DETAILED ACTION
	Claims 21-40 are presented on 07/17/2020 for examination on merits.  Claims 21 and 31 are independent base claims.  Claims 1-20 are cancelled by preliminary amendment on 09/09/2020.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Examiner's Instructions for filing Response to this Office Action
When the Applicant submits amendments regarding to the claims in response the Office Action, the Examiner would prefer that Applicant submit two sets of claims: 
Set #1 that includes indicators for the status of claim and all marked amendments to the claims; and 
Set #2 comprising a clean version of the claims with all the markups removed for entry, as an appendix to the Applicant Arguments/Remarks or a section following the Remarks.

Examiner’s Note 
This Application No. 16/940,261, filed 07/27/2020 is a continuation of the parent application 16/383,523, which is filed on 04/12/2019, now U.S. Patent #10,725,775. The Application No. 16/383,523 is a division of the parent application 14/975,631, filed 12/18/2015, now U.S. Patent #10261782.  The Examiner determines that this Application is distinct and is not double patenting with the parent applications.

Specification
The abstract of the disclosure is objected to because it is inconsistent with the claimed invention.  For example, independent claims specifies updating a software container image within a container registry hosted by the computing resource service provider in response to a request from an entity associated with a customer account.  The Abstract is silent about any aspect for updating software or a software container image.  Correction is required.  See MPEP § 608.01(b).

Claim Objections
Claim 23 is objected to because of the following informalities:  
Claim 23 recites “a customer associated with the customer account” while the base claim 21 recites “an entity associated with a customer account.”  It appears that the customer and the entity are meant to be the same subject in different words.  For formality reasons, the Examiner suggests using consistent terminology for the same element in the claim.
Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):

(B)  CONCLUSION—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. 


Claims 21-40 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.

The rejection(s) under 35 U.S.C. 112(b) is/are determined by the following reasons:
Claim 21 recites the limitation "updating software within the software container image…” unclearly, because the update is supposed to be performed on the software container image.  The receiving step specifies “a request to update a software container image within a container registry.”  However, it is confusing that, at the end of the sequence of the steps responding to the request, only the software within the software container image is updated, not the software container image. 
Claims 28 and 33 each recite a limitation for “updat[ing] software” (not the software container image) after “a request to update a software container image within a container registry.”  For the same reason as that given in claim 1, it is unclear how the request to update a software container image is handled.  
Claim 21 recites a limitation “as a result of said scanning, finding the reference identifier within the software container image, providing notice to the entity indicating that the security vulnerability was found” unclearly.  It is unclear whether the result of said scanning is finding the reference identifier within the software container image or providing notice of found vulnerability.
Claims 28 and 33 each recite a limitation for “as a result of said scanning” unclearly.
Claim 28 recites a limitation “as a result of execution” unclearly in the clause “memory including executable instructions that, as a result of execution by the one or more processors.”  The Examiner suggests changing to “as a result of the instructions being executed.”
Claims 22-27, 29-32, and 34-40 are also rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, because they depend from the rejected base claims 21, 28, and 33, respectively.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.


In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Claims 21-23, 26-30, 32-38, and 40 are rejected under 35 U.S.C. 103 as being unpatentable over Antony (US 20160381058 A1) in view of Goetz (US 20150220561 A1).

As per claim 21, Antony teaches a computer implemented method (Antony, the Abstract: Techniques for security scanning of containers executing within VMs; scans the 
receiving, … a request to update a software container image within a container registry hosted by the computing resource service provider … (Antony, par. 0004 and 0017: receiving a request … from a client… to perform a scan for security threats within a container executing within a virtual machine.  Antony discloses installing a new application within the container, which inherently involves updating a software container image within a container registry hosted by the computing resource service provider); 
scanning a layer of the software container image stored in the container registry for a reference identifier associated with a security vulnerability (Antony, par. 0019-0021: a security scan for any particular container involves scanning the entire VMDK. This means that if security scanning is desired for only one container or a subset of containers executing in a VM 116, the subset including layers of container; see par. 0013-0015 and 0024); 
as a result of said scanning, finding the reference identifier within the software container image (Antony, par. 0029: each scan catalog entry 302 includes a container identifier, an identifier of the VM in which the container resides, and the threat status for the container; see container ID and container threat status columns in FIG. 3), 
providing notice to the entity indicating that the security vulnerability was found (Antony, par. 0034: At step 420, security scanner 202 determines whether container scan catalog 204 indicates that all containers 126 in a particular VM 116 have a threat for which removal failed.  Note here that Antony’s threat indication is a notice of found vulnerability)
updating software within the software container image based at least in part on the result of said scan (Antony, par. 0031-0032: known threat scanning software; At step 406, security scanner 202 determines whether a threat is found within the container disk file that is scanned. If a threat is not detected, then the method proceeds to step 408, which allows the container …to power on to execute updated software within the software container image); and 
Antony, par. 0017: to deploy a new container or to update an already existing container…for deployment.  In Antony, container daemon 124 is a process that enables the deployment; par. 0015).

