Analyzing the Android Open Source Project

Integrate FOSSA with Android Open Source Project builds and custom Android distributions.

3 min readUpdated Jul 9, 2026

Enterprise feature

This functionality is gated behind a feature flag and may not be enabled for your organization by default. Reach out to your account team to request access.

Overview

Android Open Source Project (AOSP) is used to make custom Android operating system distributions. This document describes how to analyze AOSP distributions for licenses using FOSSA. It does not describe how to analyze AOSP distributions for dependencies and security vulnerabilities.

This FOSSA project shows the result of analyzing unmodified and unbuilt AOSP.

Requirements

In our testing, we have been able to analyze unmodified AOSP sources for licenses in about 2 hours and 30 minutes with 32 CPU cores and 64 GB of memory (m5a.8xlarge EC2 instance), with a peak system memory usage of 54 GB.

This is in line with the hardware requirements to build AOSP suggested by Google.

Analyzing AOSP

Create the following fossa-deps.yml file in the AOSP root:

YAML
vendored-dependencies:- name: aosp-bionic  path: bionic  version: master- name: aosp-cts  path: cts  version: master- name: aosp-developers  path: developers  version: master- name: aosp-device  path: device  version: master- name: aosp-hardware  path: hardware  version: master- name: aosp-libcore  path: libcore  version: master- name: aosp-packages  path: packages  version: master- name: aosp-platform_testing  path: platform_testing  version: master- name: aosp-sdk  path: sdk  version: master- name: aosp-test  path: test  version: master- name: aosp-tools  path: tools  version: master- name: aosp-art  path: art  version: master- name: aosp-bootable  path: bootable  version: master- name: aosp-dalvik  path: dalvik  version: master- name: aosp-development  path: development  version: master- name: aosp-external  path: external  version: master- name: aosp-frameworks  path: frameworks  version: master- name: aosp-kernel  path: kernel  version: master- name: aosp-libnativehelper  path: libnativehelper  version: master- name: aosp-pdk  path: pdk  version: master- name: aosp-prebuilts  path: prebuilts  version: master- name: aosp-system  path: system  version: master- name: aosp-toolchain  path: toolchain  version: master

Create this .fossa.yml configuration file in the same directory:

YAML
version: 3 targets:  excludeManifestStrategies: true

Then, run fossa analyze in the same directory.

If you cannot create or modify a .fossa.yml configuration file, you can achieve the same result with this command:

Shell
fossa analyze --exclude-manifest-strategies

Explanation

The directories listed in fossa-deps.yml were selected from unmodified and unbuilt AOSP. If you need to analyze a different set of directories, you should modify this file accordingly.

version is actually an optional field when defining vendored dependencies in fossa-deps.yml. However, omitting this field causes the FOSSA CLI to compress each vendored directory to calculate a hash to use as a placeholder version. AOSP directory trees are too transitive for zip files, so we manually define a dummy version to avoid having to compress each subdirectory.

Running fossa analyze without any other flags or configuration files causes all analysis strategies to be executed, which requires significantly more resources. This is likely to fail or take an excessive amount of time due to the size and number of subprojects discovered in the AOSP source tree. The flag --exclude-manifest-strategies is set to avoid the use of such strategies and to only look at the dependencies in fossa-deps.yml.

© 2026 FOSSA, Inc.support@fossa.com