At the moment the implementation grabs the packages with incorrect permissions, ownership, or group membership, and then checks to see if it's within an allowlist or not. It then prints any that are not in the allowlist as a single failing test. It also makes the assumption that packages can't have spaces in them.

My read of the requirements say that you need to individually validate the permissions, ownership, and group membership of every file within said packages, and fail out per each of those files. Furthermore, you can only get exceptions for ownership and group membership but not the permissions, which is what the variable name says (the comment associated with the variable is incorrectly looser by allowing exceptions to the verification stuff in general).