A large language model-based analysis of vulnerability discovery in windows software
DOI: https://doi.org/10.2478/ijmce-2026-0019 | Journal eISSN: 2956-7068
Language: English
Submitted on: Mar 4, 2026
Accepted on: Apr 1, 2026
Published on: Jun 2, 2026
Published by: Harran University
In partnership with: Paradigm Publishing Services
Publication frequency: 2 issues per year
© 2026 Puya Pakshad, Samson Quaye, Jamal Al-Karaki, Marwan Omar, Maurice E. Dawson, published by Harran University
This work is licensed under the Creative Commons Attribution 4.0 License.