Snapscope - new useful website for vulnerabilities in snap packages

I cannot seem to understand how exactly this website works. When I check Firefox it shows me that it has 43 “components”, 38 vulnerabilities. (SnapScope - Snap Package Security Scanner)

What are those vulnerabilities? Are they vulnerabilities in the Firefox browser or the snap package itself? Are those the vulnerabilities that are fixed in that particular version of Firefox or not? Brave browser shows 0 vulnerabilities on that website.

1 Like

This is mostly a CVE-list like plenty on the Internet.
See, I found the same one elsewhere; it’s pretty much reporting universally reported vulnerabilities that are found by security folks. :hugs:

I don’t think that it is specifically related to snap tho, because most of those are about the browser/API/packages used themselves.

As for why Brave has 0 there, I’m not fully sure.[1]
But you can always check Chromium’s current state and expect the same to be downstream.
After all, you can have several CVEs per month and some of them might not be accurately reported back to the websites listing them.

It per-se doesn’t mean that a browser is unsafe to use or that you might encounter a huge risk. Also, some of those vulnerabilities might also be there but never noticed/reported.
So, just keep your browser up to date and you should be fine. :mending_heart:


1. Maybe their team is doing very thorough security work where they patch ASAP? Not sure about this.

1 Like

Hello! I made this. Great question!

Snaps are squashfs files that contain all manner of binaries and other assets.

They’re often (but not always) created using a tool called snapcraft, but you can also smash together a bunch of files and a snap.yaml file, use mksquashfs to create the archive, and share it.

That’s a lot of work, especially for a large and complicated project like Firefox, so rather than build the whole world from scratch, snap publishers will pull in debs. Those deb files will often come from the Ubuntu archive, PPAs or other third-party repositories.

SnapScope uses Syft to generate an SBOM for the snap, then Grype to scan for vulnerabilities. If Syft can find the various metadata files - the hallmarks of debs being used during creation - then Grype can correlate the deb package names with the same ones in the Ubuntu security feed, which references existing CVEs or GHSAs.

On the flip side, if Syft isn’t able to identify all the packages, then Grype may not be able to correlate those with known vulnerabilities.

2 Likes

I think the creator gave you a good rundown on how those CVEs are associated with Firefox. It’s the CVEs of the underlying dependencies that Firefox relies on to function. It could just be that Brave cannot be “unpackaged” as easily for CVE scanning.

Just because a dependency of an app has a reported CVE doesn’t mean that the app will have a vulnerability. There’s no indication that the exact code behind the CVE is used by the app, or maybe it’s patched in some other way. We can’t know for sure without diving into Firefox’s code and trying to exploit it. I wouldn’t worry about it.

1 Like

What’s happening with Brave is that the Brave snap is literally the Brave deb plus some support libraries. The Brave deb doesn’t come from the Ubuntu archive, so there’s no information about security issues with it.

I will continue to look at improving what the site shows, however. I appreciate the feedback, and Brave is a great test case for me.

2 Likes
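As an added example (not SnapScope’s, Syft’s or Grype’s code), here is a small Python model of the correlation step the site author describes above: deb names and versions from an SBOM checked against the fixed-in versions of an Ubuntu-style security feed under dpkg version ordering. It also reproduces the Brave case from the later reply, where a deb from outside the Ubuntu archive yields no data at all. The SBOM, the feed records and the CVE ids are all constructed placeholders.

```python
# Added example, not SnapScope/Syft/Grype code: models the SBOM-to-Ubuntu-feed correlation on constructed data.
import re
from itertools import zip_longest

# Constructed CycloneDX-shaped SBOM fragment; Brave's deb is not from the Ubuntu archive.
SBOM = {"components": [
    {"name": "libpng16-16", "version": "1.6.37-3build5", "purl": "pkg:deb/ubuntu/libpng16-16"},
    {"name": "zlib1g", "version": "1:1.2.11.dfsg-2ubuntu9.2", "purl": "pkg:deb/ubuntu/zlib1g"},
    {"name": "brave-browser", "version": "1.60.114", "purl": "pkg:deb/brave/brave-browser"},
]}
# Constructed feed records in Ubuntu-security-notice style; the CVE ids are placeholders.
FEED = [
    {"id": "CVE-XXXX-0001", "package": "libpng16-16", "fixed_in": "1.6.37-3ubuntu0.1"},
    {"id": "CVE-XXXX-0002", "package": "zlib1g", "fixed_in": "1:1.2.11.dfsg-2ubuntu9.2"},
]

def _order(c):
    # dpkg character ordering: '~' sorts before anything (even end of string), letters before symbols
    return -1 if c == "~" else 0 if not c else ord(c) if c.isalpha() else ord(c) + 256

def _frag(x, y):
    # Compare alternating non-digit/digit runs the way dpkg compares upstream and revision parts
    for (lx, dx), (ly, dy) in zip_longest(re.findall(r"(\D*)(\d*)", x),
                                          re.findall(r"(\D*)(\d*)", y), fillvalue=("", "")):
        for cx, cy in zip_longest(lx, ly, fillvalue=""):
            if _order(cx) != _order(cy):
                return 1 if _order(cx) > _order(cy) else -1
        if int(dx or 0) != int(dy or 0):
            return 1 if int(dx or 0) > int(dy or 0) else -1
    return 0

def dpkg_cmp(a, b):
    """Return -1, 0 or 1 ordering a against b under dpkg's epoch:upstream-revision rules."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        up, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), up, rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea > eb) - (ea < eb) or _frag(ua, ub) or _frag(ra, rb)

def correlate(sbom, feed):
    """Per component: advisory ids whose fix is newer than the installed build, or 'no feed data'
    for debs outside the Ubuntu archive. A hit is not proof the app reaches the affected code."""
    report = {}
    for comp in sbom["components"]:
        if not comp["purl"].startswith("pkg:deb/ubuntu/"):  # e.g. Brave's own deb
            report[comp["name"]] = "no feed data"
        else:
            report[comp["name"]] = sorted(adv["id"] for adv in feed if adv["package"] == comp["name"]
                                          and dpkg_cmp(comp["version"], adv["fixed_in"]) < 0)
    return report
```

Running `correlate(SBOM, FEED)` flags only the libpng build that predates its fix, reports the already-fixed zlib with an empty list, and returns “no feed data” for the Brave deb.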
Off topic

omg it’s Popey (or is it)! When I read your comment, it’s in your podcast voice lol

1 Like