I've started using syft to create SBOMs for Python projects. Many projects list their requirements unversioned in requirements.txt and syft will ignore those dependencies, but create an SBOM. The pipeline succeeds and a syntactically correct SBOM has been generated, making it easy to stop working here.
Is there something like a strict mode? That is, an unversioned dependency is not ignored, but leads to an error?
The current behaviour feels like a silent failure, which is something a security tool probably shouldn't do.
(I'm ignoring indirect dependencies here.)
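One way to get the strict behaviour described above today, as an added example that is not part of syft or of the original post: a small pre-check that parses the requirements file and fails the pipeline (non-zero exit) when a direct dependency carries no version specifier. It assumes a plain pip requirements file with PEP 508 names, optional extras, version specifiers and environment markers; the sample content embedded in it is constructed for illustration. By default it only flags entries with no version at all, which is the case the question raises; the hypothetical `--require-exact` flag also flags ranges such as `>=4.2` for teams that want every entry pinned.

```python
"""Fail a build when requirements.txt lists unversioned direct dependencies.

Added example (not syft code). Assumes a plain pip requirements file.
"""
import re
import sys
from typing import List, Tuple

# Constructed sample input for demonstration; not taken from any real project.
SAMPLE_REQUIREMENTS = """\
# direct dependencies
requests==2.31.0
flask
Django>=4.2
-r other.txt
numpy ; python_version < "3.12"
urllib3~=2.0
pyyaml[safe]
bar == 1.0  # pinned, with inline comment
baz @ https://example.invalid/baz-1.0-py3-none-any.whl
"""

# PEP 508 project name, optional [extras], then whatever follows (specifier or URL).
_NAME_RE = re.compile(r"^([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)\s*(\[[^\]]*\])?\s*(.*)$")
# Version comparison operators; longer alternatives listed first so ">=" wins over ">".
_OP_RE = re.compile(r"(===|==|~=|>=|<=|!=|<|>)")


def classify(line: str) -> Tuple[str, str]:
    """Return (kind, name) for one requirements line.

    kind is 'skip' (blank, comment, pip option), 'exact' (==/=== pin),
    'range' (some other specifier) or 'unversioned' (no specifier, a direct
    URL reference, or a line this parser cannot read).
    """
    # Drop inline comments and environment markers; neither carries a version.
    body = line.split("#", 1)[0].split(";", 1)[0].strip()
    if not body or body.startswith("-"):
        return "skip", ""
    m = _NAME_RE.match(body)
    if not m:
        return "unversioned", body
    name, spec = m.group(1), m.group(3).strip()
    if not spec:
        return "unversioned", name
    if spec.startswith("@"):
        # Direct reference (name @ url): no version specifier to record.
        return "unversioned", name
    if not _OP_RE.match(spec):
        # Unparsable form (e.g. a bare VCS URL); report the whole line rather than pass it.
        return "unversioned", body
    ops = _OP_RE.findall(spec)
    if any(op in ("==", "===") for op in ops):
        return "exact", name
    return "range", name


def find_unversioned(text: str, require_exact_pin: bool = False) -> List[Tuple[int, str, str]]:
    """Return (line number, name, kind) for every entry that fails the policy."""
    bad_kinds = {"unversioned", "range"} if require_exact_pin else {"unversioned"}
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        kind, name = classify(line)
        if kind in bad_kinds:
            findings.append((lineno, name, kind))
    return findings


def main(argv: List[str]) -> int:
    """Exit 1 when findings exist, so a CI step fails instead of silently passing."""
    strict = "--require-exact" in argv          # hypothetical flag for this script
    paths = [a for a in argv if not a.startswith("--")]
    if paths:
        with open(paths[0], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_REQUIREMENTS                # fall back to the constructed sample
    findings = find_unversioned(text, strict)
    for lineno, name, kind in findings:
        print(f"line {lineno}: {name} is {kind}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as a step before syft (`python check_pins.py requirements.txt`); a non-zero exit stops the pipeline, so an SBOM that would have silently omitted components is never produced. Indirect dependencies are out of scope here, as in the question; a lock file is the usual way to cover those.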