Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

				DETAILED ACTION
Continued Examination Under 37 CFR 1.114
1.	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 3/15/2021 has been entered.
 
2.	This Office action is based on the application’s amendments filed on 3/15/2021, in which claims 21-40 have been presented for examination.

Status of Claims
2.    Applicant’s amendment dated March 15th, 2021 responds to the Office Action of January 29th, 2021, which rejected claims 21-40.
3.    Claims 21, 30 and 35 have been amended.
4.    Claims 21-40 are pending in the application, of which claims 21, 30 and 35 are in independent form and which have been fully considered by the examiner.

Response to Amendments/Arguments
5.    (A)   Regarding non-statutory double patenting rejection:  Applicant notes that although Applicant does not agree that the present claims 21-40 are obvious over claims 1, 7, and 14 of the parent application, Applicant is willing to file a terminal disclaimer to overcome the present obviousness-type double patenting rejection when pending claims 21, 30, and 35 are otherwise indicated to be allowable – Remarks, page 9.  Based on Applicants’ Amendments/Arguments, the double patenting rejection has not been presented in this Office action.
(B)  Regarding art rejection: Applicants’ amendment necessitated the new grounds of rejection presented in the following art rejection. Please refer to Bankole et al. (US Pub No. 2016/0162286 A1).

Examiner Notes
6.	Examiner cites particular columns and line numbers in the references as applied to the claims below for the convenience of the applicant. Although the specified citations are representative of the teachings in the art and are applied to the specific limitations within the individual claim, other passages and figures may apply as well. It is respectfully requested that, in preparing responses, the applicant fully consider the references in entirety as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the prior art or disclosed by the examiner.

Claim Objections
7.	Claims 21, 30 are objected to because of the following informalities:
Claims 21, 30 and 35 recite the limitation/element “a version”.  There is insufficient antecedent basis for this limitation in the claim.  Appropriate correction is required.

 Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

8.	Claims 21, 26-30, 33-35 and 39-40 is/are rejected under 35 U.S.C. 103 as being unpatentable over Allen (US Patent No. 9,641,406 B1 –IDS filed on 1/13/2020 -- herein after Allen) in view of Bankole et al. (US Pub No. 2016/0162286 A1 – herein after Bankole).

Regarding claim 21. 
Allen discloses
A system (computing systems – See col. 1, line 12), comprising: 
one or more hardware processors (See col. 16, one or more processors – line 9); and 
a non-transitory memory (The computer-readable storage medium may be non-transitory – See Col. 16, lines 9-10), the non-transitory memory storing computer-readable instruction that, when executed by the one or more hardware processors, causes the one or more hardware processors to perform operations comprising: 
receiving data associated with an updated baseline instance (The monitoring service may apply updates to virtual machine images stored by the service provider which have not yet been updated.  The monitoring service may do this by, first, receiving update information from the update repository – See Col. 2, lines 41-50; metadata associated with the instance may be stored corresponding to update information – See Col. 2, lines 36-40.  Examiner notes the update service used to update virtual machine images is an updated baseline instance), wherein the updated baseline instance is a version of a baseline instance that has had a software update installed (The metadata may include version information, information corresponding to the update applied, information corresponding to previous versions of the virtual machine or any other suitable information – See Col. 9, lines 7-10) and complies with a security policy (Updates may include software updates, networking updates, security policies, licensing policies, software upgrades, firmware updates, new software, administrative updates, hot fixes, patches or any other information suitable for updating computer systems– See Col. 2, lines 20-24); 
receiving data associated with a customized instance (The virtual machine instance may be used by a customer, as described above in connection with FIG. 2, to perform a variety of functions – See Col. 6, lines 29-48; an update is received the monitoring service 302 may determine one or more representative virtual machine 
comparing the data associated with the updated baseline instance with the data associated with the customized instance (The monitoring service may use the indirection map to apply the information contained in the offline patch to the appropriate element of the virtual machine image being updated- See Col. 2, lines 66-67 and Col. 3, lines 1 -3) to determine one or more modifications to the customized instance to bring the customized instance into compliance with the security policy (the computing systems, services and virtual machine instances may require periodic updates in order to comply with various policies, such as security policies - See Col. 1, lines 5-26; the offline patch may contain information corresponding to changes made to "DB1" on the representative system. The monitoring service may invert the indirection map by converting the logical abstraction "the first NoSQL database attached" to the label for the physical resource of the particular virtual machine being updated- See Col. 3, lines 3-36).
Allen does not disclose
wherein the customized instance is a version of the baseline instance having one or more user-customized features that are user-implemented as added, removed, or modified script, wherein data associated with the customized instance comprises an indication of a user customization to script of the updated baseline instance based on the one or more user-customized feature;
determining that the customized instance does not comply with the security policy based on the data associated with the customized instance;

