cmd/govulncheck: add docs on detecting main module vulns

This only applies to binaries. Change-Id: Ia499e823a08a1b039cba72d5c06b5f3b2cd2f942 Reviewed-on: https://go-review.googlesource.com/c/vuln/+/603575 Reviewed-by: Maceo Thompson <maceothompson@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
golang · Aug 7, 2024 · ffdef74 · ffdef74
1 parent 902ccc7
commit ffdef74
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/cmd/govulncheck/doc.go b/cmd/govulncheck/doc.go
@@ -50,7 +50,10 @@ with the '-mode binary' flag:
 	$ govulncheck -mode binary $HOME/go/bin/my-go-program
 
 Govulncheck uses the binary's symbol information to find mentions of vulnerable
-functions. Its output omits call stacks, which require source code analysis.
+functions. These functions can belong to binary's transitive dependencies and
+also the main module of the binary. The latter functions are checked for only
+when the precise version of the binary module is known. Govulncheck output on
+binaries omits call stacks, which require source code analysis.
 
 Govulncheck also supports '-mode extract' on a Go binary for extraction of minimal
 information needed to analyze the binary. This will produce a blob, typically much