9/30/25 release branch (#3709)

* #3705 Add News article for the 8/20/5 Board minutes summary

* #3706 Add 1 new News article about joining AWG

* #3705 Add News article for the 9/3/25 Board Minutes summary

* #3707 Add 1 new CNA + Update 1 CNA's info

* #3708 Update CWG meeting times

* #3705 Update 1 link

* npm update on 8/28/2025; modifications needed for successful build

* HTML: fix warnings about lists in paragraphs

* AdpVulnerabilityEnrichment: fix embedded button issue

* npm update on 9/30/2025

* Events: add anchor for "Recurring" events section

---------

Co-authored-by: Roy Lane <[email protected]>

Author: rroberge

package-lock.json

@@ -16,40 +16,41 @@
   },
   "dependencies": {
     "@cityssm/bulma-sticky-table": "^2.1.0",
-    "@fortawesome/fontawesome-svg-core": "^6.5.2",
-    "@fortawesome/free-brands-svg-icons": "^6.5.2",
-    "@fortawesome/free-regular-svg-icons": "^6.5.1",
-    "@fortawesome/free-solid-svg-icons": "^6.5.1",
-    "@fortawesome/vue-fontawesome": "^3.0.5",
-    "@unhead/vue": "^1.11.18",
-    "axios": "^1.6.5",
+    "@fortawesome/fontawesome-svg-core": "^6.7.2",
+    "@fortawesome/free-brands-svg-icons": "^6.7.2",
+    "@fortawesome/free-regular-svg-icons": "^6.7.2",
+    "@fortawesome/free-solid-svg-icons": "^6.7.2",
+    "@fortawesome/vue-fontawesome": "^3.1.2",
+    "@unhead/vue": "^1.11.20",
+    "axios": "^1.12.2",
     "bulma": "^0.9.4",
     "bulma-timeline": "^3.0.5",
     "leaflet": "^1.9.4",
     "lodash": "^4.17.21",
     "node-sass": "^9.0.0",
-    "pinia": "^2.1.7",
+    "pinia": "^2.3.1",
     "vue": "^3.3.11",
-    "vue-gtag": "^2.0.1",
+    "vue-gtag": "^2.1.2",
     "vue-plugin-load-script": "^2.1.1",
-    "vue-router": "^4.2.5"
+    "vue-router": "^4.5.1"
   },
   "devDependencies": {
-    "@rushstack/eslint-patch": "^1.3.3",
-    "@tsconfig/node18": "^18.2.2",
-    "@types/lodash": "^4.17.7",
-    "@types/node": "^18.19.3",
-    "@vitejs/plugin-vue": "^4.5.2",
+    "@rushstack/eslint-patch": "^1.12.0",
+    "@tsconfig/node18": "^18.2.4",
+    "@types/lodash": "^4.17.20",
+    "@types/node": "^18.19.127",
+    "@vitejs/plugin-vue": "^4.6.2",
     "@vitejs/plugin-vue-jsx": "^3.1.0",
-    "@vue/eslint-config-prettier": "^8.0.0",
-    "@vue/eslint-config-typescript": "^12.0.0",
-    "@vue/tsconfig": "^0.5.0",
-    "eslint": "^8.49.0",
-    "eslint-plugin-vue": "^9.17.0",
-    "npm-run-all2": "^6.1.1",
-    "prettier": "^3.0.3",
+    "@vue/eslint-config-prettier": "^10.2.0",
+    "@vue/eslint-config-typescript": "^14.6.0",
+    "@vue/tsconfig": "^0.5.1",
+    "eslint": "^9.36.0",
+    "eslint-plugin-vue": "^10.5.0",
+    "npm-run-all2": "^6.2.6",
+    "prettier": "^3.6.2",
+    "sass-embedded": "^1.93.2",
     "typescript": "~5.3.0",
-    "vite": "^5.0.10",
-    "vue-tsc": "^1.8.25"
+    "vite": "^5.4.20",
+    "vue-tsc": "^1.8.27"
   }
-}
+}