Bankole discloses
wherein the customized instance is a version of the baseline instance (an instance of previous version of software product – See paragraphs [0003, 0027 and 0031]) having one or more user-customized features that are user-implemented as added, removed, or modified script (when software developers work on upgrades to released software products, the software developers may add new functional capabilities, adjust existing functions, and remove functions.  In one example, new functionality or improvements to existing functions may provide users of a software product with reasons to upgrade their own instance of the software product when upgrades are available – See paragraphs [0003, 0027 and 0031]), 
wherein data associated with the customized instance comprises an indication of a user customization to script of the updated baseline instance based on the one or more user-customized feature (SaaS tracker service 300 may also provide an event manager 332 service for automatically tagging and labeling content for an SaaS application.  In one example, each tag may specify which function, and which version of the function, has modified content through an SaaS application – See paragraphs [0021, 0048, 0093].  An upgrade 120 is applied to first software product version 110 to provide a second software product version 130 of the software product, referred to as version 1.1 (v 1.1).  In one example, upgrade 120 includes an instruction for a first function update 122 and an instruction to remove second function 124 – See paragraphs [0027-0028]);
determining that the customized instance does not comply with the security policy based on the data associated with the customized instance (to ensure compatibility and security when determining whether to deliver a previous version of a function from a previous version of a software product, within a current version of a software product, metadata may be added to each functional element of each version of a software product to enable a determination of whether there are any compatibility or security issues for a current user interface or current operating system to expose a previous version of a function – See paragraphs [0032,0046,0050]);
generating instructions to be implemented by a user to apply the one or more modifications to the customized instance (upgrade 120 includes an instruction for a first function update 122 and an instruction to remove second function 124 – See paragraphs [0027-0028]).
Bankole also discloses
comparing the data associated with the updated baseline instance with the data associated with the customized instance (Maintaining different versions of a same product, however, requires additional computing resources for each software version and is time-consuming, requiring time to set up multiple versions of a software product and requiring the user to keep track of which version of the program the user needs to have open to use a particular function – See paragraph [0031]) to determine one or more modifications to the customized instance to bring the customized instance into compliance with the security policy (additional or alternate types of metadata may be collected and specified within cloud environment 350 for performing one or more of specifying compatibility and security requirements, tracking which 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Bankole’s teaching into Allen’s invention because incorporating Bankole’s teaching would enhance Allen to manage user access to alternative versions of a particular function of software, as suggested by Bankole (paragraph [0001]).

Regarding claim 26, the system of claim 21,
Allen discloses
 wherein the operations comprise: 
storing the instructions and the one or more modifications (The offline patch information may contain a change log indicating all the changes made to the representative instance during the application of the update– See Col. 3, lines 64-67), wherein the stored instructions and the stored one or more modifications are used to bring another customized instance into compliance with the security policy (virtual machine instances may require periodic updates in order to comply with various policies, such as security policies.  To ensure compliance with the various policies one or more agent processes may be run to detect and remediate issues – Col. 1, lines 12-15.  The change log may also be used to generate the offline patch.  In various embodiments, the change log is used as the offline patch.  The change log may include information about what files or other data has been changed during execution of the update – See Col. 6, lines 51-55).