However, Antony does not explicitly disclose storing the software container image in association with the customer account and an entity being associated with a customer account with a computing resource service provider and the container registry being a scalable distributed data storage service. These aspects are identified as a difference.
In a related art, Goetz teaches:
storing, in the container registry, the software container image in association with the customer account (Goetz, par. 0019, 0057, 0063, and 0141: store or provide identifying information associated with the different addressable elements in the cluster--specifically the cluster wherein the cluster controller 318 includes a registry of VM information 319 … with a user account; see FIGS 6-7: a user account storage structure); 
receiving the request … from an entity associated with a customer account with a computing resource service provider (Goetz, par. 0140-0141: User 502 may create a plurality of containers 702 in the user account 700 and store a plurality of data objects 704.  Note that creating contains is performed via a user request);
the container registry being a scalable distributed data storage service (Goetz, par. 0004 and 0012: scalable; par. 0029: scaling resources provided by the cloud).
Antony and Goetz are analogous art, because they are in a similar field of endeavor in improving deployment of containers.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to combine them and to use Goetz to modify Antony to include the customer account information for communicating with resource service provider for updating the container registry in the process of updating software 

As per claim 22, the references as combined above teach the computer implemented method of claim 21, further comprising deleting the software container image from the container registry (Antony, par. 0034-0035: removing the container from network fabric 217).

As per claim 23, the references as combined above teach the computer implemented method of claim 21, wherein an encryption key for encrypting the software container image is managed by a customer associated with the customer account (Goetz, par. 0073-0075: keys, credentials or an identifying token are … uniquely known or controlled by the user; par. 0121: Create, Upload, Delete Buckets and Keys).

As per claim 26, the references as combined above teach the computer implemented method of claim 21, further comprising storing, in a registry metadata service, metadata about the software container image (Goetz, par. 0173: metadata stored as extended attributes of the file in the filesystem used by the object storage service. In such an embodiment, the object service 508 will uses the extended attributes of the filesystem to manage the metadata; par. 0067 and 0113: metadata attributes and associated values are stored in a metadata container that is stored in a system).

As per claim 27, the references as combined above teach the computer implemented method of claim 26, wherein the registry metadata service is a structured data storage service (Goetz, par. 0053: the cluster controller 318 includes a registry of VM information 319, in which non-security-related metadata associated with them, such as names, companies, email addresses, locations, etc. are stored in user accounts; par. 0067, 0184, and 0249).

As per claim 28, Antony teaches a system, comprising: 
one or more processors (Goetz, par. 0013: processor 106A; CPU 106); and 
memory including executable instructions (Goetz, par. 0013: memory 10) that, as a result of execution by the one or more processors, cause the system to: 
receive, …. a request to update a software container image within a container registry hosted by the computing resource service provider (Antony, par. 0004 and 0017: receiving a request … from a client… to perform a scan for security threats within a container executing within a virtual machine.  Antony discloses installing a new application within the container, which inherently involves updating a software container image within a container registry hosted by the computing resource service provider); 
scan a layer of the software container image stored in the container registry for a reference identifier associated with a security vulnerability (Antony, par. 0019-0021: a security scan for any particular container involves scanning the entire VMDK. This means that if security scanning is desired for only one container or a subset of containers executing in a VM 116, the subset including layers of container; see par. 0013-0015 and 0024); 
as a result of said scan, find the reference identifier within the software container image (Antony, par. 0029: each scan catalog entry 302 includes a container identifier, an identifier of the VM in which the container resides, and the threat status for the container; see container ID and container threat status columns in FIG. 3), 
providing notice to the entity indicating that the security vulnerability was found (Antony, par. 0034: At step 420, security scanner 202 determines whether container scan catalog 204 indicates that all containers 126 in a particular VM 116 have a threat for which removal failed.  Note here that Antony’s threat indication is a notice of found vulnerability);
update software within the software container image based at least in part on the result of said scan (Antony, par. 0031-0032: known threat scanning software; At step 406, security 
deploy the updated software (Antony, par. 0017: to deploy a new container or to update an already existing container…for deployment.  In Antony, container daemon 124 is a process that enables the deployment; par. 0015).
However, Antony does not explicitly disclose storing the software container image in association with the customer account and an entity being associated with a customer account with a computing resource service provider and the container registry being a scalable distributed data storage service. These aspects are identified as a difference.
In a related art, Goetz teaches:
store, in the container registry, the software container image in association with the customer account (Goetz, par. 0019, 0057, 0063, and 0141: store or provide identifying information associated with the different addressable elements in the cluster--specifically the cluster wherein the cluster controller 318 includes a registry of VM information 319 … with a user account; see FIGS 6-7: a user account storage structure); 
receiving the request … from an entity associated with a customer account with a computing resource service provider (Goetz, par. 0140-0141: User 502 may create a plurality of containers 702 in the user account 700 and store a plurality of data objects 704.  Note that creating contains is performed via a user request);
the container registry being a scalable distributed data storage service (Goetz, par. 0004 and 0012: scalable; par. 0029: scaling resources provided by the cloud).
Antony and Goetz are analogous art, because they are in a similar field of endeavor in improving deployment of containers.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to combine them and to use Goetz to modify Antony to include the customer account information for communicating with 
 