package.json

@@ -26942,7 +26942,7 @@
     "shortName": "AxxonSoft",
     "cnaID": "CNA-2025-0045",
     "organizationName": "AxxonSoft Limited",
-    "scope": "AxxonSoft products and solutions only.",
+    "scope": "AxxonSoft products and solutions, GRUNDIG security products, and C-WERK software solutions.",
     "contact": [
       {
         "email": [
@@ -27333,5 +27333,62 @@
       ]
     },
     "country": "USA"
+  },
+  {
+    "shortName": "Almaviva",
+    "cnaID": "CNA-2025-0052",
+    "organizationName": "Almaviva S.p.A.",
+    "scope": "Vulnerabilities in Almaviva proprietary software solutions such as Joshua CybeRisk Vision, Jiano, Sofia, and Giotto, as well as Almaviva-developed IT solutions.",
+    "contact": [
+      {
+        "email": [
+          {
+            "label": "Email",
+            "emailAddr": "[email protected]"
+          }
+        ],
+        "contact": [],
+        "form": []
+      }
+    ],
+    "disclosurePolicy": [
+      {
+        "label": "Policy",
+        "language": "",
+        "url": "https://www.almaviva.it/it_IT/CNA_vulnerability_disclosure_policy"
+      }
+    ],
+    "securityAdvisories": {
+      "alerts": [],
+      "advisories": [
+        {
+          "label": "Advisories",
+          "url": "https://www.cyberiskvision.com/zero-day/"
+        }
+      ]
+    },
+    "resources": [],
+    "CNA": {
+      "isRoot": false,
+      "root": {
+        "shortName": "n/a",
+        "organizationName": "n/a"
+      },
+      "roles": [
+        {
+          "helpText": "",
+          "role": "CNA"
+        }
+      ],
+      "TLR": {
+        "shortName": "mitre",
+        "organizationName": "MITRE Corporation"
+      },
+      "type": [
+        "Vendor",
+        "Hosted Service"
+      ]
+    },
+    "country": "Italy"
   }
 ]

public/images/news/CveAutomation.jpg

@@ -1,7 +1,7 @@
 {
   "currentEvents": [
     {
-      "id": 39,
+      "id": 40,
       "displayOnHomepageOrder": 1,
       "title": "CVE Program Technical Workshop – Autumn 2025",
       "location": "Virtual",
@@ -14,6 +14,22 @@
         "repeat": false
       }
     },
+    {
+      "id": 39,
+      "title": "Consumer Working Group (CWG) Meeting",
+      "location": "Virtual",
+      "description": "CWG identifies consumer needs, evaluates the usability of CVE data, and recommends improvements to ensure that the CVE Program remains aligned with real-world use cases.<br/><br/>Meetings are held on select Thursdays, with alternating meeting times to enable worldwide participation:<br/><br/><strong>APAC/US Consumer WG at 7:00pm ET</strong><ul><li>October 2, 2025</li><li>October 23, 2025</li><li>November 13, 2025</li><li>December 4, 2025</li><li>December 25, 2025</li></ul><strong>EU/US Consumer WG at 11:00am ET</strong><ul><li>October 9, 2025</li><li>October 30, 2025</li><li>November 20, 2025</li><li>December 11, 2025</li></ul></li></ul>",
+      "permission": "private",
+      "url": "/ProgramOrganization/WorkingGroups#CVEConsumerWorkingGroupCWG",
+      "date": {
+        "start": "2025-09-01",
+        "end": "2025-12-31",
+        "repeat": {
+          "day": "Thursday",
+          "recurrence": "weekly"
+        }
+      }
+    },
     {
       "id": 38,
       "title": "Researcher Working Group (RWG) Meeting",

src/assets/data/CNAsList.json

@@ -1204,7 +1204,7 @@
         },
         {
           "month": "September",
-          "value": "6"
+          "value": "7"
         },
         {
           "month": "October",

