
fix: reject empty symbol table from ReadTable#333

Open
jiridanek wants to merge 1 commit into
openshift:mainfrom
jiridanek:fix-empty-symtable-guard

Conversation

@jiridanek
Member

@jiridanek jiridanek commented May 11, 2026

https://redhat.atlassian.net/browse/RHAIENG-4982

Summary

Follow-up to #330. Add a guard in _loadGoSymbols to reject symbol tables
with zero functions.

A Go binary always has functions in its pclntab — even a trivial func main() {}
produces hundreds of runtime functions. An empty symbol table indicates the
pclntab was parsed from corrupt or unrelated data (e.g., a coincidental magic
byte match in the wrong ELF section).

Problem

Without this guard, an empty table causes isUsingCryptoModule to return
false (no functions to iterate → no crypto found), setting GoNoCrypto=true.
This silently skips all subsequent FIPS validation:

  • validateGoSymbols — skipped
  • validateGoCgo — skipped
  • validateGoCGOInit — skipped
  • validateGoStatic — skipped
  • validateGoOpenssl — skipped

The binary passes check-payload with no errors and no warnings, even though
no actual validation was performed.

How we discovered this

During analysis for #329, we found that on amd64 Go 1.26 PIE binaries, the
old buggy section lookup read .data.rel.ro instead of .gopclntab. The BE
magic ff ff ff f1 matched at a coincidental offset in .data.rel.ro,
producing an empty gosym.Table (0 funcs). The scan appeared to succeed
but performed zero Go FIPS validation.

Change

if len(symtable.Funcs) == 0 {
    return types.NewValidationError(fmt.Errorf(
        "go: symbol table for %v has no functions (pclntab may be corrupt)",
        filepath.Base(path)))
}

Made with Cursor

A Go binary always has functions in its pclntab (runtime, etc.).
An empty symbol table (0 funcs) indicates a corrupt or incorrectly
parsed pclntab — for example, when the magic bytes match at a
coincidental offset in the wrong ELF section.

Without this guard, an empty table causes isUsingCryptoModule to
return false, setting GoNoCrypto=true, which silently skips all
subsequent FIPS validation (CGO, symbols, tags, static linking,
OpenSSL checks).

Co-authored-by: Cursor <cursoragent@cursor.com>
@openshift-ci
Contributor

openshift-ci Bot commented May 11, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: jiridanek
Once this PR has been reviewed and has the lgtm label, please assign rhmdnd for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci
Contributor

openshift-ci Bot commented May 11, 2026

@jiridanek: all tests passed!

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@smith-xyz
Contributor

/lgtm

Just doing some testing to ensure this doesn't break anything with various OCP versions.

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label May 12, 2026