
bug: --non-spdx behaves differently between list and check #188

@domWalters

What happened:

  1. When you run grant list it returns the full list of all licenses (SPDX and non-SPDX).
  2. When you run grant list --non-spdx it returns the list of all non-SPDX licenses.
  3. When you run grant check it checks the SPDX licenses ONLY.
  4. When you run grant check --non-spdx it checks the non-SPDX licenses ONLY.

Point 3 here is a problem. I assumed that because grant list worked on all licenses, grant check would as well.

What you expected to happen:

I expected grant check to run on the same licenses that grant list showed me, no matter the value of non-spdx.

Steps to reproduce the issue:
Run grant on the SBOM below (note: I have removed the metadata.component field, but grant was still happy to run on this).

Syft-generated SBOM
{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:c1fe0b1d-c4a8-4544-812c-55894fbf1051",
  "version": 1,
  "metadata": {
    "timestamp": "2025-02-19T16:13:26Z",
    "tools": {
      "components": [
        {
          "type": "application",
          "author": "anchore",
          "name": "syft",
          "version": "1.19.0"
        }
      ]
    }
  },
  "components": [
    {
      "bom-ref": "pkg:pypi/[email protected]?package-id=37dc1dec0f90d313",
      "type": "library",
      "author": "Kenneth Reitz <[email protected]>",
      "name": "certifi",
      "version": "2025.1.31",
      "licenses": [
        {
          "license": {
            "id": "MPL-2.0"
          }
        }
      ],
      "cpe": "cpe:2.3:a:kennethreitz:certifi:2025.1.31:*:*:*:*:python:*:*",
      "purl": "pkg:pypi/[email protected]",
      "properties": [
        {
          "name": "syft:package:foundBy",
          "value": "python-installed-package-cataloger"
        },
        {
          "name": "syft:package:language",
          "value": "python"
        },
        {
          "name": "syft:package:type",
          "value": "python"
        },
        {
          "name": "syft:package:metadataType",
          "value": "python-package"
        },
        {
          "name": "syft:location:0:path",
          "value": "/lib/python3.8/site-packages/certifi-2025.1.31.dist-info/METADATA"
        },
        {
          "name": "syft:location:1:path",
          "value": "/lib/python3.8/site-packages/certifi-2025.1.31.dist-info/RECORD"
        },
        {
          "name": "syft:location:2:path",
          "value": "/lib/python3.8/site-packages/certifi-2025.1.31.dist-info/top_level.txt"
        }
      ]
    },
    {
      "bom-ref": "pkg:pypi/[email protected]?package-id=e1e4dcc20a2c4a32",
      "type": "library",
      "author": "Daniel Blanchard <[email protected]>",
      "name": "chardet",
      "version": "3.0.4",
      "licenses": [
        {
          "license": {
            "name": "LGPL"
          }
        }
      ],
      "cpe": "cpe:2.3:a:daniel_blanchard_project:python-chardet:3.0.4:*:*:*:*:*:*:*",
      "purl": "pkg:pypi/[email protected]",
      "properties": [
        {
          "name": "syft:package:foundBy",
          "value": "python-installed-package-cataloger"
        },
        {
          "name": "syft:package:language",
          "value": "python"
        },
        {
          "name": "syft:package:type",
          "value": "python"
        },
        {
          "name": "syft:package:metadataType",
          "value": "python-package"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:daniel_blanchard_project:python_chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:daniel_blanchardproject:python-chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:daniel_blanchardproject:python_chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:dan_blanchard_project:python-chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:dan_blanchard_project:python_chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:dan_blanchardproject:python-chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:dan_blanchardproject:python_chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:daniel_blanchard_project:chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:daniel_blanchard:python-chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:daniel_blanchard:python_chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:daniel_blanchardproject:chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:dan_blanchard_project:chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python-chardet:python-chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python-chardet:python_chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python_chardet:python-chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python_chardet:python_chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:dan-blanchard:python-chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:dan-blanchard:python_chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:dan_blanchard:python-chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:dan_blanchard:python_chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:dan_blanchardproject:chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:daniel_blanchard:chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:chardet:python-chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:chardet:python_chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python-chardet:chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python_chardet:chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:dan-blanchard:chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:dan_blanchard:chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python:python-chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python:python_chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:chardet:chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python:chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:location:0:path",
          "value": "/lib/python3.8/site-packages/chardet-3.0.4.dist-info/METADATA"
        },
        {
          "name": "syft:location:1:path",
          "value": "/lib/python3.8/site-packages/chardet-3.0.4.dist-info/RECORD"
        },
        {
          "name": "syft:location:2:path",
          "value": "/lib/python3.8/site-packages/chardet-3.0.4.dist-info/top_level.txt"
        }
      ]
    },
    {
      "bom-ref": "pkg:pypi/[email protected]?package-id=8ddf19a91f4eb133",
      "type": "library",
      "author": "Kim Davies <[email protected]>",
      "name": "idna",
      "version": "2.6",
      "licenses": [
        {
          "license": {
            "name": "BSD-like"
          }
        }
      ],
      "cpe": "cpe:2.3:a:kim_davies_project:python-idna:2.6:*:*:*:*:*:*:*",
      "purl": "pkg:pypi/[email protected]",
      "properties": [
        {
          "name": "syft:package:foundBy",
          "value": "python-installed-package-cataloger"
        },
        {
          "name": "syft:package:language",
          "value": "python"
        },
        {
          "name": "syft:package:type",
          "value": "python"
        },
        {
          "name": "syft:package:metadataType",
          "value": "python-package"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:kim_davies_project:python_idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:kim_daviesproject:python-idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:kim_daviesproject:python_idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:kim_davies_project:idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:kim_project:python-idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:kim_project:python_idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python-idna:python-idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python-idna:python_idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python_idna:python-idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python_idna:python_idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:kim_davies:python-idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:kim_davies:python_idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:kim_daviesproject:idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:kimproject:python-idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:kimproject:python_idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python:python-idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python:python_idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:idna:python-idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:idna:python_idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:kim_project:idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python-idna:idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python_idna:idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:kim:python-idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:kim:python_idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:kim_davies:idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:kimproject:idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python:idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:idna:idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:kim:idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:location:0:path",
          "value": "/lib/python3.8/site-packages/idna-2.6.dist-info/METADATA"
        },
        {
          "name": "syft:location:1:path",
          "value": "/lib/python3.8/site-packages/idna-2.6.dist-info/RECORD"
        },
        {
          "name": "syft:location:2:path",
          "value": "/lib/python3.8/site-packages/idna-2.6.dist-info/top_level.txt"
        }
      ]
    },
    {
      "bom-ref": "pkg:pypi/[email protected]?package-id=1e956fd99751d8fb",
      "type": "library",
      "author": "The pip developers <[email protected]>",
      "name": "pip",
      "version": "20.0.2",
      "licenses": [
        {
          "license": {
            "id": "MIT"
          }
        }
      ],
      "cpe": "cpe:2.3:a:pip_developers_project:python-pip:20.0.2:*:*:*:*:*:*:*",
      "purl": "pkg:pypi/[email protected]",
      "properties": [
        {
          "name": "syft:package:foundBy",
          "value": "python-installed-package-cataloger"
        },
        {
          "name": "syft:package:language",
          "value": "python"
        },
        {
          "name": "syft:package:type",
          "value": "python"
        },
        {
          "name": "syft:package:metadataType",
          "value": "python-package"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pip_developers_project:python_pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pip_developersproject:python-pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pip_developersproject:python_pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pypa_dev_project:python-pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pypa_dev_project:python_pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pip_developers_project:pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pypa_devproject:python-pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pypa_devproject:python_pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pip_developers:python-pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pip_developers:python_pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pip_developersproject:pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python-pip:python-pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python-pip:python_pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python_pip:python-pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python_pip:python_pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pypa_dev_project:pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pypa-dev:python-pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pypa-dev:python_pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pypa_dev:python-pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pypa_dev:python_pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pypa_devproject:pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pip_developers:pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python:python-pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python:python_pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pypa:python-pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pypa:python_pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pip:python-pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pip:python_pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python-pip:pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python_pip:pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pypa-dev:pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pypa_dev:pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python:pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pypa:pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pip:pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:location:0:path",
          "value": "/lib/python3.8/site-packages/pip-20.0.2.dist-info/METADATA"
        },
        {
          "name": "syft:location:1:path",
          "value": "/lib/python3.8/site-packages/pip-20.0.2.dist-info/RECORD"
        },
        {
          "name": "syft:location:2:path",
          "value": "/lib/python3.8/site-packages/pip-20.0.2.dist-info/top_level.txt"
        }
      ]
    },
    {
      "bom-ref": "pkg:pypi/[email protected]?package-id=ba08cb0cf64eb7b4",
      "type": "library",
      "author": "UNKNOWN <UNKNOWN>",
      "name": "pkg-resources",
      "version": "0.0.0",
      "licenses": [
        {
          "license": {
            "name": "UNKNOWN"
          }
        }
      ],
      "cpe": "cpe:2.3:a:python-pkg-resources:python-pkg-resources:0.0.0:*:*:*:*:*:*:*",
      "purl": "pkg:pypi/[email protected]",
      "properties": [
        {
          "name": "syft:package:foundBy",
          "value": "python-installed-package-cataloger"
        },
        {
          "name": "syft:package:language",
          "value": "python"
        },
        {
          "name": "syft:package:type",
          "value": "python"
        },
        {
          "name": "syft:package:metadataType",
          "value": "python-package"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python-pkg-resources:python_pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python_pkg_resources:python-pkg-resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python_pkg_resources:python_pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:unknown_project:python-pkg-resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:unknown_project:python_pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:unknownproject:python-pkg-resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:unknownproject:python_pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pkg-resources:python-pkg-resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pkg-resources:python_pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pkg_resources:python-pkg-resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pkg_resources:python_pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python-pkg-resources:pkg-resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python-pkg-resources:pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python_pkg_resources:pkg-resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python_pkg_resources:pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python-pkg:python-pkg-resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python-pkg:python_pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python_pkg:python-pkg-resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python_pkg:python_pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:unknown_project:pkg-resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:unknown_project:pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:unknown:python-pkg-resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:unknown:python_pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:unknownproject:pkg-resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:unknownproject:pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pkg-resources:pkg-resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pkg-resources:pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pkg_resources:pkg-resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pkg_resources:pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python:python-pkg-resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python:python_pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pkg:python-pkg-resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pkg:python_pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python-pkg:pkg-resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python-pkg:pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python_pkg:pkg-resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python_pkg:pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:unknown:pkg-resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:unknown:pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python:pkg-resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python:pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pkg:pkg-resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pkg:pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:location:0:path",
          "value": "/lib/python3.8/site-packages/pkg_resources-0.0.0.dist-info/METADATA"
        },
        {
          "name": "syft:location:1:path",
          "value": "/lib/python3.8/site-packages/pkg_resources-0.0.0.dist-info/RECORD"
        }
      ]
    },
    {
      "bom-ref": "pkg:pypi/[email protected]?package-id=1d449c7353690259",
      "type": "library",
      "author": "Kenneth Reitz <[email protected]>",
      "name": "requests",
      "version": "2.18.4",
      "licenses": [
        {
          "license": {
            "name": "Apache 2.0"
          }
        }
      ],
      "cpe": "cpe:2.3:a:python:requests:2.18.4:*:*:*:*:*:*:*",
      "purl": "pkg:pypi/[email protected]",
      "properties": [
        {
          "name": "syft:package:foundBy",
          "value": "python-installed-package-cataloger"
        },
        {
          "name": "syft:package:language",
          "value": "python"
        },
        {
          "name": "syft:package:type",
          "value": "python"
        },
        {
          "name": "syft:package:metadataType",
          "value": "python-package"
        },
        {
          "name": "syft:location:0:path",
          "value": "/lib/python3.8/site-packages/requests-2.18.4.dist-info/METADATA"
        },
        {
          "name": "syft:location:1:path",
          "value": "/lib/python3.8/site-packages/requests-2.18.4.dist-info/RECORD"
        },
        {
          "name": "syft:location:2:path",
          "value": "/lib/python3.8/site-packages/requests-2.18.4.dist-info/top_level.txt"
        }
      ]
    },
    {
      "bom-ref": "pkg:pypi/[email protected]?package-id=c5c0f3b1788bb21b",
      "type": "library",
      "author": "Python Packaging Authority <[email protected]>",
      "name": "setuptools",
      "version": "44.0.0",
      "licenses": [
        {
          "license": {
            "name": "UNKNOWN"
          }
        }
      ],
      "cpe": "cpe:2.3:a:python:setuptools:44.0.0:*:*:*:*:*:*:*",
      "purl": "pkg:pypi/[email protected]",
      "properties": [
        {
          "name": "syft:package:foundBy",
          "value": "python-installed-package-cataloger"
        },
        {
          "name": "syft:package:language",
          "value": "python"
        },
        {
          "name": "syft:package:type",
          "value": "python"
        },
        {
          "name": "syft:package:metadataType",
          "value": "python-package"
        },
        {
          "name": "syft:location:0:path",
          "value": "/lib/python3.8/site-packages/setuptools-44.0.0.dist-info/METADATA"
        },
        {
          "name": "syft:location:1:path",
          "value": "/lib/python3.8/site-packages/setuptools-44.0.0.dist-info/RECORD"
        },
        {
          "name": "syft:location:2:path",
          "value": "/lib/python3.8/site-packages/setuptools-44.0.0.dist-info/top_level.txt"
        }
      ]
    },
    {
      "bom-ref": "pkg:pypi/[email protected]?package-id=e526a4149bb4995f",
      "type": "library",
      "author": "Andrey Petrov <[email protected]>",
      "name": "urllib3",
      "version": "1.22",
      "licenses": [
        {
          "license": {
            "id": "MIT"
          }
        }
      ],
      "cpe": "cpe:2.3:a:python:urllib3:1.22:*:*:*:*:*:*:*",
      "purl": "pkg:pypi/[email protected]",
      "properties": [
        {
          "name": "syft:package:foundBy",
          "value": "python-installed-package-cataloger"
        },
        {
          "name": "syft:package:language",
          "value": "python"
        },
        {
          "name": "syft:package:type",
          "value": "python"
        },
        {
          "name": "syft:package:metadataType",
          "value": "python-package"
        },
        {
          "name": "syft:location:0:path",
          "value": "/lib/python3.8/site-packages/urllib3-1.22.dist-info/METADATA"
        },
        {
          "name": "syft:location:1:path",
          "value": "/lib/python3.8/site-packages/urllib3-1.22.dist-info/RECORD"
        },
        {
          "name": "syft:location:2:path",
          "value": "/lib/python3.8/site-packages/urllib3-1.22.dist-info/top_level.txt"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:pypi/[email protected]?package-id=1d449c7353690259",
      "dependsOn": [
        "pkg:pypi/[email protected]?package-id=37dc1dec0f90d313",
        "pkg:pypi/[email protected]?package-id=e1e4dcc20a2c4a32",
        "pkg:pypi/[email protected]?package-id=8ddf19a91f4eb133",
        "pkg:pypi/[email protected]?package-id=e526a4149bb4995f"
      ]
    },
    {
      "ref": "pkg:pypi/[email protected]?package-id=e526a4149bb4995f",
      "dependsOn": [
        "pkg:pypi/[email protected]?package-id=37dc1dec0f90d313"
      ]
    }
  ]
}
`grant` configuration file
format: table
show-packages: true
non-spdx: false
osi-approved: false
rules:
  - pattern: "Apache *"
    name: "allow-all-non-spdx-apache"
    mode: "allow"
  - pattern: "BSD-*"
    name: "allow-all-bsd"
    mode: "allow"
  - pattern: "LGPL*"
    name: "allow-all-LGPL"
    mode: "allow"
  - pattern: "MIT"
    name: "allow-mit"
    mode: "allow"
  - pattern: "MPL-*"
    name: "allow-mpl"
    mode: "allow"
  - pattern: "OpenSSL"
    name: "allow-openssl"
    mode: "allow"
  - pattern: "Zlib"
    name: "allow-zlib"
    mode: "allow"
  # Reject the rest.
  - pattern: "*"
    name: "default-deny-all"
    mode: "deny"
    reason: "All licenses need to be explicitly allowed"
    exceptions:
      - "pkg-resources"   # Inclusion of this is an Ubuntu bug
      - "setuptools"      # Setuptools is MIT, it just doesn't detect it

For completeness, this SBOM was generated using syft on a Python .venv which was created from this requirements.txt:

# Direct
requests==2.18.4

# Inherited
certifi==2025.1.31
chardet==3.0.4
idna==2.6
urllib3==1.22

Note: Yes, I'm aware these versions are ancient. This was used to demo the functionality of syft / grype / grant to senior colleagues so I can push for adoption of the whole suite of tools 😊

FYI, syft does not correctly identify the licenses of these versions of:

  • requests
    • "Apache 2.0" instead of "Apache-2.0"
  • chardet
    • "LGPL" instead of "LGPL-2.1-only" (I think)
  • idna
    • "BSD-like" instead of "BSD-3-Clause"

But I've put that down to the licenses in those repos not being the exact SPDX license match.

requests and chardet have since changed their LICENSE text to more closely match the actual license, so I imagine those should match properly in newer versions.

Anything else we need to know?:

Environment:

  • Output of grant version: 0.2.6
  • OS:
NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.6 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
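The list/check split described in the issue, as an added example (editor's code, not grant's own and not from the report): a small Python evaluator that applies the issue's rule set to the SBOM's license entries, separating SPDX `id` entries from non-SPDX `name` entries, and reports which packages `grant list` shows but a given `grant check` mode never evaluates. It assumes first-match-wins rule ordering and `fnmatch`-style globbing (grant's real semantics may differ), and adds one constructed component, `example-lib`, that the issue's SBOM does not contain.

```python
"""Toy model of the `grant list` / `grant check --non-spdx` asymmetry from the
issue. Added example, not grant's code; rule semantics are an assumption."""
import fnmatch
import json

# Constructed: the license entries from the issue's SBOM, trimmed to the fields
# that matter. SPDX licenses carry "id", non-SPDX licenses carry "name".
# "example-lib" is NOT in the issue's SBOM; it is added here to show a
# non-SPDX license the policy would deny.
SBOM = json.loads("""
{
  "components": [
    {"name": "certifi",       "licenses": [{"license": {"id": "MPL-2.0"}}]},
    {"name": "chardet",       "licenses": [{"license": {"name": "LGPL"}}]},
    {"name": "idna",          "licenses": [{"license": {"name": "BSD-like"}}]},
    {"name": "pip",           "licenses": [{"license": {"id": "MIT"}}]},
    {"name": "pkg-resources", "licenses": [{"license": {"name": "UNKNOWN"}}]},
    {"name": "requests",      "licenses": [{"license": {"name": "Apache 2.0"}}]},
    {"name": "setuptools",    "licenses": [{"license": {"name": "UNKNOWN"}}]},
    {"name": "urllib3",       "licenses": [{"license": {"id": "MIT"}}]},
    {"name": "example-lib",   "licenses": [{"license": {"name": "Custom EULA"}}]}
  ]
}
""")

# The rule set from the issue's grant configuration file, as Python data.
# Assumption: first matching pattern wins; "exceptions" names packages the
# rule does not apply to (so the catch-all deny lets them through).
RULES = [
    {"pattern": "Apache *", "mode": "allow"},
    {"pattern": "BSD-*", "mode": "allow"},
    {"pattern": "LGPL*", "mode": "allow"},
    {"pattern": "MIT", "mode": "allow"},
    {"pattern": "MPL-*", "mode": "allow"},
    {"pattern": "OpenSSL", "mode": "allow"},
    {"pattern": "Zlib", "mode": "allow"},
    {"pattern": "*", "mode": "deny", "exceptions": ["pkg-resources", "setuptools"]},
]


def licenses(sbom, non_spdx=None):
    """Yield (package, license, is_spdx). non_spdx=None yields every entry
    (what `grant list` shows); True/False yields only that kind."""
    for comp in sbom["components"]:
        for entry in comp.get("licenses", []):
            lic = entry["license"]
            is_spdx = "id" in lic
            if non_spdx is None or non_spdx == (not is_spdx):
                yield comp["name"], lic.get("id") or lic.get("name"), is_spdx


def evaluate(package, license_name):
    """Apply the rules to one license string; returns "allow" or "deny"."""
    for rule in RULES:
        if fnmatch.fnmatchcase(license_name, rule["pattern"]):
            if package in rule.get("exceptions", []):
                return "allow"  # package is excepted from this rule
            return rule["mode"]
    return "deny"  # assumption: a license no rule matches is denied


def check(sbom, non_spdx=False):
    """Mimic `grant check` as the issue describes it: SPDX licenses only by
    default, non-SPDX licenses only with --non-spdx. One license per package
    in this sample, so a dict keyed by package is enough."""
    return {pkg: evaluate(pkg, lic) for pkg, lic, _ in licenses(sbom, non_spdx)}


def check_all(sbom):
    """What the reporter expected: evaluate every license `grant list` shows."""
    return {pkg: evaluate(pkg, lic) for pkg, lic, _ in licenses(sbom)}


def silently_unchecked(sbom, non_spdx=False):
    """Packages `grant list` shows that this check mode never evaluates.
    These pass the gate without any rule having looked at them."""
    listed = {pkg for pkg, _, _ in licenses(sbom)}
    return sorted(listed - set(check(sbom, non_spdx)))


if __name__ == "__main__":
    print("check (default):   ", check(SBOM))
    print("check --non-spdx:  ", check(SBOM, non_spdx=True))
    print("never evaluated:   ", silently_unchecked(SBOM))
    print("check on all:      ", check_all(SBOM))
```

With the default mode, `example-lib` is never evaluated and the run reports every checked package as allowed, which is the silent gap the issue is about; checking all listed licenses surfaces the deny.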
