That fire is theoretical
Seems like they are simply looking to avoid false positives, so that devs don't need to chase those down.
This is a sound approach :
"Govulncheck analyzes your codebase and only surfaces vulnerabilities that actually affect you, based on which functions in your code are transitively calling vulnerable functions ... "
Biting the hand that feeds IT