src/assets/data/events.json

@@ -1,5 +1,95 @@
 {
   "currentNews": [
+    {
+      "id": 578,
+      "newsType": "news",
+      "title": "Almaviva Added as CVE Numbering Authority (CNA)",
+      "urlKeywords": "Almaviva Added as CNA",
+      "date": "2025-09-30",
+      "description": [
+        {
+          "contentnewsType": "paragraph",
+          "content": "<a href='/PartnerInformation/ListofPartners/partner/Almaviva'>Almaviva S.p.A.</a> is now a <a href='/ResourcesSupport/Glossary?activeTerm=glossaryCNA'>CVE Numbering Authority (CNA)</a> for vulnerabilities in Almaviva proprietary software solutions such as Joshua CybeRisk Vision, Jiano, Sofia, and Giotto, as well as Almaviva-developed IT solutions."
+        },
+        {
+          "contentnewsType": "paragraph",
+          "content": "To date, <a href='/PartnerInformation/ListofPartners'>476 CNAs</a> (473 CNAs and 3 CNA-LRs) from <a href='/ProgramOrganization/CNAs'>40 countries</a> and 1 no country affiliation have partnered with the CVE Program. CNAs are organizations from around the world that are authorized to assign <a href='/ResourcesSupport/Glossary?activeTerm=glossaryCVEID'>CVE Identifiers (CVE IDs)</a> and publish <a href='/ResourcesSupport/Glossary?activeTerm=glossaryRecord'>CVE Records</a> for vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities. Almaviva is the 2nd CNA from Italy."
+        },
+        {
+          "contentnewsType": "paragraph",
+          "content": "Almaviva’s Root is the <a href='/PartnerInformation/ListofPartners/partner/mitre'>MITRE TL-Root</a>."
+        }
+      ]
+    },
+    {
+      "id": 577,
+      "newsType": "news",
+      "title": "Join the CVE Program’s Automation Working Group (AWG)!",
+      "urlKeywords": "Join the Automation Working Group AWG",
+      "date": "2025-09-30",
+      "description": [
+        {
+          "contentnewsType": "paragraph",
+          "content": "The <a href='/ProgramOrganization/WorkingGroups#AutomationWorkingGroupAWG'>CVE Automation Working Group (AWG)</a> plays a key role in shaping how the <a href='/'>CVE Program</a> uses technology to improve automation, streamline data exchange, and modernize services for the global vulnerability management community."
+        },
+        {
+          "contentnewsType": "paragraph",
+          "content": "In the past, the AWG has driven impactful initiatives such as developing the <a href='/AllResources/CveServices'>CVE Services</a> API for <a href='/ResourcesSupport/Glossary?activeTerm=glossaryCNA'>CVE Numbering Authorities (CNAs)</a>, advancing the <a href='/AllResources/CveServices#CveRecordFormat'>CVE Record Data Format</a>, and supporting automation standards that strengthen interoperability across the ecosystem. Looking ahead, the group is focused on further modernizing CVE Program services, improving efficiency for CNAs, and expanding capabilities for data consumers worldwide."
+        },
+        {
+          "contentnewsType": "paragraph",
+          "content": "To support broader participation across the international CVE community, the AWG is now testing two alternate meeting times on Tuesdays: <ul><li>9:00 AM ET (one week)</li><li>4:00 PM ET (the next week)</li></ul>"
+        },
+        {
+          "contentnewsType": "paragraph",
+          "content": "If one of these sessions works better for your schedule, we’d love for you to join us! To start the process, simply sign up for the AWG groups.io email list by clicking here: <a href='mailto:[email protected]?subject=Request to Join CVE AWG'>[email protected]</a>. You will need a groups.io account to sign up."
+        },
+        {
+          "contentnewsType": "paragraph",
+          "content": "The AWG is open to the public&mdash;your voice and expertise can help shape the future of CVE automation and we look forward to your participation!"
+        },
+        {
+          "contentnewsType": "image",
+          "imageWidth": "",
+          "href": "/news/CveAutomation.jpg",
+          "altText": "CVE Program Automation"
+        }
+      ]
+    },
+    {
+      "id": 576,
+      "newsType": "news",
+      "title": "Minutes from CVE Board Teleconference Meeting on September 3 Now Available",
+      "urlKeywords": "CVE Board Minutes from September 3",
+      "date": "2025-09-30",
+      "description": [
+        {
+          "contentnewsType": "paragraph",
+          "content": "The <a href='/ProgramOrganization/Board'>CVE Board</a> held a teleconference meeting on September 3, 2025. Read the <a href='https://marc.info/?l=cve-editorial-board&m=175890383805223&w=2' target='_blank'>meeting minutes summary</a>."
+        },
+        {
+          "contentnewsType": "paragraph",
+          "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information."
+        }
+      ]
+    },
+    {
+      "id": 575,
+      "newsType": "news",
+      "title": "Minutes from CVE Board Teleconference Meeting on August 20 Now Available",
+      "urlKeywords": "CVE Board Minutes from August 20",
+      "date": "2025-09-30",
+      "description": [
+        {
+          "contentnewsType": "paragraph",
+          "content": "The <a href='/ProgramOrganization/Board'>CVE Board</a> held a teleconference meeting on August 20, 2025. Read the <a href='https://marc.info/?l=cve-editorial-board&m=175866087004529&w=2' target='_blank'>meeting minutes summary</a>."
+        },
+        {
+          "contentnewsType": "paragraph",
+          "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information."
+        }
+      ]
+    },
     {
       "id": 574,
       "newsType": "news",

