Modules (sentry-external-modules) should not be stored client-side or feature should be optional #2949

Closed
G00fY2 opened this issue Sep 25, 2023 · 7 comments

Comments

G00fY2 commented Sep 25, 2023

Problem Statement

Currently Sentry automatically generates and adds a sentry-external-modules.txt file into the assets folder on client side (was added with #2324). For large projects with many dependencies this can get quite large (a couple of KBs).

This file not only exposes all dependencies and their versions in cleartext (dependencies and their packages may be obfuscated by R8), it also increases APK size, adds runtime I/O overhead by reading the file and bloats network traffic by adding this information to events.

Usually in the Gradle world (Java/Kotlin/Android) you use strictly declared dependency versions. Therefore developers always know their dependencies and the associated version number. So I don't even see the point of this feature.

Dependencies are bound to a release and should therefore be handled like e.g. Proguard/R8 mapping files. Please consider uploading this file alongside the mapping files to the Sentry servers and removing the client-side modules file.

Also please provide an option to completely disable this feature, since not every project benefits from it but has to deal with the mentioned drawbacks.

Solution Brainstorm

No response

Member

adinauer commented Sep 25, 2023

Hello @G00fY2, we've had a community PR that adds a sendModules option to disable sending of modules. While that doesn't cover the part where we add a plain text list of dependencies, it at least reduces the event size.

This new option will be part of the next release.

We'll discuss another option for opting out of collection in the Gradle plugin. Will probably move this issue to another repo.

See @romtsn below. The option is already there (includeDependenciesReport).

Author

G00fY2 commented Sep 25, 2023

@adinauer Thanks for your answer. So using this new sendModules option alongside an exclusion rule for the txt file should work out for us.

Maybe still a valid FR to upload the modules file via the Gradle Plugin instead of adding it to the assets.

Member

romtsn commented Sep 25, 2023

You can already disable it in the Gradle plugin (https://docs.sentry.io/platforms/android/configuration/gradle/#configure); see the includeDependenciesReport option.

The idea of uploading it at build time is nice, but I'm not sure it's worth the effort from our side. As you mentioned, you can figure out the versions from the archive release version, so it's just a convenient feature to not spend time looking up specific dependency versions by git tag. I'm not sure if this convenience is justified to touch so many parts required for build-time uploading.

Author

G00fY2 commented Sep 25, 2023

@romtsn thanks for pointing that out. Looks like I missed some parts of the documentation, sorry.

Member

romtsn commented Sep 26, 2023

@G00fY2 no worries, thanks for the suggestions! I'm gonna close this issue, as the option already exists, and I don't see us doing the build-time upload since the feature is not one of the core flows, but just a convenient addition. We'll keep that in mind though, just in case.

romtsn closed this as not planned Sep 26, 2023

@leo-beliakov

@romtsn Is there an alternative for manual setup? Is it possible to disable the dependency report via Sentry.init { ... }?

Member

romtsn commented Mar 25, 2024

@leo-beliakov you can do that, but the dependencies txt file will still be packaged within your APK, just not sent, so not sure if it's worth it. What's the reason you can't configure the Gradle plugin?

Otherwise you can do it as follows:

```kotlin
SentryAndroid.init(context) { options ->
  options.isSendModules = false
}
```
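
Added example, not part of the thread and not Sentry's own code: since sendModules only stops the list being sent while includeDependenciesReport controls whether the file is packaged at all, a release check can open the built APK and confirm that sentry-external-modules.txt is absent from assets. The function names are hypothetical, the sample archive is constructed, and the one-entry-per-line `group:artifact:version` format is an assumption.

```python
import io
import zipfile

# File name from the issue; assets/ is where an APK stores its asset files.
MODULES_ENTRY = "assets/sentry-external-modules.txt"


def read_modules(apk):
    """Return {coordinate: version} from the modules file, or None if absent.

    `apk` is a path or binary file object. Assumes one "group:artifact:version"
    entry per line (the issue does not state the format).
    """
    with zipfile.ZipFile(apk) as zf:
        if MODULES_ENTRY not in zf.namelist():
            return None
        text = zf.read(MODULES_ENTRY).decode("utf-8", errors="replace")
    modules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # skip blanks and anything that is not a coordinate
        coordinate, version = line.rsplit(":", 1)
        modules[coordinate] = version
    return modules


def audit(apk):
    """Return (passed, message) so the check can gate a release build."""
    modules = read_modules(apk)
    if modules is None:
        return True, "no dependency report packaged"
    return False, f"{len(modules)} dependency versions exposed in {MODULES_ENTRY}"


def build_sample_apk(with_modules):
    """Constructed stand-in for an APK (an APK is a ZIP archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"")
        if with_modules:
            # Constructed sample content, not taken from a real app.
            zf.writestr(MODULES_ENTRY,
                        "com.example:lib-a:1.2.3\n\norg.sample:lib-b:4.5.6\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for packaged in (True, False):
        print(audit(build_sample_apk(packaged)))
```

In a pipeline, pass the path of the release APK to `audit` and fail the job when the first element of the result is `False`.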
