Hi
I have compared the lists for jetty, jetty8 and jetty9.
jetty8 appears first 2012.
jetty9 appears first 2015.
This means that CVE entries before 2012 are not relevant for jetty8 and before 2015 not relevant for jetty9.
When I look at the open issues for jetty they look identical, but the resolved list is a little different.
jetty9 do not have CVE-2015-2080 marked as resolved. Should be checked to see that this has not been missed.
The ones you mention are now listed for all of them and I think that is relevant.
But I do not see the difference you mention for jetty8 and jetty9 (just one package diff).
The list is much longer for jetty, simply because it has been around for a longer period, but I do not see the other difference.
Or am I looking in the wrong place when comparing them?
I'm comparing the following pages:
Best regards
// Ola