DETAILED ACTION

A response was received on 21 March 2022.  The amendments were not fully compliant with the provisions of 37 CFR 1.121, as discussed in the telephonic interview conducted 05 May 2022.  See the interview summary mailed 06 May 2022 for further detail.
A supplemental response was received on 12 May 2022 and has been entered as per 37 CFR 1.111(a)(2)(i) as directed to correction of informalities.  By this supplemental response, Claims 1-3, 5, 8-11, and 15-17 have been amended.  Claims 4, 6, 7, 12-14, and 18-20 have been canceled.  No new claims have been added.  Claims 1-3, 5, 8-11, and 15-17 are currently pending in the present application.

Response to Arguments

Applicant’s arguments with respect to the rejection of Claims 1, 2, 9, 10, 15, and 16 under 35 U.S.C. 102(a)(1) and the rejection of Claims 3-8, 11-14, and 17-20 under 35 U.S.C. 103 have been considered but are moot in view of the new grounds of rejection set forth below.
Applicant's arguments filed 21 March 2022 have been fully considered but they are not persuasive.
Regarding the rejection of Claims 1-20 under 35 U.S.C. 112(b) as indefinite, Applicant argues that “the image” has proper antecedent basis in “an image among the plurality of container images” (pages 13-14 of the 21 March 2022 response).  However, because the claim recites plural images, the phrase “the image” remains unclear as to which of the plural images it is intended to refer.  Although Applicant asserts that this refers to the searched image, it is noted that the claim even recites that the repository includes the plurality of container images, so the reference to, for example, extracting “the image from the repository” is still unclear because there are plural images in the repository.  This rejection could be addressed by providing a more specific limitation on the image that is searched for (e.g. by referring to it as a “first image” or similar) such that it could be referred to in a way that explicitly distinguishes it from the other images in the plurality of images.
Therefore, for the reasons detailed above, the Examiner maintains the rejections as set forth below.

Drawings

The objection to the drawings for informalities is withdrawn in light of the amendments to the specification and drawings.  The objection to the drawings for failure to comply with 37 CFR 1.84(p)(5) is NOT withdrawn, because the amendments have raised new issues, as detailed below.
The drawings are objected to as failing to comply with 37 CFR 1.84(p)(5) because they do not include the following reference sign(s) mentioned in the description: 1 (see amended paragraph 0056).  Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.
The drawings are objected to as failing to comply with 37 CFR 1.84(p)(5) because they include the following reference character(s) not mentioned in the description: 1503 (see Figure 15).  Corrected drawing sheets in compliance with 37 CFR 1.121(d), or amendment to the specification to add the reference character(s) in the description in compliance with 37 CFR 1.121(b) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.




Specification

The objection to the disclosure for informalities is NOT withdrawn, because the amendments have raised new issues and/or not all issues have been addressed, as detailed below.
The disclosure is objected to because of the following informalities:  
The specification includes minor grammatical and other errors.  For example, in paragraph 0026, the phrase “Vulnerabilities and Exposures” does not clearly reflect the abbreviation “CVE”.
Appropriate correction is required.  Applicant’s cooperation is again requested in correcting any errors of which applicant may become aware in the specification.
The specification is objected to as failing to provide proper antecedent basis for the claimed subject matter.  See 37 CFR 1.75(d)(1) and MPEP § 608.01(o).  Correction of the following is required:  Independent Claims 1, 9, and 15 have each been amended to recite “a success rate of the scan of the initial version”.  There appears to be no mention of such a success rate in the specification, and therefore, there is not proper antecedent basis for this claimed subject matter in the specification.  For further detail, see below with respect to the rejection under 35 U.S.C. 112(a) for failure to comply with the written description requirement.



Claim Objections

The objections to Claims 1-3, 6-11, 13-17, 19, and 20 for informalities are withdrawn (or moot) in light of the amendments to (or cancellation of) the claims.

Claim Rejections - 35 USC § 112

The rejection of Claims 4, 6, 7, 12-14, and 18-20 under 35 U.S.C. 112(b) as indefinite is moot in light of the cancellation of the claims.  The rejection of Claims 1-3, 5, 8-11, and 15-17 is NOT withdrawn, because not all issues have been addressed and/or because the amendments have raised new issues, as detailed below.
The following is a quotation of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-3, 5, 8-11, and 15-17 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claims contain subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Independent Claims 1, 9, and 15 have each been amended to recite “a success rate of the scan of the initial version”.  Applicant cites paragraphs 0038 and 0053-0055 of the published specification for support for the claims as amended (see page 12 of the 21 March 2022 response).  However, although these paragraphs generally mention a success rate of updated CVEs or updated security rules, there is no mention in these paragraphs or elsewhere in the specification of a success rate of a scan of an initial version of an image.  There appears to be no mention of such a success rate in the specification, and therefore, there is not clear written description of this claimed subject matter in the specification.
Claims not specifically referred to above are rejected due to their dependence on a rejected base claim.

