Static Analysis of Visual Basic .NET Language
https://doi.org/10.15514/ISPRAS-2025-37(6)-18
Abstract
The paper presents the implementation of static analysis for the Visual Basic .NET language within the industrial tool SharpChecker. Using the Roslyn compiler framework, support for the Visual Basic .NET language was integrated into SharpChecker, enabling static analysis of Visual Basic .NET source code. As part of this work, a representative set of synthetic tests was created, comprising over 2000 test cases. Testing was conducted both on this synthetic dataset and on a collection of real-world open-source projects totaling more than 1.6 million lines of code. A total of 7926 new warnings were detected in Visual Basic .NET source code, of which 1093 were manually reviewed and labeled. The final analysis accuracy reached 84.72%. Additionally, warnings related to code written in both C# and Visual Basic .NET were discovered, demonstrating the feasibility of cross-language analysis in projects that include both .NET platform languages. It was also found that adding Visual Basic .NET language support to SharpChecker had no impact on the performance or the quality of analysis for the C# language.
About the Authors
Karcev Vadim KARCEV
Ivannikov Institute for System Programming of the Russian Academy of Sciences,
Departament of Radio Engineering and Cybernetics MIPT
Russian Federation
Russian Federation
Postgraduate student of the Phystech School of Radio Engineering and Computer Technologies of MIPT, employee of the ISP RAS. Research interests: compiler technologies, static program analysis, static symbolic execution, searching for defects in source code.
Valery Nikolaevich IGNATIEV
Ivannikov Institute for System Programming of the Russian Academy of Sciences,
CMC Faculty Lomonosov State University,
Russian Federation
Russian Federation
Cand. Sci. (Phys.-Math.), Senior Researcher at the ISP RAS, Associate Professor at the Department of System Programming at the Faculty of Computational Mathematics and Cybernetics at Moscow State University. Research interests include methods for finding errors in software source code based on static analysis.
References
1. Википедия. Visual Basic – Википедия, свободная энциклопедия, 2025. URL: https://ru.wikipedia.org/?curid=7394&oldid=143772950. [online; accessed 14.04.2025].
2. TIOBE Index for ranking the popularity of Programming languages, 2025. URL: https://www.tiobe.com/tiobe-index. [online; accessed 15.05.2025].
3. Википедия. Visual Basic .NET – Википедия, свободная энциклопедия, 2024. URL: https://ru.wikipedia.org/?curid=17042&oldid=140564863. [online; accessed 14.04.2025].
4. dotnet/roslyn: The Roslyn .NET compiler provides C# and Visual Basic languages with rich code analysis APIs. URL: https://github.com/dotnet/roslyn. [online; accessed 15.05.2025].
5. ГОСТ Р 56939-2024. Защита информации. Разработка безопасного программного обеспечения. Общие требования. 2024. URL: https://protect.gost.ru/document1.aspx?control=31&id=263523. [online; accessed 15.05.2025].
6. В. С. Карцев, В. Н. Игнатьев. Поддержка Visual Basic. NET в статическом анализаторе SharpChecker. Труды ИСП РАН, том 36, вып. 3, 2024 г., стр. 49–62. DOI: 10.15514/ISPRAS-2024-36(3)-4. / Karcev V.S., Ignatiev V.N. Support of Visual Basic .NET in SharpChecker Static Analyzer. Trudy ISP RAN/Proc. ISP RAS, 2024; vol. 36, issue 3, pp. 49-62 (in Russian). DOI: 10.15514/ISPRAS-2024-36(3)-4.
7. V. K. Koshelev, V. N. Ignatiev, A. I. Borzilov, A. A. Belevantsev. SharpChecker: Static analysis tool for C# programs. Programming and Computer Software, 43(4):268–276, 2017.
8. М. В. Беляев, Н. В. Шимчик, В. Н. Игнатьев, А. А. Белеванцев. Сравнительный анализ двух подходов к статическому анализу помеченных данных. Труды ИСП РАН, том 29, вып. 3, 2017 г., стр. 99–116. DOI: 10.15514/ISPRAS-2017-29(3)-7. / Belyaev M.V., Shimchik N.V., Ignatyev V.N., Belevantsev A.A. Comparative analysis of two approaches to the static taint analysis. Trudy ISP RAN/Proc. ISP RAS, 2017, vol. 29, issue 3, pp. 99-116 (in Russian). DOI: 10.15514/ISPRAS-2017-29(3) 7.