Regarding claim 27, the system of claim 21, 
Allen discloses
wherein the comparison occurs based on an audit schedule associated with the updated baseline instance, the customized instance, or both (the monitoring service may also generate the indirection map and store both the offline patch and indirection map in a storage system.  The monitoring service may, at some later point in time, determine that the deadline for applying one or more updates has expired.  The monitoring service may make this determination by using one or more timers, alarms, reminders or any other system capable of determining when a deadline has expired – See Col. 9, lines 62-67 and Col. 10, lines 1-3.  The process 500 includes receiving an update and a deadline or time period for which the update is to be applied 502.  The update may include an update to security policies, licensing policies, network policies, access policies, software updates, firmware updates, registry updates or update information corresponding to any component of a virtual machine capable of being updated – See Col. 9, lines 37-46).

Regarding claim 28, the system of claim 21, 
Allen discloses 
wherein determining the one or more modifications to the customized instance to bring the customized instance into compliance with the security policy comprises identifying that the one or more modifications were used to bring a previous instance into compliance with the security policy (services and replace the previous version of the image with the updated copy – See Col. 3, lines 37-49.  When a customer later requests the virtual machine image 408 be used to instantiate an instance of the virtual machine, the customer may be presented with the options of loading the updated version or loading a previous version and performing the update – Col. 9, lines 2-15).

Regarding claim 29, the system of claim 21, 
Allen discloses
wherein the baseline instance comprises an out-of-the-box version of a customer instance (The virtual machine images 308 may correspond to a virtual machine instance.  The virtual machine instance may be used by a customer – See Col. 6, lines 29-48).

Regarding claim 30. 
Allen and Bankole disclose
A processor-implemented method, comprising: 
Claim 30 recites the same limitations as rejected claim 21 above.
Claim 33 recites the same limitations as rejected claim 26 above.
Claim 34 recites the same limitations as rejected claim 28 above.

Regarding claim 35. 
Allen and Bankole disclose
A non-transitory computer-readable medium comprising computer readable code, that when executed by one or more processors, causes the one or more processors to perform operations comprising: 
Claim 35 recites the same limitations as rejected claim 21 above.
Claim 39 recites the same limitations as rejected claim 26 above.
Claim 40 recites the same limitations as rejected claim 28 above.

9.	Claims 22-23, 25, 31-32 and 36-38 is/are rejected under 35 U.S.C. 103 as being unpatentable over Allen and Bankole as applied to claims 21, 30 and 35 respectively above, and further in view of Suarez et al. (US Pub. No. 2017/0180346 A1 – art of record -- herein after Suarez).

Regarding claim 22, the system of claim 21, 
Bankole discloses
wherein comparing the data associated with the updated baseline instance with the data associated with the customized instance (Version identifiers may be used to keep track of incrementally different versions of the software product – See paragraph [0026]) comprises: 
matching a plurality of portions of script of the customized instance to a plurality of respective corresponding portions of the script of the updated baseline instance (application assets may include, but are not limited to, libraries, security policies, state requirements, and data schemas.  In one example, for every version of a function throughout multiple versions of an SaaS application, there may be a corresponding compatible selection of application assets that need to be managed and mapped out based on the particular version of the functions the user is expected to invoke.– see paragraph [0046]); and 
Bankole does not disclose
flagging an unassociated portion of the script of the customized instance for which the updated baseline instance does not have a corresponding portion of script.
Suarez discloses 
flagging an unassociated portion of the script of the customized instance for which the updated baseline instance does not have a corresponding portion of script (Unreferenced layers may include layers that have been flagged/marked as containing a security vulnerability (e.g., in the manner described in FIGS. 4 and 5) – See paragraph [0050]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Suarez’s teaching into Allen’s and Bankole’s inventions because incorporating Suarez’s teaching would enhance Allen and Bankole by enabling them to flag script as un-referenceable, as suggested by Suarez (paragraph [0054]).

Regarding claim 23, the system of claim 22, 
Suarez discloses
wherein the instructions to be implemented by the user to apply the one or more modifications to the customized instance are applied to the unassociated portion of the script of customized instance (users/customer select – See paragraphs [0075 and 0080]. FIG. 3 illustrates an example 300 garbage collection of an embodiment of the present disclosure.  Specifically, FIG. 3 depicts a container image 352 comprising a series of six layers (labeled as subscripts 1, 2, 3, 4, 5, and 6) that has been uploaded to a registry 302, such as the container registry 202 of FIG. 2, three times (images 346A-46B) over three time periods – See Fig. 2 and paragraph [0046]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Suarez’s teaching into Allen’s and Bankole’s inventions because incorporating Suarez’s teaching would enhance Allen and Bankole by enabling them to delete/remove the previous version (i.e., the insecure version) of the container image from the repository, as suggested by Suarez (paragraph [0050]).

