cmd/govulncheck: add docs on detecting main module vulns

This only applies to binaries.

Change-Id: Ia499e823a08a1b039cba72d5c06b5f3b2cd2f942
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/603575
Reviewed-by: Maceo Thompson <maceothompson@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
diff --git a/cmd/govulncheck/doc.go b/cmd/govulncheck/doc.go
index 4a6160a..8de6904 100644
--- a/cmd/govulncheck/doc.go
+++ b/cmd/govulncheck/doc.go
@@ -50,7 +50,10 @@
 	$ govulncheck -mode binary $HOME/go/bin/my-go-program
 
 Govulncheck uses the binary's symbol information to find mentions of vulnerable
-functions. Its output omits call stacks, which require source code analysis.
+functions. These functions can belong to binary's transitive dependencies and
+also the main module of the binary. The latter functions are checked for only
+when the precise version of the binary module is known. Govulncheck output on
+binaries omits call stacks, which require source code analysis.
 
 Govulncheck also supports '-mode extract' on a Go binary for extraction of minimal
 information needed to analyze the binary. This will produce a blob, typically much