The following is a quotation of 35 U.S.C. 112(b):

(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-3, 5, 8-11, and 15-17 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claim 1 recites “the image” in line 10 and throughout the claim; however, the claim previously recited a plurality of container images, and it is not clear to which of the plural images these limitations are intended to refer.  The claim further recites “a container” in line 23.  It is not clear if this is intended to refer to the image container recited in line 12 or to a distinct container.  The claim additionally recites “with security updates” in line 24.  It is not grammatically clear what this phrase is intended to modify.  The claim also recites “the updated container” in lines 25-26.  There is not clear antecedent basis for this limitation in the claim.  The claim further recites “a success rate of the scan of the initial version” in line 39.  It is not clear how a representation of a comparison between first and second scan results would indicate a success rate of a scan, nor is it clear how a successful scan would be defined or determined.  These ambiguities render the claim indefinite.
Claim 3 recites “the image” in lines 8 and 12.  Because Claim 1 recites a plurality of container images, it is not clear to which of the plural images these limitations are intended to refer.
Claim 8 recites “the image” in line 11.  Because Claim 1 recites a plurality of container images, it is not clear to which of the plural images these limitations are intended to refer.
Claim 9 recites “the image” in line 7 and throughout the claim; however, the claim previously recited a plurality of container images, and it is not clear to which of the plural images these limitations are intended to refer.  The claim further recites “a container” in line 18.  It is not clear if this is intended to refer to the image container recited in line 9 or to a distinct container.  The claim additionally recites “with security updates” in line 19.  It is not grammatically clear what this phrase is intended to modify.  The claim also recites “the updated container” in line 20.  There is not clear antecedent basis for this limitation in the claim.  The claim further recites “a success rate of the scan of the initial version” in line 34.  It is not clear how a representation of a comparison between first and second scan results would indicate a success rate of a scan, nor is it clear how a successful scan would be defined or determined.  These ambiguities render the claim indefinite.
Claim 11 recites “the image” in lines 8 and 12.  Because Claim 9 recites a plurality of container images, it is not clear to which of the plural images these limitations are intended to refer.  
Claim 15 recites instructions to cause a processor “to: … extracting” in line 8.  This is grammatically unclear, although it appears that these are intended to read “to… extract”.  The claim further recites “the image” in line 8 and throughout the claim; however, the claim previously recited a plurality of container images, and it is not clear to which of the plural images these limitations are intended to refer.  The claim further recites “a container” in line 20.  It is not clear if this is intended to refer to the image container recited in line 9 or to a distinct container.  The claim additionally recites “with security updates” in line 21.  It is not grammatically clear what this phrase is intended to modify.  The claim also recites “the updated container” in line 22.  There is not clear antecedent basis for this limitation in the claim.  The claim further recites “a success rate of the scan of the initial version” in line 36.  It is not clear how a representation of a comparison between first and second scan results would indicate a success rate of a scan, nor is it clear how a successful scan would be defined or determined.  These ambiguities render the claim indefinite.
Claim 17 recites “the image” in lines 9-10 and 13.  Because Claim 15 recites a plurality of container images, it is not clear to which of the plural images these limitations are intended to refer.  
Claims not specifically referred to above are rejected due to their dependence on a rejected base claim.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5, 8-11, and 15-17 are rejected under 35 U.S.C. 103 as being unpatentable over Stopel et al, US Patent Application Publication 2017/0109536, in view of Martin et al, “Docker ecosystem – Vulnerability Analysis”, and Nickolov et al, US Patent 10142204.
In reference to Claim 1, Stopel discloses a system for identifying security vulnerabilities that includes a memory and processor (see Figure 5) storing and executing instructions to access a repository that includes a plurality of container images (Figure 3, image registry 330; paragraph 0031) and searching the repository for an image and extracting the image (paragraphs 0059-0069; Figure 6, steps S610-S630), where the image includes layered code files to generate an image container configured to deploy an application to run on an operating system (see paragraph 0007); identifying and scanning an initial version of the extracted image for identifiable security vulnerabilities having CVE identification numbers stored in a security vulnerability database (paragraph 0035; paragraphs 0043-0045; Figure 6, step S650); generating a container based on the image (see Figure 1); and generating and storing a first scan result listing the identified vulnerabilities (Figure 6, steps S660 through end; paragraph 0068).  However, Stopel does not explicitly disclose updating the container.
Martin discloses rebuilding a container and image based on updates (see section 4.1).  In combination, this suggests scanning the updated image and generating and storing second scan results listing the identified vulnerabilities and comparing vulnerabilities (Stopel, paragraphs 0035, 0043-0045, and 0068; Figure 6, steps S650 through end; Martin, section 4.1).  Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Stopel to include the updating of the container and comparing vulnerabilities as taught by Martin, in order to allow security updates to be incorporated into the rebuilt container (see Martin, section 4.1).
However, neither Stopel nor Martin explicitly discloses a graphical representation of a comparison between first and second scan results.  Nickolov discloses an interface displaying a comparison of different images to a user showing a comparison of vulnerabilities (see column 41, line 17-column 42, line 5).  Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to further modify the system of Stopel to include the display taught by Nickolov, in order to allow the user to assess the reliability of configuration changes (see Nickolov, column 40, lines 45-55).
In reference to Claim 2, Stopel, Martin, and Nickolov further disclose that the processor is adapted to update the security vulnerability database in response to a triggering event including a time interval or a request (see Stopel, paragraphs 0035, 0043).
In reference to Claim 3, Stopel, Martin, and Nickolov further disclose storing the updates in the database and the updated version of the image (see Martin, section 4.1).
In reference to Claim 5, Stopel, Martin, and Nickolov further disclose severity ratings that are used to automatically update the container (see Martin, section 3.4).
In reference to Claim 8, Stopel, Martin, and Nickolov further disclose a user interface displaying scan results, scan histories, and vulnerability comparisons, and generating files (Stopel, paragraphs 0035, 0043-0045, and 0068; Figure 6, steps S650 through end; Martin, section 4.1; Nickolov, column 41, line 17-column 42, line 5).

Claims 9-11 are directed to methods corresponding to the functionality of the systems of Claims 1-3, and are rejected by a similar rationale, mutatis mutandis.
Claims 15-17 are directed to software implementations of the methods of Claims 9-11, and are rejected by a similar rationale.

Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Zachary A Davis whose telephone number is (571)272-3870. The examiner can normally be reached Monday-Friday, 9:30am-6:00pm, Eastern Time.
Examiner interviews are available via telephone and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Zachary A. Davis/
Primary Examiner, Art Unit 2492