
Compliance while using Android Open Source

Android is an open source operating system for mobile devices and a corresponding open source project led by Google.
The Android Open Source Project (AOSP) repository offers the information and source code needed to create custom variants of the Android OS, port devices and accessories to the Android platform, and ensure devices meet the compatibility requirements that keep the Android ecosystem a healthy and stable environment for millions of users.


Developing with AOSP

Anyone is free to contribute code and fixes to the AOSP project repository, but Google oversees its general direction and the bulk of development. The AOSP regularly incorporates the latest bug and security patches for Android.

Google makes most of AOSP available under the Apache License, Version 2.0; some components, notably the Linux kernel, are under other licenses such as the GPL. Apache 2.0 lets users use and modify the code freely, but anyone who redistributes it must retain the copyright, patent, trademark and attribution notices from the source and, where a component ships a NOTICE file, reproduce its contents. Each library therefore carries its own notice that must accompany any distribution of that library, and the AOSP build collects the per-module NOTICE files into the NOTICE.html shipped on the device.

The Problem

The AOSP-generated NOTICE.html file sometimes lacks details and is therefore insufficient for license compliance. AOSP is an enormous code base, so completing the file by hand takes developers days of sustained attention. Historically there has been no way to automate this, so companies have had to do it manually or risk missing their compliance obligations.
For many licenses, a valid interpretation is that including one copy of the license text is not sufficient: every variant of the license present in the source code (for example, the same license text under different copyright statements) has to be reproduced.
When Google distributes AOSP, a library licensed under the GPL will typically contain a NOTICE file with a single representative copy of the GPL text. According to many of our customers' lawyers, however, the comment at the top of each source file, which states a copyright and references the GPL, counts as an abbreviated form of the license, so those comments (not the full source files) must also be included in the NOTICE file.

  • Incomplete compliance: these gaps leave customers non-compliant with their software licenses, with legal, reputational and financial consequences.
  • Slower software releases: manually adding each of these licenses delays every release.
  • Huge code base: AOSP's size, combined with the lack of automation, makes manual editing time-consuming and error-prone.
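The "every variant" rule described above, as an added example that is not FOSSA's or AOSP's code: a Python script that walks a source tree, extracts each file's leading license comment, groups files by exact header text, and renders a NOTICE that lists every variant rather than one representative text per license. The file names, file contents and license patterns are constructed for the example; the pattern table is only illustrative and is not a complete license detector.

```python
"""Added example (not FOSSA's or AOSP's code): build a "full" NOTICE that
reproduces every distinct per-file license header variant, rather than one
representative license text per component. SAMPLE_FILES is constructed data
and LICENSE_PATTERNS is illustrative, not a complete license detector."""
import os
import re
import tempfile

# Header text patterns that identify a license family; an SPDX tag wins when present.
LICENSE_PATTERNS = [
    (re.compile(r"SPDX-License-Identifier:\s*([\w.+-]+)"), None),
    (re.compile(r"Apache License,? Version 2\.0", re.I), "Apache-2.0"),
    (re.compile(r"GNU General Public License", re.I), "GPL"),
]
COPYRIGHT_RE = re.compile(r"Copyright\s+(?:\(C\)\s*)?[^\n]*", re.I)
SOURCE_EXTS = {".c", ".h", ".cc", ".cpp", ".java", ".kt", ".py", ".sh", ".mk", ".bp"}

APACHE_HEADER = """/*
 * Copyright (C) {year} {holder}
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 */
"""
GPL_HEADER = """// Copyright 2009 Carol Example
// SPDX-License-Identifier: GPL-2.0-only
// This program is free software; you can redistribute it and/or modify it
// under the terms of the GNU General Public License version 2.
"""
# Constructed tree: three Apache files with two distinct headers, one GPL file, one with no header.
SAMPLE_FILES = {
    "libfoo/src/a.c": APACHE_HEADER.format(year=2015, holder="Alice Example") + "int a(void) { return 1; }\n",
    "libfoo/src/b.c": APACHE_HEADER.format(year=2015, holder="Alice Example") + "int b(void) { return 2; }\n",
    "libfoo/include/foo.h": APACHE_HEADER.format(year=2018, holder="Bob Example") + "int a(void);\n",
    "libbar/src/c.c": GPL_HEADER + "\nint c(void) { return 3; }\n",
    "libbar/tools/gen.py": "print('generated')\n",
}

def build_sample_tree():
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="notice-demo-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root

def extract_header(text):
    """Return the leading comment of a source file (block or line comments), or ''."""
    text = text.lstrip()
    if text.startswith("/*"):
        end = text.find("*/")
        body = text[2:end] if end != -1 else text[2:]
        lines = [re.sub(r"^\s*\*+\s?", "", line) for line in body.splitlines()]
    else:
        lines = []
        for line in text.splitlines():
            stripped = line.strip()
            if not stripped.startswith(("//", "#")):
                break  # first non-comment line ends the header
            lines.append(stripped.lstrip("/#").strip())
    return "\n".join(line.rstrip() for line in lines).strip()

def classify(header):
    """Map a header to a license name, or 'UNKNOWN' if no pattern matches."""
    for pattern, name in LICENSE_PATTERNS:
        match = pattern.search(header)
        if match:
            return name or match.group(1)
    return "UNKNOWN"

def collect_variants(root):
    """Group source files under root by (license, exact header variant); returns
    license -> list of {header, copyrights, files}. Headerless files go under 'NO-HEADER'."""
    variants, index = {}, {}  # index: (license, whitespace-normalised header) -> variant
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            if os.path.splitext(name)[1] not in SOURCE_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                header = extract_header(fh.read())
            lic = classify(header) if header else "NO-HEADER"
            key = (lic, " ".join(header.split()))
            if key not in index:
                index[key] = {"header": header, "copyrights": COPYRIGHT_RE.findall(header), "files": []}
                variants.setdefault(lic, []).append(index[key])
            index[key]["files"].append(os.path.relpath(path, root).replace(os.sep, "/"))
    return variants

def dropped_by_representative_sample(variants):
    """Count the header variants a one-text-per-license NOTICE would omit."""
    return sum(len(vs) - 1 for lic, vs in variants.items() if lic != "NO-HEADER")

def render_notice(variants):
    """Render every variant of every license, with the files that carry it."""
    out = []
    for lic, vs in variants.items():
        out.append("=" * 60 + f"\n{lic}: {len(vs)} variant(s)")
        for v in vs:
            out.append("-" * 60 + "\nFiles: " + ", ".join(v["files"]))
            out.append(v["header"] or "(no license header found; needs manual review)")
    return "\n".join(out) + "\n"
```

Running `render_notice(collect_variants(build_sample_tree()))` lists two Apache-2.0 variants (Alice's header shared by two files, Bob's by one) and one GPL variant; `dropped_by_representative_sample` reports the one variant a single-sample NOTICE would silently lose. Only whitespace is normalised, so any change in wording or copyright line is deliberately treated as a separate variant, and the UNKNOWN and NO-HEADER buckets exist precisely so those files reach a human review step instead of being dropped.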

The Solution

  • Automation: FOSSA automates checking that the notice file contains not only the package- or component-level licenses but every license that appears in the files within those components.
  • Full compliance: FOSSA generates a "full" version of the NOTICE file and provides a workflow to inspect, approve and (if necessary) manually override the generated file.


  • Go to market faster: FOSSA scans and updates notice files in hours instead of days; developers report a 70% reduction in time spent editing notice files.
  • Control with automation: FOSSA's workflow automation keeps the developer in control of what goes into the NOTICE file.
  • Reduce compliance risk: confidently steer clear of reputational, financial and legal damage with FOSSA's solution for AOSP compliance.
  • Increase developer velocity: FOSSA speeds up engineering by automating the time-consuming work of augmenting notice files.
  • Take the guesswork out of dependency identification: FOSSA parses the build system to find the dependencies of a particular library precisely and accurately.