program instructions further comprising: 
program instructions for receiving a request for a third [[first]] container base image; 
program instructions for determining that the third [[first]] container base image is not managed; and 
program instructions for creating a managed version of the third [[first]] container base image.  

17. (Currently amended) The computer system according to claim 16, wherein the managed version of the third [[first]] container base image comprises the third [[first]] container base image appended to include an injection point [[layer]].  

18. (Cancelled) 

19. (Currently amended) The computer system according to claim 15, the stored program instructions further comprising: 
program instructions for determining a set of managed images related to the first vulnerability; 
program instructions for patching each managed image of the set of managed images using the created first patch script for addressing the first vulnerability; and 
program instructions for publishing each patched managed image of the set of managed images.  

20. (Currently amended) The computer system according to claim 15, the stored program instructions further comprising: 
program instructions for receiving a request for a [[first]] fourth container base image; 
program instructions for determining that the [[first]] fourth container base image is not managed; 
program instructions for creating a managed version of the [[first]] fourth container base image, wherein the managed version of the [[first]] fourth container base image comprises an injection point [[layer]]; and 
program instructions for enabling a user to reject pulling the managed version of the fourth container based image . 

Allowable Subject Matter
The following is an examiner’s statement of reasons for allowance:
Based on the search performed for the claimed invention and considering the Applicant’s IDS, the closest prior art as cited does not teach or suggest, either alone or in combination, the claimed limitations. 
Abrams (Howard A. Abrams, US2018/0088926A1) discloses the limitation about providing a registry of managed container base images by a services provider, each managed container base image comprising an original container base image appended to include an injection point, determining that a managed container base image from the registry of managed container base images includes a first vulnerability by the services provider, creating a patch script to address the first vulnerability, inserting the patch script at the injection point of the managed container base image.  
However, Abrams does not explicitly disclose that each managed container base image comprises an original container based image appended to include an injection point, the injection point/layer which is based on a root layer operating system coding and/or issues a pull command for an application using the managed container base image to a container orchestration tool by the services provider. 
Georgiev (Georgiev et al., US10,719,603B2) discloses the limitation about each managed container base image comprising an original container based image appended to include an injection point for patching script.
However, Georgiev does not explicitly disclose the injection point/layer which is based on a root layer operating system coding and/or issues a pull command for an application using the managed container base image to a container orchestration tool by the services provider. 
Jeong (Chan-Hun Jeong, US2017/0344289A1) discloses issuing a pull command for an application using the managed container base image to a container orchestration tool by the services provider.
However, the combination of Abrams, Georgiev, and Jeong does not explicitly disclose the injection point/layer which is based on a root layer operating system coding of the layered structure of the container image.
Therefore, in view of the recited method/steps for “providing, by a services provider, a registry of managed container base images, each managed container base image of the managed container base images comprising an original container base image; identifying image layers in a layer chain for each original container base image in the managed container based images; identifying a root layer operating system in the identified image layers for each original container base image in the managed container based images; appending an injection point to each original container base image in the managed container based images according to coding of the root layer operating system; determining, by the services provider, that a first managed container base image from the registry of managed container base images includes a first vulnerability; creating, by the services provider, a first patch script to address the first vulnerability; inserting, by the services provider, the first patch script at the injection point of the determined first managed container base image to create a patched first managed container based image; determining, by the services provider, that a second managed container base image from the registry of managed container base images includes a second vulnerability; creating, by the services provider, a second patch script to address the second vulnerability; inserting, by the services provider, the second patch script at the injection point of the second managed container base image, resulting in a patched second managed container base image; issuing, by the services provider, a restart command for an application using the determined first managed container base image to a container orchestration tool to pull the patched first managed container based image and rebuild the determined first managed container base image by executing the first patch script; and publishing, by the services provider, the patched second managed container base image” in claim 1, 
and the other limitations recited therewith in their entirety, present subject matter that is novel and non-obvious over the prior art. 
Consequently, claim 1 is allowed. Claims 2-3, and 5-7 are also allowed due to their dependency on allowable independent claim 1.

