AI-generated audit finding — this issue was opened from an automated security/correctness audit. It has not been triaged by a human yet; verify the reasoning, reproducibility, and severity before acting on it.
Medium: the plug-in writes a telemetry transcript into the generated output tree, and ProtoClean never removes it — CONFIRMED
Affected code:
- CodeGeneratorResponse.Types.File named <hash-prefix>.icerpc_build_telemetry.txt
- ProtoClean deletes *.cs, *.IceRpc.cs, *.d — no *.icerpc_build_telemetry.txt
Verification:
Confirmed. protoc writes the returned File into the output directory the MSBuild task points it at ($(MSBuildProjectDirectory)/generated by default). These transcripts accumulate across builds, are not added to ProtoClean, and end up in source trees. On failure paths the content can include local runtime state and inner-exception strings (Program.cs:112-117) that a user might prefer not to commit.
Impact:
- Stale *.icerpc_build_telemetry.txt files linger in project trees.
- Accidental commit leaks compilation hashes, OS descriptions, and exception diagnostics to public repositories.
Recommendation:
- Do not emit a CodeGeneratorResponse.File from the telemetry plug-in at all — write to stderr or a build log instead. The plug-in already has no real code-generation output.
- If a local transcript must remain as a diagnostic aid, add the pattern to ProtoClean and mark it gitignore-worthy in templates.
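The first recommendation, shown as an added example rather than the project's own Program.cs: a minimal protoc plug-in entry point in C# using the Google.Protobuf.Compiler types. `EmitAsFile` reproduces the pattern this finding describes (the transcript returned as a `CodeGeneratorResponse.File`, which protoc then writes into the output directory), and `EmitToStderr` is the hardened form that logs the transcript and returns a response with no File entries. `TelemetryPlugin`, `BuildTranscript` and the transcript wording are assumptions for illustration.

```csharp
using System;
using System.IO;
using Google.Protobuf;
using Google.Protobuf.Compiler;

// Hypothetical plug-in entry point (added example, not the project's code).
static class TelemetryPlugin
{
    // The pattern the finding describes: the transcript is returned as a
    // CodeGeneratorResponse.File, so protoc writes it next to the generated code
    // (the output directory the MSBuild task passes, e.g. $(MSBuildProjectDirectory)/generated).
    static CodeGeneratorResponse EmitAsFile(string hashPrefix, string transcript)
    {
        var response = new CodeGeneratorResponse();
        response.File.Add(new CodeGeneratorResponse.Types.File
        {
            Name = $"{hashPrefix}.icerpc_build_telemetry.txt", // lands in the output tree
            Content = transcript,
        });
        return response;
    }

    // Hardened form: the transcript goes to stderr, which protoc and the MSBuild task
    // surface in the build log, and the response carries no File entries at all,
    // so nothing is written into the source tree and there is nothing for ProtoClean to miss.
    static CodeGeneratorResponse EmitToStderr(string transcript)
    {
        Console.Error.WriteLine(transcript);
        return new CodeGeneratorResponse(); // empty response: no files on disk
    }

    // Hypothetical transcript builder; only summary fields from the request are used.
    static string BuildTranscript(CodeGeneratorRequest request)
    {
        var v = request.CompilerVersion; // may be null for older protoc releases
        string protoc = v is null ? "unknown" : $"{v.Major}.{v.Minor}.{v.Patch}";
        return $"icerpc build telemetry: {request.FileToGenerate.Count} proto file(s), protoc {protoc}";
    }

    static int Main()
    {
        CodeGeneratorResponse response;
        try
        {
            // protoc hands the plug-in a serialised CodeGeneratorRequest on stdin.
            using var stdin = Console.OpenStandardInput();
            var request = CodeGeneratorRequest.Parser.ParseFrom(stdin);
            response = EmitToStderr(BuildTranscript(request));
        }
        catch (Exception ex)
        {
            // Failure path: report the outermost exception type and message on stderr only.
            // Inner exceptions and runtime state are not serialised into any output that
            // could be committed, and a telemetry failure does not fail the build.
            Console.Error.WriteLine($"telemetry plug-in failed: {ex.GetType().Name}: {ex.Message}");
            response = new CodeGeneratorResponse();
        }

        // protoc reads the serialised CodeGeneratorResponse from stdout.
        using var stdout = Console.OpenStandardOutput();
        response.WriteTo(stdout);
        return 0;
    }
}
```

`EmitAsFile` is kept only to show the defect side by side with the fix; a plug-in built from this sketch would never call it. If the second recommendation is chosen instead and a local transcript is kept as a diagnostic aid, the corresponding change is in the MSBuild targets (adding `*.icerpc_build_telemetry.txt` to the set ProtoClean deletes) and in the project templates' .gitignore, not in the plug-in itself.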
Status: Valid, Medium severity.
Source report: src-IceRpc.Protobuf.BuildTelemetry-audit-2026-04-14.md (finding the plug-in writes a telemetry transcript into the generated output tree, and ProtoClean never removes it — **CONFIRMED**)
Severity (auditor-assigned): Medium