DETAILED ACTION
The present application is being examined under the pre-AIA first to invent provisions.
Specification
The lengthy specification has not been checked to the extent necessary to determine the presence of all possible minor errors. Applicant’s cooperation is requested in correcting any errors of which applicant may become aware in the specification.
Claim Objections
A series of singular dependent claims is permissible in which a dependent claim refers to a preceding claim which, in turn, refers to another preceding claim.
A claim which depends from a dependent claim should not be separated by any claim which does not also depend from said dependent claim. It is noted that Claims 9 and 19 are separated from Claims 2 and 12 respectively by Claims 8 and 18, which do not depend directly or indirectly from Claims 2 and 12. It should be kept in mind that a dependent claim may refer to any preceding independent claim. In general, applicant's sequence will not be changed. See MPEP § 608.01(n).
Claim Rejections - 35 USC § 101
It is acknowledged that paragraph 0050 of the present specification excludes transitory signals from the definition of a “computer readable storage medium” as recited in at least independent Claim 11.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 1 recites “each layer” in line 4 and “each file” in line 5; however, there is not clear antecedent basis for these limitations because it was not previously established that the first container image includes any layers or that the layers include any files. The claim further recites “the layer” in line 7; however, it is not clear to which of the plural layers this is intended to refer, although this may be intended to refer to a respective layer. These ambiguities render the claim indefinite.
Claim 2 recites “the second container image” in lines 3, 5, and 7-8. However, it is not clear to which of the potentially plural second container images these limitations are intended to refer. The claim further recites “the layer” in line 4. It is not clear to which of the plural layers this is intended to refer, although this may be intended to refer to a respective layer.
Claim 3 recites “the file signature” in line 1 and “the file” in lines 2-3. However, because there are plural signatures and files, it is not clear to which of the signatures or files these limitations are intended to refer.
Claim 4 recites “the file” in line 1. It is not clear to which of the plural files this is intended to refer.
Claim 6 recites “the vulnerability” in lines 3 and 4. It is not clear to which of the plural vulnerabilities these limitations are intended to refer.
Claim 7 recites “an identified second container image” in lines 1-2. It is not clear whether this is intended to refer to the same identified second container image recited in Claim 5 or to a distinct image. The claim further recites “for scanning and generation of a vulnerability signature” in lines 4-5. It is not grammatically clear what this phrase is intended to modify.
Claim 9 recites “the file signature” in lines 3-4 and “the file” in line 4. However, because there are plural signatures and files, it is not clear to which of the signatures or files these limitations are intended to refer.
Claim 11 recites “each layer” in line 5 and “each file” in lines 5-6; however, there is not clear antecedent basis for these limitations because it was not previously established that the first container image includes any layers or that the layers include any files. The claim further recites “the layer” in line 8; however, it is not clear to which of the plural layers this is intended to refer, although this may be intended to refer to a respective layer. These ambiguities render the claim indefinite.
Claim 12 recites “the second container image” in lines 4, 6, and 8. However, it is not clear to which of the potentially plural second container images these limitations are intended to refer. The claim further recites “the layer” in lines 4-5. It is not clear to which of the plural layers this is intended to refer, although this may be intended to refer to a respective layer.
Claim 13 recites “the file signature” in line 1 and “the file” in lines 2-3. However, because there are plural signatures and files, it is not clear to which of the signatures or files these limitations are intended to refer.
Claim 14 recites “the file” in line 1. It is not clear to which of the plural files this is intended to refer.
Claim 16 recites “the vulnerability” in lines 3 and 5. It is not clear to which of the plural vulnerabilities these limitations are intended to refer.
Claim 17 recites “an identified second container image” in lines 1-2. It is not clear whether this is intended to refer to the same identified second container image recited in Claim 15 or to a distinct image. The claim further recites “for scanning and generation of a vulnerability signature” in lines 4-5. It is not grammatically clear what this phrase is intended to modify.
