
False positives documentation

Open ivansaurio opened this issue 1 year ago • 0 comments

vuln_ids depend on the full path of the sink file, therefore scanning the same source code in two different locations will produce different ids. This could be more explicit in FALSE_POSITIVES.md

There is also a bug with using non-normalized paths when invoking progpilot. For example ./progpilot.phar /tmp/myproject will generate a vuln_id from $a$_GET-/tmp/myproject/test.php$a-eval-test.php. Running ./progpilot.phar /tmp/myproject// will generate a vuln_id from $a$_GET-/tmp/myproject/test.php$a-eval-st.php, removing some characters from the start of the path. This happens because inside MyFile->__construct(), $fullPathFileName is normalized but $basedir is not. Running realpath() on $basedir fixes the issue but might be a breaking change for some users. This should be documented

ivansaurio, Aug 29 '23 01:08
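The truncation described in the issue, reproduced as an added example that is not progpilot's code and not part of the issue. It assumes the relative path in vuln_id is obtained by cutting `strlen($basedir) + 1` characters off the normalized full path (the `+ 1` is an assumption chosen because it reproduces the `st.php` result quoted above; the real MyFile::__construct() may differ), and the `vulnId()` helper and its format string are modelled on the id quoted in the issue, not taken from the project. The scratch project directory and its single sink file are constructed by the script itself.

```php
<?php
declare(strict_types=1);

// Added example (not progpilot's code). relativePathBuggy() mirrors the
// reported behaviour: only the file path is normalized, $basedir is used as
// typed. relativePathFixed() applies realpath() to both sides, which is the
// fix the issue proposes, and rejects files outside the base directory.

function relativePathBuggy(string $basedir, string $fullPathFileName): string
{
    $normalizedFull = realpath($fullPathFileName);
    if ($normalizedFull === false) {
        throw new RuntimeException("cannot resolve $fullPathFileName");
    }
    // Assumed offset: strlen($basedir) + 1 (the separator). A trailing "//"
    // on $basedir makes this cut into the file name itself.
    return substr($normalizedFull, strlen($basedir) + 1);
}

function relativePathFixed(string $basedir, string $fullPathFileName): string
{
    // Normalize both sides so "//", "./" or "../" in $basedir cannot change
    // the result (and therefore cannot change the vuln_id).
    $normalizedFull = realpath($fullPathFileName);
    $normalizedBase = realpath($basedir);
    if ($normalizedFull === false || $normalizedBase === false) {
        throw new RuntimeException("cannot resolve $basedir or $fullPathFileName");
    }
    $prefix = rtrim($normalizedBase, '/') . '/';
    // Fail loudly instead of silently emitting a wrong relative path.
    if (strncmp($normalizedFull, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException("$fullPathFileName is outside $basedir");
    }
    return substr($normalizedFull, strlen($prefix));
}

// Hypothetical id builder, modelled on the vuln_id string quoted in the issue.
// The first path component is the full (normalized) sink path, which is why
// the id still changes when the same project is scanned from another location.
function vulnId(string $basedir, string $fullPathFileName, callable $relative): string
{
    $normalizedFull = realpath($fullPathFileName);
    return '$a$_GET-' . $normalizedFull . '$a-eval-' . $relative($basedir, $fullPathFileName);
}

// Constructed fixture: a scratch project directory containing one sink file.
$base = realpath(sys_get_temp_dir()) . '/progpilot-demo-' . getmypid();
mkdir($base);
file_put_contents("$base/test.php", "<?php eval(\$_GET['a']);\n");

// Same project, invoked once with a clean base path and once with a trailing "//".
foreach ([$base, "$base//"] as $basedir) {
    echo "basedir as typed: $basedir\n";
    echo "  buggy: " . vulnId($basedir, "$base/test.php", 'relativePathBuggy') . "\n";
    echo "  fixed: " . vulnId($basedir, "$base/test.php", 'relativePathFixed') . "\n";
}

unlink("$base/test.php");
rmdir($base);
```

With the clean base path both variants end the id in `eval-test.php`; with the `//` suffix the buggy variant drops two more characters and ends in `eval-st.php`, while the fixed variant is unchanged. The prefix check in `relativePathFixed()` is the part worth keeping even if the offset arithmetic in the real code differs: once both paths are normalized, a file whose path does not start with the base directory is a configuration error, not something to turn into a mangled id.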