9. А. А. Белеванцев, Е. А. Велесевич. Анализ сущностей программ на языках Си/Си++ и связей между ними для понимания программ. Труды ИСП РАН, том 27, вып. 2, 2015 г., стр. 53–64. DOI: 10.15514/ISPRAS-2015-27(2)-4. / Belevantsev A., Velesevich E. Analyzing C/C++ code entities and relations for program understanding. Trudy ISP RAN/Proc. ISP RAS, 2015, vol. 27, issue 2, pp. 53–64. DOI: 10.15514/ISPRAS-2015-27(2)-4.
10. U. V. Tsiazhkorob, V. N. Ignatyev. Classification of Static Analyzer Warnings using Machine Learning Methods. 2024 Ivannikov Memorial Workshop (IVMEM):69–74, 2024. DOI: 10.1109/IVMEM63006.2024.10659704.
11. В. С. Карцев, В. Н. Игнатьев. Повышение точности статического анализа за счет учета значений полей класса, имеющих единственное константное значение. Труды ИСП РАН, том 34, вып. 6, 2022 г., стр. 29–40. DOI: 10.15514/ISPRAS-2022-34(6)-2. / Karcev V.S., Ignatiev V.N. Improving the accuracy of static analysis by accounting for the values of class fields that can have only one constant value. Trudy ISP RAN/Proc. ISP RAS, 2022, vol. 34, issue 6, pp. 29-40. DOI: 10.15514/ISPRAS-2022-34(6)-2.
12. Wikipedia contributors. List of tools for static code analysis – Wikipedia, The Free Encyclopedia, 2024. URL: https://en.wikipedia.org/w/index.php?title=List_of_tools_for_static_code_analysis&oldid=1218561224. [online; accessed 15.05.2025].
13. W. Wei, M. Yunxiu, H. Lilong, B. He. From source code analysis to static software testing. In 2014 IEEE Workshop on Advanced Research and Technology in Industry Applications (WARTIA), 1280–1283. IEEE, 2014.
14. E. Firouzi, A. Sami. Visual Studio Automated Refactoring Tool Should Improve Development Time, but ReSharper Led to More Solution-Build Failures. В 2019 IEEE Workshop on Mining and Analyzing Interaction Histories (MAINT), 2–6. IEEE, 2019.
15. ReSharper Features, 2025. URL: https://www.jetbrains.com/ru-ru/resharper/features/. [online; accessed 15.05.2025].
16. V. Lenarduzzi, F. Lomio, H. Huttunen, D. Taibi. Are SonarQube Rules Inducing Bugs? В 2020 IEEE 27th International Conference on Software Analysis, Evolution and Reengineering (SANER), 501–511. IEEE, 2020.
17. G. A. Campbell, P. P. Papapetrou. SonarQube in action. Manning Publications Co., 2013.
18. VB.NET static code analysis | SonarQube, 2025. URL: https://rules.sonarsource.com/vbnet/. [online; accessed 15.05.2025].
19. Common Vulnerabilities | Kiuwan, 2025. URL: https://www.kiuwan.com/common-vulnerabilities/. [online; accessed 15.05.2025].
20. IOperation Interface (Microsoft.CodeAnalysis) | Microsoft Learn. URL: https://learn.microsoft.com/en-us/dotnet/api/microsoft.codeanalysis.ioperation?view=roslyn-dotnet-4.13.0. [online; accessed 19.05.2025].
21. R. Baldoni, E. Coppa, D. C. D’elia, C. Demetrescu, I. Finocchi. A Survey of Symbolic Execution Techniques. ACM Comput. Surv., 51(3), 2018. DOI: 10.1145/3182657.
22. Кошелев В.К., Игнатьев В.Н., Борзилов А.И. Инфраструктура статического анализа программ на языке C#. Труды ИСП РАН, том 28, вып. 1, 2016 г., стр. 21–40, DOI: 10.15514/ISPRAS-2016-28(1)-2. / Koshelev V., Ignatyev V., Borzilov A. C# static analysis framework. Trudy ISP RAN/Proc. ISP RAS, 2016, vol. 28, issue 1, pp. 21-40 (in Russian). DOI: 0.15514/ISPRAS-2016-28(1)-2.
23. EVE Isk per Hour. URL: https://eveiph.github.io/. [online; accessed 15.04.2025].
Review
For citations:
KARCEV K.V., IGNATIEV V.N. Static Analysis of Visual Basic .NET Language. Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS). 2025;37(6):37-52. (In Russ.) https://doi.org/10.15514/ISPRAS-2025-37(6)-18
Email this article 