A reference to Nothing should never be dereferenced or accessed. Doing so will cause a NullReferenceException to be thrown.
At best, such an exception will cause abrupt program termination. At worst, it could expose debugging information that would be useful to an attacker, or it could allow an attacker to bypass security measures.
Public Sub Method()
    Dim O As Object = Nothing
    Console.WriteLine(O.ToString) ' Noncompliant, always Nothing
End Sub

Public Sub Method()
    Dim O As New Object
    Console.WriteLine(O.ToString) ' Compliant, O always refers to an instance
End Sub
Calls to extension methods are not reported because they can still operate on Nothing values.
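Why such calls are safe, as an added example that is not part of the original rule description: an extension method receives its receiver as an ordinary argument, so it can test for Nothing before touching it, whereas instance member access on the same value throws. The names OrPlaceholder, Describe and DescribeUnsafe are hypothetical.

```vb
Imports System
Imports System.Runtime.CompilerServices

Public Module StringExtensions
    ' Hypothetical extension method. The compiler rewrites
    ' Name.OrPlaceholder(...) into OrPlaceholder(Name, ...), so the
    ' receiver is just a parameter and may legitimately be Nothing.
    <Extension>
    Public Function OrPlaceholder(Value As String, Placeholder As String) As String
        If Value Is Nothing Then Return Placeholder
        Return Value
    End Function
End Module

Public Module Demo
    ' Extension call on a possibly-Nothing receiver: no dereference
    ' happens until the value has been replaced by the placeholder.
    Public Function Describe(Name As String) As String
        Dim Safe As String = Name.OrPlaceholder("<unknown>")
        Return "user=" & Safe & " length=" & Safe.Length.ToString()
    End Function

    ' Instance member access on the same input: Name.Length
    ' dereferences Nothing and throws NullReferenceException.
    Public Function DescribeUnsafe(Name As String) As String
        Return "user=" & Name & " length=" & Name.Length.ToString()
    End Function

    Public Sub Main()
        Console.WriteLine(Describe(Nothing))
        Try
            Console.WriteLine(DescribeUnsafe(Nothing))
        Catch Ex As NullReferenceException
            ' Report only the exception type, not the stack trace,
            ' so no debugging detail reaches the output.
            Console.WriteLine("Caught " & Ex.GetType().Name)
        End Try
    End Sub
End Module
```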
To create a custom null validation method, declare an attribute named ValidatedNotNullAttribute and use it to mark the parameter that your method validates for null:
Imports System

' Marker attribute: recognized by name only, it needs no members.
Public NotInheritable Class ValidatedNotNullAttribute
    Inherits Attribute
End Class

Public Module Guard
    ' Throws when Value is Nothing, so callers can rely on Value afterwards.
    Public Sub CheckNotNull(Of T)(<ValidatedNotNull> Value As T, Name As String)
        If Value Is Nothing Then Throw New ArgumentNullException(Name)
    End Sub
End Module

Public Class Sample
    Public Sub Log(Value As Object)
        CheckNotNull(Value, NameOf(Value))
        If Value Is Nothing Then
            Console.WriteLine(Value.ToString) ' Compliant, this code is not reachable
        End If
    End Sub
End Class