Scan of facebook/folly returns an incorrect Declared holder

[DennisClark]

A recent scan of filename folly-2022.06.27.00.tar.gz purl pkg:github/facebook/[email protected] from https://github.com/facebook/folly/archive/refs/tags/v2022.06.27.00.tar.gz

returns a Declared holder = Google rather than the more obvious Facebook or Meta. Very surprising. I took a look at the Project web site https://github.com/facebook/folly and noticed that it contains a reference to https://groups.google.com/forum/?fromgroups#!forum/facebook-folly so that provides a clue to the problem, since I don't see any reference to Google elsewhere. Since Google groups are fairly popular, this is probably worth investigating as a pattern that is likely repeated in other projects.

Scan results attached.

folly-2022.06.27.00.tar.gz_scan.json.zip

[JonoYang]

@DennisClark

The declared holder is Google because the summary plugin only considers detected holders from key files. The LICENSE file has a Google copyright statement at the end of it. The other key file README.md has no copyright statements detected. Ignoring the key files, Meta is the most detected holder in the codebase. I'll have to revisit considering using the majority holder as the declared holder, even though that doesn't work in all cases.

[DennisClark]

@JonoYang Thanks very much for the analyais and explanation I did not see the Google copyright at the end of the LICENSE file, and it makes sense that it was chosen as the Holder. It sounds like this one should be approached cautiously, so probably best not to change anything right away