As per claim 29, the references as combined above teach the system of claim 28, wherein the executable instructions further include instructions that cause the system to obtain a manifest that contains metadata about a set of container image layers comprising the software container image stored in the container registry (Goetz, par. 0173: metadata stored as extended attributes of the file in the filesystem used by the object storage service. In such an embodiment, the object service 508 will uses the extended attributes of the filesystem to manage the metadata; par. 0067 and 0113: metadata attributes and associated values are stored in a metadata container that is stored in a system).

As per claim 30, the references as combined above teach the system of claim 28, wherein the executable instructions further include instructions that cause the system to: 
receive a user-specified tag to apply to the software container image (Goetz, par. 0071: the tag "developers"); and 
apply the user-specified tag to the software container image stored in the container registry (Goetz, par. 0071: The development group may include a group of users with the tag "developers" and a group of virtual machine resources ("developer machines"); par. 0053: the cluster controller 318 includes a registry of VM information 319.  In Goetz, the tag "developers, when applied to the software container image, inherently represents a cluster stored in the registry).

As per claim 32, the references as combined above teach the system of claim 28, wherein the executable instructions that cause the system to update the software include 126 in a VM 116 do not have a threat).

As per claim 33, Antony teaches a non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of being executed by a processor of a computer system, cause the computer system to at least: 
receive, … a request to update a software container image within a container registry hosted by the computing resource service provider …(Antony, par. 0004 and 0017: receiving a request … from a client… to perform a scan for security threats within a container executing within a virtual machine.  Antony discloses installing a new application within the container, which inherently involves updating a software container image within a container registry hosted by the computing resource service provider); 
scan a layer of the software container image stored in the container registry for a reference identifier associated with a security vulnerability (Antony, par. 0019-0021: a security scan for any container involves scanning the entire VMDK. This means that if security scanning is desired for only one container or a subset of containers executing in a VM 116, the subset including layers of container; see par. 0013-0015 and 0024); 
as a result of said scan, find the reference identifier within the software container image (Antony, par. 0029: each scan catalog entry 302 includes a container identifier, an identifier of the VM in which the container resides, and the threat status for the container; see container ID and container threat status columns in FIG. 3), 
providing notice to the entity indicating that the security vulnerability was found (Antony, par. 0034: At step 420, security scanner 202 determines whether container scan catalog 204 
update software within the software container image based at least in part on the result of said scan (Antony, par. 0031-0032: known threat scanning software; At step 406, security scanner 202 determines whether a threat is found within the container disk file that is scanned. If a threat is not detected, then the method proceeds to step 408, which allows the container …to power on to execute updated software within the software container image); and 
deploy the updated software (Antony, par. 0017: to deploy a new container or to update an already existing container…for deployment.  In Antony, container daemon 124 is a process that enables the deployment; par. 0015).

However, Antony does not explicitly disclose storing the software container image in association with the customer account and an entity being associated with a customer account with a computing resource service provider and the container registry being a scalable distributed data storage service. These aspects are identified as a difference.
In a related art, Goetz teaches:
store, in the container registry, the software container image in association with the customer account (Goetz, par. 0140-0141: User 502 may create a plurality of containers 702 in the user account 700 and store a plurality of data objects 704.  Note that creating contains is performed via a user request);
the container registry being a scalable distributed data storage service (Goetz, par. 0004 and 0012: scalable; par. 0029: scaling resources provided by the cloud).
Antony and Goetz are analogous art, because they are in a similar field of endeavor in improving deployment of containers.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to combine them and to use Goetz to modify Antony to include the customer account information for communicating with 

As per claim 34, the references as combined above teach the non-transitory computer-readable storage medium of claim 33, wherein the executable instructions further include instructions that cause the computer system to store, in a registry metadata service, metadata about the software container image (Goetz, par. 0173-0174: For example, an object service 508 may be included on a server that further includes one or more storage drives that provide a storage pool for objects. In one embodiment, the objects are stored as binary files with metadata stored as extended attributes of the file in the filesystem used by the object storage service; processing based on file metadata is also pluggable).

