3 files changed, 39 insertions, 7 deletions

diff --git a/src/cmd/go/internal/vet/vet.go b/src/cmd/go/internal/vet/vet.go
index 327b761c3c..660a739fbb 100644
--- a/src/cmd/go/internal/vet/vet.go
+++ b/src/cmd/go/internal/vet/vet.go
@@ -51,6 +51,7 @@ func runVet(cmd *base.Command, args []string) {
 
 	work.BuildInit()
 	work.VetFlags = vetFlags
+	work.VetExplicit = true
 	if vetTool != "" {
 		var err error
 		work.VetTool, err = filepath.Abs(vetTool)
diff --git a/src/cmd/go/internal/work/exec.go b/src/cmd/go/internal/work/exec.go
index d0f07dec43..1bba3a5329 100644
--- a/src/cmd/go/internal/work/exec.go
+++ b/src/cmd/go/internal/work/exec.go
@@ -1036,7 +1036,7 @@ func (b *Builder) vet(a *Action) error {
 		// There's too much unsafe.Pointer code
 		// that vet doesn't like in low-level packages
 		// like runtime, sync, and reflect.
-		vetFlags = append(vetFlags, string("-unsafeptr=false"))
+		vetFlags = []string{"-unsafeptr=false"}
 	}
 
 	// Note: We could decide that vet should compute export data for
@@ -1774,6 +1774,11 @@ func (b *Builder) fmtcmd(dir string, format string, args ...interface{}) string
 	}
 	if b.WorkDir != "" {
 		cmd = strings.ReplaceAll(cmd, b.WorkDir, "$WORK")
+		escaped := strconv.Quote(b.WorkDir)
+		escaped = escaped[1 : len(escaped)-1] // strip quote characters
+		if escaped != b.WorkDir {
+			cmd = strings.ReplaceAll(cmd, escaped, "$WORK")
+		}
 	}
 	return cmd
 }
diff --git a/src/cmd/go/testdata/script/vet_flags.txt b/src/cmd/go/testdata/script/vet_flags.txt
index d84c8a6472..6aa1413fa4 100644
--- a/src/cmd/go/testdata/script/vet_flags.txt
+++ b/src/cmd/go/testdata/script/vet_flags.txt
@@ -1,8 +1,34 @@
-env GO111MODULE=off
+env GO111MODULE=on
 
-# Issue 35837. Verify that "go vet -<analyzer> <std package>" works if 'pwd' is not $GOROOT/src
-# we utilize the package runtime/testdata/testprog as the issue is specific to vetting standard package
-
-go vet -n -unreachable=false runtime/testdata/testprog
+# Regression test for issue 35837: "go vet -<analyzer> <std package>"
+# did not apply the requested analyzer.
+go vet -n -unreachable=false encoding/binary
 stderr '-unreachable=false'
-stderr '-unsafeptr=false'
+! stderr '-unsafeptr=false'
+
+[short] stop
+env GOCACHE=$WORK/gocache
+env GOTMPDIR=$WORK/tmp
+go env GOTMPDIR
+stdout '/tmp'
+
+# "go test" on a user package should by default enable an explicit whitelist of analyzers.
+go test -x -run=none .
+stderr '[/\\]vet'$GOEXE'["]? .* -errorsas .* ["]?\$WORK[/\\][^ ]*[/\\]vet\.cfg'
+
+# "go test" on a standard package should by default disable an explicit blacklist.
+go test -x -run=none encoding/binary
+stderr '[/\\]vet'$GOEXE'["]? -unsafeptr=false ["]?\$WORK[/\\][^ ]*[/\\]vet\.cfg'
+
+# Both should allow users to override via the -vet flag.
+go test -x -vet=unreachable -run=none .
+stderr '[/\\]vet'$GOEXE'["]? -unreachable ["]?\$WORK[/\\][^ ]*[/\\]vet\.cfg'
+go test -x -vet=unreachable -run=none encoding/binary
+stderr '[/\\]vet'$GOEXE'["]? -unreachable ["]?\$WORK[/\\][^ ]*[/\\]vet\.cfg'
+
+-- go.mod --
+module example.com/x
+-- x.go --
+package x
+-- x_test.go --
+package x