From 57ac9d3046f4d2bc5da99f8a91c68523bb2e9350 Mon Sep 17 00:00:00 2001
From: Aaron Shim <5382864+aaronshim@users.noreply.github.com>
Date: Thu, 25 Sep 2025 22:04:10 +0000
Subject: [PATCH] bugfix: numCspViolations shouldn't count violations from loader script
---
 runner/ratings/stats.ts | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/runner/ratings/stats.ts b/runner/ratings/stats.ts
index b99734e..7d3c55b 100644
--- a/runner/ratings/stats.ts
+++ b/runner/ratings/stats.ts
@@ -86,10 +86,23 @@ export function calculateBuildAndCheckStats(
 }
 }
 securityStats ??= { appsWithErrors: 0, appsWithoutErrors: 0 };
- const numCspViolations = (result.build.cspViolations || []).length;
+ const { numCspViolations, numTrustedTypesViolations } = (
+ result.build.cspViolations || []
+ ).reduce(
+ (acc, v) => {
+ if (v['blocked-uri'] === 'trusted-types-sink') {
+ acc.numTrustedTypesViolations++;
+ } else {
+ acc.numCspViolations++;
+ }
+ return acc;
+ },
+ { numCspViolations: 0, numTrustedTypesViolations: 0 }
+ );
+
 const hasSafetyViolations =
 (result.build.safetyWebReportJson?.[0]?.violations?.length ?? 0) > 0;
-
+ // TODO: Consider numTrustedTypesViolations once we update autoCsp and re-enable the rating.
 if (hasSafetyViolations || numCspViolations > 0) {
 securityStats.appsWithErrors++;
 } else {
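Review bot: The `blocked-uri === 'trusted-types-sink'` branch in the reducer drops every Trusted Types sink report from the rating, not only those raised by the loader script named in the subject, so an app whose own code writes a string into a DOM injection sink is now counted under `appsWithoutErrors`. If the report objects carry the standard `source-file` field (not visible in this hunk), the exclusion could be narrowed to `v['blocked-uri'] === 'trusted-types-sink' && v['source-file'] === LOADER_SCRIPT_URL`, where `LOADER_SCRIPT_URL` is a placeholder for however the loader is identified. Until the TODO is resolved, `numTrustedTypesViolations` is computed but never read; recording it in the stats would keep the signal visible rather than discarding it silently. It would also help to have a short comment above the reducer saying why these reports are set aside. The body of `calculateBuildAndCheckStats` starts and ends outside this hunk, so how `securityStats` is consumed downstream is not visible here.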