DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This office action is in response to communication filed on 06/06/2022.
Status of claims in the instant application:
Claims 1-20 are pending.
No claim has been canceled.
Claims 1, 4, 7, 8, 11, 14, 15, 17 and 20 have been amended.
No new claim has been newly added.
Response to Arguments
Applicant’s arguments, see page [11] of the remarks filed on 06/06/2022, with respect to objections to drawings have been fully considered in view of the corrected drawings filed by the Applicant, and they are persuasive. Therefore, the drawing objections are withdrawn.
Applicant’s arguments, see page [11] of the remarks filed on 06/06/2022, with respect to objections to claims have been fully considered in view of the amended claims filed by the Applicant, and they are persuasive. Therefore, the claim objections are withdrawn.
Applicant’s arguments, see page [11-14] of the remarks filed on 06/06/2022, with respect to rejections of claims under 35 USC 103 have been fully considered in view of the claim amendments, and they are persuasive. Therefore, the claim rejections are withdrawn.
Allowable Subject Matter
Claims 1-20 are allowed.
The following is the examiner's statement of reasons for allowance: The following prior art references were identified during the examination of applicant’s amended claim set filed on 06/06/2022 in response to the office action mailed on 05/26/2022. They do not explicitly teach the applicant’s claimed invention, in view of the amended claims, but are in the general realm of applicant’s field of endeavor:
PGPUB US 20180025160 A1, Hwang et al.: Hwang is considered the prior art closest to the claimed invention of the instant application. It discloses a method that includes analyzing a given application to determine one or more packages utilized by the given application, the one or more packages comprising a plurality of libraries, identifying a subset of the plurality of libraries utilized by the given application, determining one or more dependent libraries for each of the identified libraries in the subset, generating a given container for the given application, the given container comprising the identified libraries in the subset and the dependent libraries for each of the identified libraries, performing risk analysis for the given container including comparing a risk value calculated for the given container to a designated risk threshold, simulating one or more actions in the given container responsive to the risk value calculated for the given container exceeding the designated risk threshold, and determining whether to accept or reject the given container responsive to the risk analysis and simulated actions.
The present application relates to computing, and more specifically, to applications. An application, also referred to as a compute instance herein, may be run in an operating system that includes a set of various applications and library packages. The compute instance, including the operating system, applications and such packages, may form part of a container with a large memory footprint. Embodiments of the invention provide techniques for generating containers for applications utilizing reduced sets of libraries based on risk analysis.
PGPUB US 2020/0394310 A1, Sloane et al.: Sloane discloses a system that provides analysis of computer application vulnerabilities via multidimensional correlation and prioritization. The system may begin by generating a data repository of each application within a computing environment. Once the data repository is generated, the system may assess the dependencies, relationships, and vulnerabilities of the applications and processes used within the system. The system may perform assessments across multiple dimensions and/or metrics (e.g., impacts on users, devices, networks, applications, and/or data). Based on performing said assessments, the system may calculate relatedness and/or dependency scores across the dimensions or metrics, where the scores may be used to generate a prioritization scheme for making changes to application code or applying updates. The present disclosure embraces a system for analyzing and remediating computer application vulnerabilities via multidimensional correlation and prioritization. In particular, the system may analyze application interdependencies along multiple different metrics to determine the impact of changes made to the applications within the computing network.
	PAT US 10691810 B1, Freitag et al.: Freitag discloses methods and apparatuses for detecting vulnerabilities associated with a software application build. A server generates a software application build based upon a source code repository, including determining application dependencies of the software application build. The server identifies vulnerabilities associated with the application dependencies. For each identified vulnerability, the server creates an aspect class based upon a package file associated with the vulnerability, the aspect class comprising vulnerability logging code. The server integrates the created aspect classes into libraries of the application dependencies, generates a new package file based upon the application dependencies, and integrates the new package file into the software application build. The server executes the software application build, including generating log statements by calling the aspect classes in the new package file. The server analyzes the log statements to determine which of the identified vulnerabilities were invoked during execution of the software application build.
