I’m running into have a very similar issue. Also VSTS and also a null crash when analyzing vulnerabilities. I’ve worked around it by disabling the crashing analyzer (S2631) until the issue gets resolved. You could try the same, the crashing one appears to be S3649; remove it from your custom ruleset.