Description
From Tekton/Konflux, I would like to be able to minimize the time that it takes for a build PipelineRun to be completed. This means that I would like to move some of the tests and required tasks to a separate pipeline. If I report the IMAGE_URL and IMAGE_DIGEST as results for the second Pipeline, Chains will create an attestation on the same artifact.
When verifying this artifact with Conforma, however, the policies are applied to each provenance in the JSON stream instead of on the union of the provenance artifacts. This results in situations where the checks on required tasks are reporting as a warning and an error.
Ideally, Conforma policy evaluations would be able to de-duplicate results as well, in case some of the PipelineRuns are rerun, producing duplicate attestations. This could potentially be deferred to a later issue.
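The difference described above, as an added Python illustration that is not Conforma or Chains code: a required-tasks check run on each attestation separately versus once on the union of attestations that share a subject digest. The task names, digests, PipelineRun names and the flattened attestation shape are all constructed assumptions.

```python
from collections import defaultdict

# Hypothetical required-task list; a real policy would take this from its rule data.
REQUIRED_TASKS = {"buildah", "clair-scan", "sast-scan"}

# Constructed, heavily simplified attestations. Real Chains provenance is an
# in-toto statement; only the subject digest, the PipelineRun name and the
# names of succeeded tasks are kept here.
ATTESTATIONS = [
    {"digest": "sha256:aaaa", "pipelinerun": "build-1", "tasks": ["buildah"]},
    {"digest": "sha256:aaaa", "pipelinerun": "test-1",
     "tasks": ["clair-scan", "sast-scan"]},
    # Rerun of the test pipeline: the same tasks attested a second time.
    {"digest": "sha256:aaaa", "pipelinerun": "test-1-rerun",
     "tasks": ["clair-scan", "sast-scan"]},
    # A second image whose test pipeline never ran.
    {"digest": "sha256:bbbb", "pipelinerun": "build-2", "tasks": ["buildah"]},
]


def missing_per_attestation(attestations, required=REQUIRED_TASKS):
    """Check each provenance on its own: every split pipeline looks incomplete."""
    return {a["pipelinerun"]: sorted(required - set(a["tasks"]))
            for a in attestations}


def missing_on_union(attestations, required=REQUIRED_TASKS):
    """Group by subject digest, union the attested tasks, then check once."""
    tasks_by_digest = defaultdict(set)
    for a in attestations:
        # Set union absorbs tasks repeated by a rerun attestation.
        tasks_by_digest[a["digest"]].update(a["tasks"])
    return {digest: sorted(required - tasks)
            for digest, tasks in tasks_by_digest.items()}


if __name__ == "__main__":
    print("per attestation:", missing_per_attestation(ATTESTATIONS))
    print("on union:       ", missing_on_union(ATTESTATIONS))
```

Evaluating on the union clears the image whose build and test pipelines together cover the required tasks, while the second image still reports its missing scans.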