
Option to use an SBOM input document instead of invoking syft's cataloging functionality #196

@luhring


Since Grype relies on Syft's cataloging output in order to surface matched vulnerabilities, it follows that there will be workflows where the output from Syft being run on its own should be used as input to an invocation of Grype. This will make it easier for CI pipelines to be composable and more efficient. On top of that, it will allow us to integrate Grype into Anchore Engine.

Acceptance criteria:

  1. Grype can be run such that it takes as input the unaltered output from a Syft execution.
  2. When Syft output is passed into Grype, Grype doesn't execute Syft's cataloging functionality.

Steps to test:

  1. Run Syft and save its output.
  2. Pass this output into Grype using Grype's specified mechanism for inputting such a document.
  3. Ensure that Grype is outputting vulnerability matches based on this input document.

Things that are needed for matching:

  • vulnerability provider (already accounted for)
  • distro
  • package catalog

Important consideration...
How should the user consume this behavior? Pipe a file via STDIN? Specify a path to a file? Or use a "scheme" (e.g. sbom:path/to/sbom.json)?
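As an added illustration of the workflow proposed above (not code from Grype or Syft), the following hypothetical helper resolves the three input options the issue lists (STDIN, an `sbom:` scheme, a bare path) and checks that the document actually carries the two inputs matching needs, a distro and a package catalog, before any matching would run. The Syft-style JSON document is constructed sample data, and the `artifacts`/`distro` field names are assumed.

```python
import json
import sys
from pathlib import Path

# Constructed minimal Syft-style JSON document (sample data, not real syft output).
SAMPLE_SBOM = json.dumps({
    "artifacts": [
        {"name": "openssl", "version": "1.1.1d-0+deb10u3", "type": "deb"},
        {"name": "libc6", "version": "2.28-10", "type": "deb"},
    ],
    "distro": {"name": "debian", "version": "10", "idLike": ""},
})

# Matching needs a package catalog and a distro; the vulnerability provider
# is already on the Grype side, so it is not part of the input document.
REQUIRED_KEYS = ("artifacts", "distro")


def parse_input_spec(spec):
    """Classify the user-facing input spec (hypothetical CLI convention, not Grype's).

    Returns ('stdin', None) for '-', ('sbom', path) for the sbom: scheme,
    or ('path', path) for a bare file path.
    """
    if spec == "-":
        return ("stdin", None)
    if spec.startswith("sbom:"):
        return ("sbom", spec[len("sbom:"):])
    return ("path", spec)


def read_sbom(spec, stdin=sys.stdin):
    """Fetch the raw SBOM text for a spec without invoking any cataloger."""
    kind, path = parse_input_spec(spec)
    return stdin.read() if kind == "stdin" else Path(path).read_text()


def missing_fields(text):
    """List the required top-level fields absent from the JSON document."""
    doc = json.loads(text)
    return [k for k in REQUIRED_KEYS if k not in doc]


def validate_sbom(text):
    """Return (distro, packages) if the document has what matching needs, else raise."""
    missing = missing_fields(text)
    if missing:
        raise ValueError(f"SBOM lacks fields needed for matching: {missing}")
    doc = json.loads(text)
    distro = f'{doc["distro"]["name"]}:{doc["distro"]["version"]}'
    packages = [(a["name"], a["version"], a.get("type")) for a in doc["artifacts"]]
    return distro, packages


if __name__ == "__main__":
    print(validate_sbom(read_sbom(sys.argv[1] if len(sys.argv) > 1 else "-")))
```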

Labels: enhancement (New feature or request)