WildFly / WFLY-20990

Automate the reporting of SCA / CVE scan results for WildFly Releases


    • Type: Feature Request
    • Resolution: Unresolved
    • Priority: Major
    • Component/s: Documentation, Security

For normal bug reports we tend to focus very much on the main development branch of WildFly: if an issue can be reproduced in that branch, we create a bug report and resolve it against the next release when we fix it. We also don't pay too much attention to the affects version field; we will likely set it to a version we know it was reproduced in, but we don't triage when the issue was first encountered etc. At times general bugs are mostly of interest to those experiencing them.

CVEs have a different relationship: users are interested in all CVEs, and there is a greater emphasis on understanding which versions are affected. However, unless we proactively triage CVEs against older releases we don't know which WildFly releases are affected. Additionally, at times components are upgraded before we even know the older version contains a CVE, so we will not even have an upstream triage opportunity.

This WildFly issue is to set up OWASP dependency scanning for CVEs across both the development branch of WildFly and a pre-defined number of older releases.

The intent is that we can use this data to maintain an up-to-date list of known CVEs based on up-to-date data from publicly accessible CVE databases.
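One way the per-release scan results could be turned into the "which releases are affected" list the description asks for, as an added example that is not part of this issue or of any WildFly tooling: it folds one OWASP Dependency-Check JSON report per scanned ref into a per-CVE table of affected versions and vulnerable artifacts. The report snippets and the CVE-0000-* identifiers are constructed placeholders, and the field layout (dependencies[].fileName, dependencies[].vulnerabilities[].name/severity/cvssv3.baseScore) is the subset of the Dependency-Check JSON schema I assume here.

```python
"""Fold OWASP Dependency-Check JSON reports from several WildFly refs
into a per-CVE "affected versions" table (example, not project code)."""
import json
from collections import defaultdict

# Constructed sample reports, one per scanned ref. Only the assumed subset
# of Dependency-Check's JSON report layout that this script reads is modelled.
SAMPLE_REPORTS = {
    "main": json.dumps({"dependencies": [
        {"fileName": "lib-a-2.0.jar", "vulnerabilities": []}]}),
    "30.0.0.Final": json.dumps({"dependencies": [
        {"fileName": "lib-a-1.9.jar", "vulnerabilities": [
            {"name": "CVE-0000-0001", "severity": "HIGH",
             "cvssv3": {"baseScore": 7.5}}]}]}),
    "29.0.1.Final": json.dumps({"dependencies": [
        {"fileName": "lib-a-1.9.jar", "vulnerabilities": [
            {"name": "CVE-0000-0001", "severity": "HIGH",
             "cvssv3": {"baseScore": 7.5}}]},
        {"fileName": "lib-b-0.1.jar", "vulnerabilities": [
            {"name": "CVE-0000-0002", "severity": "MEDIUM",
             "cvssv3": {"baseScore": 5.3}}]}]}),
}

def aggregate(reports):
    """Return {cve: {"severity", "score", "affected": {version: [artifacts]}}}."""
    table = {}
    for version, raw in reports.items():
        for dep in json.loads(raw).get("dependencies", []):
            # "vulnerabilities" is absent for clean dependencies, hence `or []`
            for vuln in dep.get("vulnerabilities") or []:
                entry = table.setdefault(vuln["name"], {
                    "severity": vuln.get("severity", "UNKNOWN"),
                    "score": (vuln.get("cvssv3") or {}).get("baseScore"),
                    "affected": defaultdict(list)})
                entry["affected"][version].append(dep["fileName"])
    return table

def unaffected(table, cve, versions):
    """Scanned refs where the CVE is not reported: candidates for 'fixed in'."""
    return sorted(set(versions) - set(table[cve]["affected"]))

def render(table, versions):
    """One line per CVE, listing affected refs in the scan order given."""
    lines = []
    for cve in sorted(table):
        e = table[cve]
        hit = ", ".join(v for v in versions if v in e["affected"])
        lines.append(f"{cve} {e['severity']} ({e['score']}): affected {hit}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(aggregate(SAMPLE_REPORTS), list(SAMPLE_REPORTS)))
```

A scan of "main" that reports nothing while an older tag does is exactly the case the description warns about (component upgraded before the CVE was known), and it shows up here as the CVE being absent from the main column rather than being triaged.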

Assignee: Darran Lofthouse
Reporter: Darran Lofthouse