Regarding claim 25, the system of claim 21, 
Suarez discloses
wherein comparing the data associated with the updated baseline instance with the data associated with the customized instance (the security sweep 454 searches the manifests of the first repository 452A for a match between the reference identifier 456 and the content-addressable identifiers 458 of the layers stored in the first repository 452A – See paragraph [0059]) comprises: 
determining a percentage change between script of the baseline instance and script of the customized instance (to deploy a new version of a container image 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Suarez’s teaching into Allen’s and Bankole’s inventions because incorporating Suarez’s teaching would enhance Allen and Bankole by enabling them to deploy the new version to the next predetermined percentage or number of container instances if the previous deployment was successful, as suggested by Suarez (paragraph [0100]).

Claim 31 recites the same limitations as rejected claim 22 above.
Claim 32 recites the same limitations as rejected claim 23 above.
Claim 36 recites the same limitations as rejected claim 22 above.
Claim 37 recites the same limitations as rejected claim 23 above.
Claim 38 recites the same limitations as rejected claim 25 above.

10.	Claim 24 is/are rejected under 35 U.S.C. 103 as being unpatentable over Allen and Bankole as applied to claim 21 above, and further in view of Abukhovsky (US Pub. No. 2018/0211045 A1 –IDS filed on 1/13/2020 -- herein after Abukhovsky).

Regarding claim 24, the system of claim 21, 
Abukhovsky discloses
wherein the operations comprise: 
receiving, via a graphical interface (GUI) (A user can fix the setting manually by clicking "Edit" or setting a group name link.  The Health Check Score Bar displays the Health Check score in the range from 0 to 100 – See paragraph [0029]), an input approving of the one or more modifications to the customized instance (The Security Health Check Update Service is responsible for updating security settings as requested by a user via fix it dialog – See paragraph [0029]); and 
implementing the one or more modifications to update the customized instance in response to receiving the input (The Security Health Check Service is responsible for retrieving and updating data as requested by the Security Dashboard Controller – See paragraph [0029]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Abukhovsky’s teaching into Allen’s and Bankole’s inventions because incorporating Abukhovsky’s teaching would enhance Allen and Bankole by enabling security recommendations to be made based on the security audit, and the administrator or developer, as the user, may attempt to implement these security recommendations, as suggested by Abukhovsky (paragraph [0004]).

	Conclusion
11.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Chen et al. (US Pub. No. 2017/0116013 A1) discloses deploying one or more scripts in a first deployment instance, where the first deployment instance is deployed from a first shared computing environment.  The processor determines a difference 
Kotian (US Pub. No. 2017/0052776 A1) discloses enabling the plurality of users to track patch files by automatically storing the plurality of scripts with updated comments from the plurality of users.  Further, a notification mechanism for alerting the plurality of authorized users about the change to the plurality of scripts is provided – See Abstract.
Zhang et al. (US Pub. No. 2015/0249681 A1) discloses a set of compliance policy updates are received.  The compliance policy updates are sent to workloads for application.  A status of the application of the compliance policies to the workloads is received from the workloads and output – See Abstract and specification for more details.
Ebrahimi et al. (US Pub. No. 2014/0040314 A1) discloses service providers are continually challenged to deliver value and convenience to consumers by providing compelling network services and advancing the underlying technologies.  For example, service providers currently offer database management systems that enable businesses and other organizations to manage data access among various users – See Abstract and paragraphs [0001-0002].
Raj et al. (US Pub. No. 2014/0380404 A1) discloses a security policy may also be multifunctional in that the security policy may include multiple security features or requirements.  A security policy may also be exhaustive in that all necessary security 

 11.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to MONGBAO NGUYEN whose telephone number is (571)270-7180.  The examiner can normally be reached on Monday-Friday 8am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hyung S. Sough can be reached on 571-272-6799.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/MONGBAO NGUYEN/Examiner, Art Unit 2192