DETAILED ACTION

Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 20 September 2022 has been entered.
By the above submission, Claims 1-3, 5, 8-11, and 15-17 have been amended.  No claims have been added or canceled.  Claims 1-3, 5, 8-11, and 15-17 are currently pending in the present application.

Response to Arguments

Applicant’s arguments with respect to the rejection of Claims 1-3, 5, 8-11, and 15-17 under 35 U.S.C. 103 have been considered but are moot in view of the new grounds of rejection set forth below.



Drawings

The objections to the drawings under 37 CFR 1.84(p)(5) are withdrawn in light of the amendments to the specification.

Specification

The objection to the specification for failure to provide proper antecedent basis for the claimed subject matter is withdrawn in light of the amendments to the claims.  The objection to the disclosure for informalities is NOT withdrawn, because the amendments have raised new issues, as detailed below.
The disclosure is objected to because of the following informalities:  
In paragraph 0026, line 2 (see page 2 of the present response), the phrase “(CVEs) CVEs” is grammatically unclear and redundant, and it also appears that this includes an unmarked amendment which is not in compliance with the requirements of 37 CFR 1.121(b)(1)(ii).  
Appropriate correction is required.  Applicant’s cooperation is again requested in correcting any errors of which applicant may become aware in the specification.  Applicant is reminded that all amendments must comply fully with the provisions of 37 CFR 1.121.


Claim Objections

Claims 1, 2, 9, 10, 16, and 17 are objected to because of the following informalities:
In Claim 1, line 32, one instance of “the” should be deleted from the phrase “the the first image”.
In Claim 2, line 6, “a group” should read “the group” for definition of a proper Markush group.  See MPEP § 2173.05(h).
In Claim 9, line 27, one instance of “the” should be deleted from the phrase “the the first image”.
In Claim 10, line 6, “a group” should read “the group” for definition of a proper Markush group.  See MPEP § 2173.05(h).
In Claim 15, line 29, one instance of “the” should be deleted from the phrase “the the first image”.
In Claim 16, line 7, “a group” should read “the group” for definition of a proper Markush group.  See MPEP § 2173.05(h).
Appropriate correction is required.

Claim Rejections - 35 USC § 112

The rejection of Claims 1-3, 5, 8-11, and 15-17 under 35 U.S.C. 112(a) for failure to comply with the written description requirement is withdrawn in light of the amendments to the claims.  The rejection of Claims 1-3, 5, 8-11, and 15-17 under 35 U.S.C. 112(b) as indefinite is NOT withdrawn, because not all issues have been addressed and/or because the amendments have raised new issues, as detailed below.
The following is a quotation of 35 U.S.C. 112(b):