src/assets/data/metrics.json

@@ -1,3 +1,5 @@
+@use 'variables' as *;
+
 /** Override Bulma's generic variables **/
 $body-family: "Source Sans Pro", "Public Sans Web", sans-serif;
 

src/assets/data/news.json

@@ -1,23 +1,23 @@
 <template>
   <div :id="`${sectionAnchorId}`">
     <div class="mb-2">
-      <button @click="togglePanel" class="message-header cve-accordion-header">
-        <slot></slot>
-        <button class="button message-header-button"
-          :style="{'background-color': '#162e51 !important', 'color': 'white !important'}"
+      <div style="display: flex; flex: 1; flex-direction: row; background-color: #162e51 !important;">
+        <button @click="togglePanel" class="message-header cve-accordion-header" style="flex: 1 1 auto">
+          <slot></slot>
+        </button>
+        <button @click="togglePanel" class="button message-header-button"
+          style="background-color: #162e51 !important; color: white !important; flex: 0 0 auto; align-self: center;"
           :aria-expanded="usecveRecordStore.accordionState[organizationId] ? 'true' : 'false'"
-          :aria-controls="`${organizationId}-panel`"
-        >
+          :aria-controls="`${organizationId}-panel`">
           <span class="icon is-small">
             <p :id="`expandCollapseAltText-${organizationId}`" class="is-hidden">
               {{usecveRecordStore.accordionState[organizationId] ? 'expand' : 'collapse'}}
             </p>
             <font-awesome-icon :icon="usecveRecordStore.accordionState[organizationId] ? 'minus' : 'plus'"
-              aria-hidden="false" focusable="true" :aria-labelledby="`expandCollapseAltText-${organizationId}`"
-            />
+              aria-hidden="false" focusable="true" :aria-labelledby="`expandCollapseAltText-${organizationId}`"/>
           </span>
         </button>
-      </button>
+      </div>
       <!-- Panel content is conditionally determined by role -->
       <div :id="`${organizationId}-panel`" v-if="usecveRecordStore.accordionState[organizationId]"
         class="pl-3 pr-3 pt-2 pb-5 cve-container-accordion-panel"