As per claim 35, the references as combined above teach the non-transitory computer-readable storage medium of claim 34, wherein the registry metadata service is a structured data storage service (Goetz, par. 0184-0185 and 0240: A second implementation includes a structured data service. The structured data service may include instructions; handle the storage and manipulation of authorization metadata so that the authorization service is operable to store, retrieve, delete, and query stored credentials from in the storage pools 514).

As per claim 36, the references as combined above teach the non-transitory computer-readable storage medium of claim 33, wherein the executable instructions further include instructions that cause the computer system to: 
receiving a command to deploy a software application that is based at least in part on the software container image (Antony, par. 0004 and 0017: receiving a request … from a client… to perform a scan for security threats within a container and … to update a software 
deploying, based at least in part on the software container image stored in the container registry, the software application using a cluster of container instances (Goetz, par. 0019, 0057, 0063, and 0141: store or provide identifying information associated with the different addressable elements in the cluster--specifically the cluster wherein the cluster controller 318 includes a registry of VM information 319 … with a user account; see FIGS 6-7: a user account storage structure).

As per claim 37, the references as combined above teach the non-transitory computer-readable storage medium of claim 36, wherein the cluster of container instances is associated with the customer account (Goetz, par. 0073-0075: keys, credentials or an identifying token are … uniquely known or controlled by the user … for processing and storing container instances).

As per claim 38, the references as combined above teach the non-transitory computer-readable storage medium of claim 36, wherein the executable instructions that cause the computer system to deploy the software application further include instructions that cause the computer system to deploy the software application in response to a command received via an application programming interface (Goetz, par. 0029: Application Programming Interface (API) that allows developers to declaratively request or command the backend storage, computation, and scaling resources provided by the cloud … to directly request the provisioning of resource).

As per claim 40, the references as combined above teach the non-transitory computer-readable storage medium of claim 36, wherein the executable instructions that cause the computer system to deploy the updated software further include instructions that cause the computer system to redeploy the software application using the updated image (Antony, par. .

Claims 25 and 39 are rejected under 35 U.S.C. 103 as being unpatentable over Antony and Goetz, as applied to claim 21, further in view of Selitser (US 20120173715 A1; hereinafter “Selit”).
As per claim 25, the references of Antony and Goetz as combined above teach the computer implemented method of claim 21, but do not explicitly disclose specifying to perform a rollback of the software container image. This aspect of the claim is identified as a further difference.
In a related art, Selit teaches:
further comprising obtaining an instruction that specifies, on a condition that the security vulnerability is found, to perform a rollback of the software container image (Selit, par. 0086 and 0108: the container can begin a transaction … collect any state changing and external communication in this transaction … to roll back the actor the state it was before the event arrived).
Selit is analogous art to the claimed invention in a similar field of endeavor in improving deployment of containers.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to combine them and to modify  to Antony- Goetz system to include a rollback function for the software application to go back to a previous version of the software container image. For this combination, the motivation would have been to improve the flexibility of the container and friendliness of user experience.

As per claim 39, the references as combined above teach the non-transitory computer-readable storage medium of claim 36, but do not explicitly disclose specifying to perform a 
In a related art, Selit teaches:
wherein the executable instructions further include instructions that cause the computer system, prior to updating the software, to roll back the software application using a previous version of the software container image stored in the container registry (Selit, par. 0086 and 0108: the container can begin a transaction … collect any state changing and external communication in this transaction … to roll back the actor the state it was before the event arrived).
Selit is analogous art to the claimed invention in a similar field of endeavor in improving deployment of containers.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to combine them and to modify  to Antony- Goetz system to include a rollback function for the software application to go back to a previous version of the software container image. For this combination, the motivation would have been to improve the flexibility of the container and friendliness of user experience.

Allowable Subject Matter
Claim 24 and 31 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The claims 24 and 31 each recite elements of “image layers stored as encrypted image layers in a data object store assigned to the customer account” or “to store the encrypted software image in association with the customer account” after encrypting the software container image to produce an encrypted software image.  These elements, when considered as a whole in combination with the other limitations in the base claims 21 and 28, are not anticipated by, nor made obvious over the prior art of record.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure as the prior art additionally discloses certain parts of the claim features (See “PTO-892 Notice of Reference Cited”).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DON ZHAO whose telephone number is (571)272.9953.  The examiner can normally be reached on Monday to Friday, 7:30 A.M to 5:00 P.M EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl G Colin can be reached on 571.272.3862.  The fax phone number for the organization where this application or proceeding is assigned is 571.273.8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866.217.9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800.786.9199 (IN USA OR CANADA) or 571.272.1000.


/Don G Zhao/Primary Examiner, Art Unit 2493                                                                                                                                                                                                        02/24/2022