On 2018-07-03, Ola Lundqvist <ola@inguza.com> wrote: > jetty8 appears first 2012. > jetty9 appears first 2015. > > This means that CVE entries before 2012 are not relevant for jetty8 > and before 2015 not relevant for jetty9. That's just wrong; for instance, a CVE-2011-XXXX first found to affect jetty7 could very well not be fixed yet in jetty8. Cheers, --Seb