Nathan Voss
Most of the plugins invoke external applications via the `execute_shell_command()` helper function. This function provides an optional parameter of `timeout`, which defaults to `None` (aka no timeout). It would be...
The current SPDX spec allows for Files to be included in a Document with no associated Package. This is specified at https://spdx.github.io/spdx-spec/4-file-information/ in the following section (see bullet points 1...
The SPDX spec allows for multiple checksums to be provided for Packages and Files, but the current Package and File classes only allow a single value to be specified. See...
Some scan types parsed by DefectDojo are able to specify multiple CWEs for a single issue/vulnerability. For example, the Snyk scan format contains an `identifiers.CWE` field that contains a list...
**What would you like to be added**: I have observed `status` files in real-world filesystems at paths that vary slightly from the set of globs currently searched for by the...
It is possible to create PackageURL objects that contain invalid fields, specifically by using the `PackageURL` kwarg constructor and passing in values that contain colons. Simple example: ``` >>> from...