src/assets/style/bulmaCveCustomizations.scss

@@ -63,16 +63,14 @@
                 <iframe class="has-ratio" width="560" height="315" src="https://www.youtube.com/embed/OQB2w71JmLE" frameborder="0" allowfullscreen>
                 </iframe>
               </figure>
-              <p>
-                <a href='/ProgramOrganization/Board'>CVE Board</a> members Tod Beardsley, Shannon Sabens, and Kent Landfield provide
-                the truth and facts about the following myths about the CVE Program:
-                <ul>
-                  <li class="cve-list-no-bullet">Myth #1: The CVE Program is run entirely by the MITRE Corporation.</li>
-                  <li class="cve-list-no-bullet"> Myth #2: The CVE Program is controlled by software vendors.</li>
-                  <li class="cve-list-no-bullet">Myth #3: The CVE Program doesn’t cover enough types of vulnerabilities.</li>
-                  <li class="cve-list-no-bullet">Myth #4: The CVE Program is responsible for assigning vulnerability severity scores.</li>
-                </ul>
-              </p>
+              <a href='/ProgramOrganization/Board'>CVE Board</a> members Tod Beardsley, Shannon Sabens, and Kent Landfield provide
+              the truth and facts about the following myths about the CVE Program:
+              <ul>
+                <li class="cve-list-no-bullet">Myth #1: The CVE Program is run entirely by the MITRE Corporation.</li>
+                <li class="cve-list-no-bullet"> Myth #2: The CVE Program is controlled by software vendors.</li>
+                <li class="cve-list-no-bullet">Myth #3: The CVE Program doesn’t cover enough types of vulnerabilities.</li>
+                <li class="cve-list-no-bullet">Myth #4: The CVE Program is responsible for assigning vulnerability severity scores.</li>
+              </ul>
             </div>
             <div class="cve-white-bg-gray-border-container">
               <h3 class="title mt-4">Podcast - Becoming A CNA Myths versus Facts</h3>
@@ -88,17 +86,17 @@
                 U.S. Cybersecurity and Infrastructure Security Agency (CISA)</a>
                 about the myths and facts of partnering with the CVE Program as a
                 <router-link to="/ProgramOrganization/CNAs">CVE Numbering Authority</router-link> (CNA):
-                <ul>
-                  <li class="cve-list-no-bullet">Myth #1: Only a specific category of software vendors can become CNAs.</li>
-                  <li class="cve-list-no-bullet">
-                    Myth #2: Organizations cannot leverage their existing vulnerability management and disclosure processes when they become a CNA.
-                  </li>
-                  <li class="cve-list-no-bullet">Myth #3: The requirements for becoming a CNA are overwhelming and extensive.</li>
-                  <li class="cve-list-no-bullet">Myth #4: A fee is required to become a CNA.</li>
-                  <li class="cve-list-no-bullet">Myth #5: The CNA onboarding process is too complicated and time-consuming.</li>
-                  <li class="cve-list-no-bullet">Myth #6: Organizations cannot choose the Top-Level Root or Root they want to work with.</li>
-                </ul>
               </p>
+              <ul>
+                <li class="cve-list-no-bullet">Myth #1: Only a specific category of software vendors can become CNAs.</li>
+                <li class="cve-list-no-bullet">
+                  Myth #2: Organizations cannot leverage their existing vulnerability management and disclosure processes when they become a CNA.
+                </li>
+                <li class="cve-list-no-bullet">Myth #3: The requirements for becoming a CNA are overwhelming and extensive.</li>
+                <li class="cve-list-no-bullet">Myth #4: A fee is required to become a CNA.</li>
+                <li class="cve-list-no-bullet">Myth #5: The CNA onboarding process is too complicated and time-consuming.</li>
+                <li class="cve-list-no-bullet">Myth #6: Organizations cannot choose the Top-Level Root or Root they want to work with.</li>
+              </ul>
             </div>
             <div class="cve-white-bg-gray-border-container">
               <h3 class="title mt-4">Podcast - CNA Onboarding Process Myths Versus Facts</h3>