(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-3, 5, 8-11, and 15-17 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claim 1 recites “a first image” in line 10.  It is not clear whether this is intended to refer to the same image that is searched for in line 8 or to a distinct image.  The claim further recites “and for purpose of a vulnerability rectification” in lines 14-15.  It is not grammatically clear what this phrase is intended to modify or be coordinated with.  The claim additionally recites “a success rate for the security patches via a comparison between the first scan result and the second scan result” in lines 44-46.  It is not clear how the success rate for the patches is defined, and the specification does not clearly define how the subjective term “success” would be defined or provide a clear standard of comparison.  See MPEP § 2173.05(b).  Further, it is not clear what in the first and second scan results is actually being compared.  The above ambiguities render the claim indefinite.
Claim 2 recites “automatically update the security rules and CVE in response to a triggering event” in lines 3-4; however, Claim 1 also recites “automatically update the security rules and CVE”.  It is not clear whether the step in Claim 2 is intended to be a separate step of updating the rules or if it is intended to be a further limitation on the step in Claim 1.
Claim 3 recites “the first image” in line 5.  It is not clear whether this is intended to refer to the original version of the first image or the updated version of the first image.
Claim 5 recites “the severity ratings for at least one of the identified security vulnerabilities for the first image reaches a threshold level” in lines 5-6.  The verb “reaches” does not agree with the plural subject “ratings”.
Claim 8 recites “the first image information” in line 11.  However, although the claim recites image information, there is not clear antecedent basis for “first image information”.
Claim 9 recites “a first image” in line 7.  It is not clear whether this is intended to refer to the same image that is searched for in line 5 or to a distinct image.  The claim further recites “and for purpose of a vulnerability rectification” in lines 10-11.  It is not grammatically clear what this phrase is intended to modify or be coordinated with.  The claim also recites “automatically update” in line 20.  This is not in parallel grammatical structure with the other claimed steps.  The claim additionally recites “a success rate for the security patches via a comparison between the first scan result” in lines 38-39.  It is not clear how the success rate for the patches is defined, and the specification does not clearly define how the subjective term “success” would be defined or provide a clear standard of comparison.  See MPEP § 2173.05(b).  Further, it is not clear what is actually being compared, and the phrase “between the first scan result” is grammatically unclear because it is not clear what two items this is between.  The above ambiguities render the claim indefinite.
Claim 10 recites “automatically updating the security rules and CVE in response to a triggering event” in lines 3-4; however, Claim 9 also recites “automatically updating the security rules and CVE”.  It is not clear whether the step in Claim 10 is intended to be a separate step of updating the rules or if it is intended to be a further limitation on the step in Claim 9.
Claim 11 recites “the first image” in line 5.  It is not clear whether this is intended to refer to the original version of the first image or the updated version of the first image.
Claim 15 recites “a first image” in line 8.  It is not clear whether this is intended to refer to the same image that is searched for in line 6 or to a distinct image.  The claim further recites “and for purpose of a vulnerability rectification” in lines 12-13.  It is not grammatically clear what this phrase is intended to modify or be coordinated with.  The claim additionally recites “a success rate for the security patches via a comparison between the first scan result and the second scan result” in lines 39-41.  It is not clear how the success rate for the patches is defined, and the specification does not clearly define how the subjective term “success” would be defined or provide a clear standard of comparison.  See MPEP § 2173.05(b).  Further, it is not clear what in the first and second scan results is actually being compared.  The above ambiguities render the claim indefinite.
Claim 16 recites “automatically update the security rules and CVE in response to a triggering event” in lines 4-5; however, Claim 15 also recites “automatically update the security rules and CVE”.  It is not clear whether the step in Claim 16 is intended to be a separate step of updating the rules or if it is intended to be a further limitation on the step in Claim 15.
Claim 17 recites “the first image” in line 6.  It is not clear whether this is intended to refer to the original version of the first image or the updated version of the first image
Claims not specifically referred to above are rejected due to their dependence on a rejected base claim.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5, 8-11, and 15-17 are rejected under 35 U.S.C. 103 as being unpatentable over Stopel et al, US Patent Application Publication 2017/0109536, in view of Nadgowda et al, US Patent 10896260 (previously cited in the Office action mailed 22 December 2021), Martin et al, “Docker ecosystem – Vulnerability Analysis”, and Nickolov et al, US Patent 10142204.
In reference to Claim 1, Stopel discloses a system for identifying security vulnerabilities that includes a memory and processor (see Figure 5) storing and executing instructions to access a repository that includes a plurality of container images (Figure 3, image registry 330; paragraph 0031) and searching the repository for a first image and extracting the first image (paragraphs 0059-0069; Figure 6, steps S610-S630), where the first image includes layered code files to generate an interactive image container configured to deploy an application to run on an operating system (see paragraph 0007, where the container is interacted with by various applications/software); scanning the extracted first image for identifiable security vulnerabilities based on a set of security rules and CVEs having CVE identification numbers stored in a security vulnerability database (paragraph 0035; paragraphs 0043-0045; Figure 6, step S650); generating a container based on the first image (see Figure 1); and generating and storing a first scan result listing the identified vulnerabilities (Figure 6, steps S660 through end; paragraph 0068).  However, Stopel does not explicitly disclose updating the image or container.
Nadgowda discloses a system that includes instantiating an image for the purpose of rectifying vulnerabilities in a first image (column 4, line 63-column 5, line 56, and Figure 3), updating the image by executing a set of security patches to remedy identified security vulnerabilities and updating rules and CVEs (column 4, line 63-column 5, line 56, updates to fix vulnerabilities), and a success rate of the security patches (column 4, lines 46-62, and Figure 2).  Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Stopel to include the security patches as taught by Nadgowda, in order to remedy the vulnerabilities (see Nadgowda, column 4, lines 46-62).
However, although Nadgowda discloses updating the image and generally also discloses containers, neither Stopel nor Nadgowda explicitly discloses updating the container.  Martin discloses rebuilding a container and image based on updates (see section 4.1).  In combination, this suggests scanning the updated image and generating and storing second scan results listing the identified vulnerabilities and comparing vulnerabilities (Stopel, paragraphs 0035, 0043-0045, and 0068; Figure 6, steps S650 through end; Martin, section 4.1).  Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to further modify the system of Stopel to include the updating of the container and comparing vulnerabilities as taught by Martin, in order to allow security updates to be incorporated into the rebuilt container (see Martin, section 4.1).
However, although Nadgowda discloses a report of remedies for vulnerabilities, none of Stopel, Nadgowda, nor Martin explicitly discloses a graphical representation of a comparison between first and second scan results.  Nickolov discloses an interface displaying a comparison of different images to a user showing a comparison of vulnerabilities (see column 41, line 17-column 42, line 5).  Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to further modify the system of Stopel to include the display taught by Nickolov, in order to allow the user to assess the reliability of configuration changes (see Nickolov, column 40, lines 45-55).
In reference to Claim 2, Stopel, Nadgowda, Martin, and Nickolov further disclose that the processor is adapted to update the security vulnerability database in response to a triggering event including time interval or a request (see Stopel, paragraphs 0035, 0043).
In reference to Claim 3, Stopel, Nadgowda, Martin, and Nickolov further disclose storing the updates in the database and the updated version of the image (see Martin, section 4.1).
In reference to Claim 5, Stopel, Nadgowda, Martin, and Nickolov further disclose severity ratings that are used to automatically update the container (see Martin, section 3.4).
In reference to Claim 8, Stopel, Nadgowda, Martin, and Nickolov further disclose a user interface displaying scan results, scan histories, and vulnerability comparisons, and generating files (Stopel, paragraphs 0035, 0043-0045, and 0068; Figure 6, steps S650 through end; Nadgowda, column 4, lines 46-62; Martin, section 4.1; Nickolov, column 41, line 17-column 42, line 5).

Claims 9-11 are directed to methods corresponding to the functionality of the systems of Claims 1-3, and are rejected by a similar rationale, mutatis mutandis.
Claims 15-17 are directed to software implementations of the methods of Claims 9-11, and are rejected by a similar rationale.


Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Howard et al, US Patent 10891003, discloses methods for deploying interactive containers.
Cho, US Patent 11030022, discloses methods for instantiating interactive containers.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Zachary A Davis whose telephone number is (571)272-3870. The examiner can normally be reached Monday-Friday, 9:30am-6:00pm, Eastern Time.
Examiner interviews are available via telephone and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Zachary A. Davis/Primary Examiner, Art Unit 2492