Analyzing the Android Open Source Project
Integrate FOSSA with Android Open Source Project builds and custom Android distributions.
Enterprise feature
This functionality is gated behind a feature flag and may not be enabled for your organization by default. Reach out to your account team to request access.
Overview
Android Open Source Project (AOSP) is used to make custom Android operating system distributions. This document describes how to analyze AOSP distributions for licenses using FOSSA. It does not describe how to analyze AOSP distributions for dependencies and security vulnerabilities.
This FOSSA project shows the result of analyzing unmodified and unbuilt AOSP.
Requirements
In our testing, we have been able to analyze unmodified AOSP sources for licenses in about 2 hours and 30 minutes with 32 CPU cores and 64 GB of memory (m5a.8xlarge EC2 instance), with a peak system memory usage of 54 GB.
This is in line with the hardware requirements to build AOSP suggested by Google.
Analyzing AOSP
Create the following fossa-deps.yml file in the AOSP root:
vendored-dependencies:- name: aosp-bionic path: bionic version: master- name: aosp-cts path: cts version: master- name: aosp-developers path: developers version: master- name: aosp-device path: device version: master- name: aosp-hardware path: hardware version: master- name: aosp-libcore path: libcore version: master- name: aosp-packages path: packages version: master- name: aosp-platform_testing path: platform_testing version: master- name: aosp-sdk path: sdk version: master- name: aosp-test path: test version: master- name: aosp-tools path: tools version: master- name: aosp-art path: art version: master- name: aosp-bootable path: bootable version: master- name: aosp-dalvik path: dalvik version: master- name: aosp-development path: development version: master- name: aosp-external path: external version: master- name: aosp-frameworks path: frameworks version: master- name: aosp-kernel path: kernel version: master- name: aosp-libnativehelper path: libnativehelper version: master- name: aosp-pdk path: pdk version: master- name: aosp-prebuilts path: prebuilts version: master- name: aosp-system path: system version: master- name: aosp-toolchain path: toolchain version: masterCreate this .fossa.yml configuration file in the same directory:
version: 3 targets: excludeManifestStrategies: trueThen, run fossa analyze in the same directory.
If you cannot create or modify a .fossa.yml configuration file, you can achieve the same result with this command:
fossa analyze --exclude-manifest-strategiesExplanation
The directories listed in fossa-deps.yml were selected from unmodified and unbuilt AOSP. If you need to analyze a different set of directories, you should modify this file accordingly.
version is actually an optional field when defining vendored dependencies in fossa-deps.yml. However, omitting this field causes the FOSSA CLI to compress each vendored directory to calculate a hash to use as a placeholder version. AOSP directory trees are too transitive for zip files, so we manually define a dummy version to avoid having to compress each subdirectory.
Running fossa analyze without any other flags or configuration files causes all analysis strategies to be executed, which requires significantly more resources. This is likely to fail or take an excessive amount of time due to the size and number of subprojects discovered in the AOSP source tree. The flag --exclude-manifest-strategies is set to avoid the use of such strategies and to only look at the dependencies in fossa-deps.yml.