Claim 19 recites “the file signature” in line 4 and “the file” in line 5. However, because there are plural signatures and files, it is not clear to which of the signatures or files these limitations are intended to refer.
Claim 20 recites “each layer” in line 7 and “each file” in lines 7-8; however, there is not clear antecedent basis for these limitations because it was not previously established that the first container image includes any layers or that the layers include any files. The claim further recites “the layer” in line 10; however, it is not clear to which of the plural layers this is intended to refer, although this may be intended to refer to a respective layer. These ambiguities render the claim indefinite.
Claims not explicitly referred to above are rejected due to their dependence on a rejected base claim.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Stopel et al, US Patent 10223534, in view of Mcallister et al, US Patent Application Publication 2020/0082095.
In reference to Claim 1, Stopel discloses a method that includes receiving a first container image for inclusion in a registry (column 8, lines 55-65, step S610); scanning layers of the first image to generate file signatures for files referenced in the layers (layers extracted, step S630, column 9, lines 3-13; files scanned, step S650, column 9, lines 22-49); applying vulnerability signatures to each layer based on the file signatures (signature generated, S680, column 9, line 63-column 10, line 5); and accepting or denying registration of the first image in the registry based on results of the application of the signatures (column 9, lines 14-21, step S690, if safe, added to registry). However, Stopel does not explicitly disclose the use of rules.
Mcallister discloses a method that includes scanning layers of a first container image to generate file signatures for files referenced in the layers (see paragraphs 0020-0026) and applying vulnerability signatures to each layer based on the file signatures to determine if vulnerability rules are satisfied by the layers, where each signature includes rules generated from scanning and indexing layers of one or more second container images (see paragraph 0064, signatures; see also paragraphs 0047 and 0115-0116, policies and rules applied and generated). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Stopel to include the rules as taught by Mcallister, in order to allow granular classification of vulnerabilities (see Mcallister, paragraph 0116).
In reference to Claim 2, Stopel and Mcallister further disclose scanning second container images to generate file signatures and generating and storing rules for each file (see Stopel, signatures, column 9, line 63-column 10, line 5; Mcallister, paragraphs 0115-0116, rules generated).
In reference to Claims 3 and 4, Stopel and Mcallister further disclose hash values generated by hash functions applied to the files and metadata such as filename, location, permission, or size (see Stopel, column 9, line 63-column 10, line 5, hashes; see also Mcallister, paragraph 0064, hashes, and paragraph 0062, metadata).
In reference to Claims 5-7, Stopel and Mcallister further disclose determining that an identified second container image is associated with a vulnerability, which includes providing an image with a known vulnerability, and generating and storing vulnerability signatures including required and optional rule data structures (see Stopel, signatures, column 9, line 63-column 10, line 5; Mcallister, paragraphs 0115-0116, rules generated).
In reference to Claim 9, Stopel and Mcallister further disclose generating and storing a rule data structure when there is not an existing rule data structure for a file (Mcallister, paragraphs 0115-0116, rules generated).
In reference to Claim 8, Stopel and Mcallister further disclose denying registration when a layer matches a vulnerability signature and allowing registration when there is no match (see Stopel, step S690, column 9, lines 14-21).
In reference to Claim 10, Stopel and Mcallister further do not disclose installation of a package manager (noting that there is no mention in the references of a package manager that is installed, and therefore, the method is performed without such installation).
Claims 11-19 are directed to software implementations of the methods of Claims 1-9, and are rejected by a similar rationale.
Claim 20 is directed to an apparatus having functionality corresponding to the method of Claim 1, and is rejected by a similar rationale, mutatis mutandis.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Zachary A Davis whose telephone number is (571)272-3870. The examiner can normally be reached Monday-Friday, 9:00am-5:30pm, Eastern Time.
Examiner interviews are available via telephone and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rupal D Dharia, can be reached at (571) 272-3880. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Zachary A. Davis/Primary Examiner, Art Unit 2492