Wrong subjects returned when storing in grafeas #1133

Closed
renzodavid9 opened this issue Jun 6, 2024 · 0 comments · Fixed by #1132
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@renzodavid9
Contributor

Expected Behavior

The subjects used to calculate grafeas occurrences should be calculated according to the formatter version used. The way v2alpha3 and v1 calculate subjects is different from the way v2alpha4 does it.

Actual Behavior

When using grafeas as a backend with payload formatter v2alpha4, the subjects from the provenance, used to calculate occurrences, are not right: the subjects are calculated using the same logic all the time, without considering the formatter version:

```go
allURIs := extract.RetrieveAllArtifactURIs(ctx, obj, b.cfg.Artifacts.PipelineRuns.DeepInspectionEnabled)
```

Steps to Reproduce the Problem

  1. Configure grafeas backend
  2. Using this workflow:
```yaml
apiVersion: tekton.dev/v1alpha1
kind: StepAction
metadata:
  name: stepaction
spec:
  results:
    - name: art1-ARTIFACT_OUTPUTS
      type: object
      properties:
        uri: {}
        digest: {}
        isBuildArtifact: {}
    - name: art1-other-ARTIFACT_OUTPUTS
      type: object
      properties:
        uri: {}
        digest: {}
        isBuildArtifact: {}
  image: bash:latest
  script: |
    echo -n "{\"uri\":\"gcr.io/foo/img02\", \"digest\":\"sha256:f7b93fed74352c53e7fd82f1e890723f04a963fcd344c65855c57a1972fbe02d\", \"isBuildArtifact\": \"true\"}" > $(step.results.art1-ARTIFACT_OUTPUTS.path)
    echo -n "{\"uri\":\"gcr.io/foo/img03\", \"digest\":\"sha256:fc1f2bab34c4cc65abcdcafd34835f1928663458340bca0e9d61eee39efb4842\", \"isBuildArtifact\": \"true\"}" > $(step.results.art1-other-ARTIFACT_OUTPUTS.path)
---
apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: task1
spec:
  results:
    - name: art2-ARTIFACT_OUTPUTS
      type: object
      properties:
        uri: {}
        digest: {}
        isBuildArtifact: {}

  steps:
    - name: step
      ref:
        name: stepaction

    - image: bash:latest
      script: |
        echo -n "{\"uri\":\"gcr.io/foo/img05\", \"digest\":\"sha256:21ff370d4db229a025067f52f87ac9c1bead8cd1068b72febadfa3e45f377101\", \"isBuildArtifact\": \"true\"}" > $(results.art2-ARTIFACT_OUTPUTS.path)
---
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
  name: pipeline
spec:
  results:
    - name: art4-ARTIFACT_OUTPUTS
      value: $(tasks.task2.results.art3-ARTIFACT_OUTPUTS)
  tasks:
    - name: task1
      taskRef:
        name: task1

    - name: task2
      taskSpec:
        results:
          - name: art3-ARTIFACT_OUTPUTS
            type: object
            properties:
              uri: {}
              digest: {}

        steps:
          - name: step
            ref:
              name: stepaction

          - image: bash:latest
            script: |
              echo -n "{\"uri\":\"gcr.io/foo/img02\", \"digest\":\"sha256:f7b93fed74352c53e7fd82f1e890723f04a963fcd344c65855c57a1972fbe02d\"}" > $(results.art3-ARTIFACT_OUTPUTS.path)
---
apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
  name: pipeline-run
spec:
  pipelineRef:
    name: pipeline
```
  3. After generating the attestation, you will see in the deployment/tekton-chains-controller logs that only 3 occurrences were uploaded; it should be 4.

renzodavid9 added the kind/bug label on Jun 6, 2024.