Moreover, in view of the recited computer program product/computer readable storage devices storing program instructions executed on one or more computer processors, wherein the stored program instructions comprising: “program instructions for providing a registry of managed container base images, each managed container base image of the managed container base images comprising an original container base image; program instructions for identifying image layers in a layer chain for each original container base image in the managed container based images; program instructions for identifying a root layer operating system in the identified image layers for each original container base image in the managed container based images; program instructions for appending an injection point to each original container base image in the managed container based images according to coding of the root layer operating system; program instructions for determining that a first managed container base image from the registry of managed container base images includes a first vulnerability; program instructions for creating a first patch script to address the first vulnerability; program instructions for inserting the first patch script at the injection point of the determined first managed container base image to create a patched first managed container based image; program instructions for determining, by the one or more computer processors, that a second managed container base image from the registry of managed container base images includes a second vulnerability; program instructions for creating, by the one or more computer processors, a second patch script to address the second vulnerability; program instructions for inserting, by the one or more computer processors, the second patch script at the injection point of the second managed container base image, resulting in a patched second managed container base image; program instructions for issuing a restart command for an application using the determined first managed container base image, to a container orchestration tool to pull the patched first managed container based image and rebuild the determined first managed container base image by executing the first patch script; and program instructions for publishing, by the services provider, the patched second managed container base image” in claim 8 and the other limitations recited therewith in their entirety, present subject matter that is novel and non-obvious over the prior art. 
Consequently, claim 8 is allowed. Claims 9-10 and 12-14 are also allowed due to their dependency on allowable independent claim 8.

Further, in view of the recited system comprising one or more processors, and one or more computer readable storage devices stored program instructions executed by the one or more computer processors to cause the processor, wherein the program instructions comprising: “program instructions for providing a registry of managed container base images, each managed container base image of the managed container base images comprising an original container base image; program instructions for identifying image layers in a layer chain for each original container base image in the managed container based images; program instructions for identifying a root layer operating system in the identified image layers for each original container base image in the managed container based images; program instructions for appending an injection point to each original container base image in the managed container based images according to coding of the root layer operating system; program instructions for determining that a first managed container base image from the registry of managed container base images includes a first vulnerability; program instructions for creating a first patch script to address the first vulnerability; program instructions for inserting the first patch script at the injection point of the determined first managed container base image to create a patched first managed container based image; program instructions for determining, by the one or more computer processors, that a second managed container base image from the registry of managed container base images includes a second vulnerability; program instructions for creating, by the one or more computer processors, a second patch script to address the second vulnerability; program instructions for inserting, by the one or more computer processors, the second patch script at the injection point of the second managed container base image, resulting in a patched second managed container base image; program instructions for issuing a restart command for an application using the determined first managed container base image, to a container orchestration tool to pull the patched first managed container based image and rebuild the determined first managed container base image by executing the first patch script; and program instructions for publishing, by the services provider, the patched second managed container base image” in claim 15, and the other limitations recited therewith in their entirety, present subject matter that is novel and non-obvious over the prior art. 
Consequently, claim 15 is allowed. Claims 16-17 and 19-20 are also allowed due to their dependency on allowable independent claim 15.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Groffin et al., (US10,324,708B2) discloses a method for managing updates to container images;
Jobi et al., (US10,303,499B2) discloses a containerized application based on application image composed of application image layers.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHENG WEI whose telephone number is (571)270-1059 and Fax number is (571) 270-2059.  The examiner can normally be reached on M-F 9:00AM-5:00PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hyung S. Sough can be reached on 571-272-6799.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Any inquiry of a general nature or relating to the status of this application or proceeding should be directed to the TC 2100 Group receptionist whose telephone number is 571-272-1000.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ZHENG WEI/Examiner, Art Unit 2192

/ZIAUL A CHOWDHURY/Primary Examiner, Art Unit 2192
02/11/2021