From ffdef74cc44d7eb71931d8d414c478b966812488 Mon Sep 17 00:00:00 2001 From: Zvonimir Pavlinovic Date: Tue, 6 Aug 2024 18:52:26 +0000 Subject: [PATCH] cmd/govulncheck: add docs on detecting main module vulns This only applies to binaries. Change-Id: Ia499e823a08a1b039cba72d5c06b5f3b2cd2f942 Reviewed-on: https://go-review.googlesource.com/c/vuln/+/603575 Reviewed-by: Maceo Thompson LUCI-TryBot-Result: Go LUCI --- cmd/govulncheck/doc.go | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/cmd/govulncheck/doc.go b/cmd/govulncheck/doc.go index 4a6160a..8de6904 100644 --- a/cmd/govulncheck/doc.go +++ b/cmd/govulncheck/doc.go @@ -50,7 +50,10 @@ with the '-mode binary' flag: $ govulncheck -mode binary $HOME/go/bin/my-go-program Govulncheck uses the binary's symbol information to find mentions of vulnerable -functions. Its output omits call stacks, which require source code analysis. +functions. These functions can belong to binary's transitive dependencies and +also the main module of the binary. The latter functions are checked for only +when the precise version of the binary module is known. Govulncheck output on +binaries omits call stacks, which require source code analysis. Govulncheck also supports '-mode extract' on a Go binary for extraction of minimal information needed to analyze the binary. This will produce a blob, typically much
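Review bot: In the doc.go hunk the added sentence "These functions can belong to binary's transitive dependencies and also the main module of the binary" is missing an article and a parallel preposition; read "These functions can belong to the binary's transitive dependencies and also to the main module of the binary." The following sentence, "The latter functions are checked for only when the precise version of the binary module is known," leaves the reader without a way to act on it: the doc does not say how govulncheck learns the main module's version from a binary, nor how a user can tell whether main-module checking was applied to their binary or what to do when it was not. Since this is the only place users will learn that main-module vulnerabilities may be silently skipped in '-mode binary', consider adding a sentence stating when the version is known (or pointing to where that is documented) so that a missing main-module finding is not mistaken for a clean result.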