cmd/govulncheck: clarify unsafe/reflection limitations

They only apply to source mode. Change-Id: I288adf8eac2075bb32b301b4ffe668f453352a77 Reviewed-on: https://go-review.googlesource.com/c/vuln/+/597515 Reviewed-by: Maceo Thompson <maceothompson@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
golang · Jul 10, 2024 · 44e45ea · 44e45ea
1 parent 601dd9b
commit 44e45ea
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/cmd/govulncheck/doc.go b/cmd/govulncheck/doc.go
@@ -84,7 +84,8 @@ Govulncheck has these limitations:
     which may result in false positives or inaccurate call stacks in some cases.
   - Calls to functions made using package reflect are not visible to static
     analysis. Vulnerable code reachable only through those calls will not be
-    reported. Use of the unsafe package may result in false negatives.
+    reported in source scan mode. Similarly, use of the unsafe package may
+    result in false negatives.
   - Because Go binaries do not contain detailed call information, govulncheck
     cannot show the call graphs for detected vulnerabilities. It may also
     report false positives for code that is in the binary but unreachable.