Can't use syft JSON output as input

[luhring]

I'm seeing a set of related error cases when trying to have Grype read Syft's JSON output as its input (in lieu of Grype invoking Syft to catalog an image or directory).

As an initial setup, from ~/Desktop, I ran syft -o json alpine:latest > ./alpine.json. This produced a 39KB JSON file that looked like what I'd expect.

Here are the cases I tried, all of which I'd expect to result in a successful vulnerability analysis from Grype:

A) Piping to STDIN:

$ cat ./alpine.json | grype
ERROR failed to catalog: unable to process input for scanning: ''

B) Specifying an absolute path:

$ grype sbom:/Users/dan/Desktop/alpine.json
ERROR failed to catalog: unable to process input for scanning: 'sbom:/Users/dan/Desktop/alpine.json'

C) Specifying a path with tilde for the home directory:

$ grype sbom:~/Desktop/alpine.json
ERROR failed to catalog: user hinted 'sbom:' but couldn't read SBOM file: open ~/Desktop/alpine.json: no such file or directory

D) Specifying a relative path explicitly from the current directory:

$ grype sbom:./alpine.json
ERROR failed to catalog: unable to process input for scanning: 'sbom:./alpine.json'

E) Specifying a relative path implicitly from the current directory:

$ grype sbom:alpine.json
ERROR failed to catalog: could not fetch image 'sbom:alpine.json': pull failed: Error response from daemon: pull access denied for sbom, repository does not exist or may require 'docker login': denied: requested access to the resource is denied