From 44e45eaefb4e945ace34bc19e9a29cdb1b143966 Mon Sep 17 00:00:00 2001 From: Zvonimir Pavlinovic Date: Wed, 10 Jul 2024 14:51:54 +0000 Subject: [PATCH] cmd/govulncheck: clarify unsafe/reflection limitations They only apply to source mode. Change-Id: I288adf8eac2075bb32b301b4ffe668f453352a77 Reviewed-on: https://go-review.googlesource.com/c/vuln/+/597515 Reviewed-by: Maceo Thompson LUCI-TryBot-Result: Go LUCI --- cmd/govulncheck/doc.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cmd/govulncheck/doc.go b/cmd/govulncheck/doc.go index e8b2fc43..4a6160ab 100644 --- a/cmd/govulncheck/doc.go +++ b/cmd/govulncheck/doc.go @@ -84,7 +84,8 @@ Govulncheck has these limitations: which may result in false positives or inaccurate call stacks in some cases. - Calls to functions made using package reflect are not visible to static analysis. Vulnerable code reachable only through those calls will not be - reported. Use of the unsafe package may result in false negatives. + reported in source scan mode. Similarly, use of the unsafe package may + result in false negatives. - Because Go binaries do not contain detailed call information, govulncheck cannot show the call graphs for detected vulnerabilities. It may also report false positives for code that is in the binary but unreachable.
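Review bot: the "source scan mode" qualifier in this hunk is attached only to the reflect sentence, while the commit message says the restriction covers both the reflect and the unsafe limitations; "Similarly, use of the unsafe package may result in false negatives." still reads as unconditional, so a reader of the rendered doc could take the unsafe caveat to apply to binary mode as well, especially since the very next bullet is about binaries. Suggest stating it explicitly, e.g. "Similarly, in source scan mode, use of the unsafe package may result in false negatives.", or folding both into one sentence: "In source scan mode, vulnerable code reachable only through those calls will not be reported, and use of the unsafe package may result in false negatives."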