	This application relates generally to methods and apparatuses, including computer program products, for detecting vulnerabilities associated with a software application build. This disclosure provides methods and systems that enable the detection of vulnerabilities associated with a software application build during a development and testing phase of the related software application. The techniques described herein provide the advantage of automatically identifying specific vulnerabilities present in application dependencies and modifying the application build to generate actionable log statements when the code that contains the vulnerabilities is executed during a test, so that the vulnerabilities can be verified and remediated.
	PGPUB US 20200097662 A1, Hufsmith et al.: Hufsmith discloses a process for determining threat scores for container images or distributed applications that consider the results of a multitude of different scanners and other factors such as context information which may include information about a given execution environment for the container image. Scanner results, or scanner properties, are determined for a container image or container images in a multi-container distributed application by various vulnerability scanners. The scanner properties determined by each vulnerability scanner are adjusted responsive to properties of the context and normalized to determine component threat scores for the container image. Then the component threat scores for the container image are combined to generate a combined threat score for the container image within the context of the execution environment.
	The present disclosure relates generally to tooling for software development related to distributed applications and, more specifically, to techniques that combine metrics of heterogeneous vulnerability scans of container images.
	PGPUB US 2021/0034413 A1, Ballantyne et al.: Ballantyne discloses a method, computer program product, and computer system for obtaining an input for a build. An initial orchestration job scheduler object may be obtained based upon the input for the build. A directed acyclic graph (DAG) may be determined based upon, at least in part, a dependency engine preprocessing. The DAG may be stored in a format. An array of steps may be built based upon, at least in part, the object, wherein the DAG may be translated from the object into a format readable by an initial orchestration job scheduler to build the array of steps. The array of steps may be executed to perform the build.
	In this disclosure, a source code management repository containing pointers to each component repository may be used to provide a consistent snapshot in time across one or more repositories to obtain the input for the build. A repository may be cloned from the consistent snapshot to obtain the initial orchestration job scheduler object. The DAG may be translated from the object into a format readable by an initial orchestration job scheduler to build the array of steps. The array of steps may be aggregated. One or more systems associated with the build may be initialized for testing. The testing may be executed.
USPGPUB US 20200074084 A1, DORRANS et al.: DORRANS discloses tools and techniques to protect private configuration and operation information while obtaining pertinent data about known vulnerabilities of packages, runtimes, and software components of various kinds. Dependencies between software items may be traversed to get more complete vulnerability information. Version numbers and other telemetry about installed components, and operational events from installed components, may be exported from a system while nonetheless protecting the privacy of system-specific details. Privacy protections may include withholding private information from a repository or other vulnerability list source, using truncated hashes or fingerprints to select an obscuring subset of the available vulnerability list, anonymizing telemetry, aggregating telemetry, and other mechanisms. Vulnerability warnings may be given upon loading a component or launching an application, building a project, selecting a component for deployment, adding a component to a project or workspace, and other events. Updates to components may be performed to remove known vulnerabilities.
	USPGPUB US 20200159525 A1, Bhalla et al.: Bhalla discloses automation of task identification and control in a software lifecycle. Software context for a software asset is extracted from context repositories of the software asset during software development and operation, the extracted context data is matched to relevant tasks in a knowledge database to select tasks for the software asset, and task prioritization and orchestration are presented in a prioritized task list during a software lifecycle.
However, none of the prior arts of record, alone or in combination, discloses the combination of limitations of the amended independent claims 1, 8 and 15; specifically they do not disclose the combination of claim limitations as recited in amended independent claims, “determining status results based on vulnerability and compliance scanning of all dependent sources for each data source image; aggregating the status results across all the data source images for each of the plurality of repositories, determining remediations for violations indicated by the aggregated status results; determining a lowest common source for the remediations of each of the violations of the vulnerability and compliance status results”.
Therefore, the independent claims are allowable over the prior arts. The dependent claims being definite, further limiting, and fully enabled by the specification are also allowed because of their dependence on the independent claims.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAHABUB S AHMED whose telephone number is (571)272-0364.  The examiner can normally be reached on 9AM-5PM EST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/MAHABUB S AHMED/Examiner, Art Unit 2434
/KAMBIZ ZAND/Supervisory Patent Examiner, Art Unit 2434