Victoriametrics 1.111
hardened
latest
Size Reduction
-205%
32.6 MB to 99.6 MB (-67.0 MB saved)
Component Reduction
-8%
37 to 40 packages (-3 removed)
Vulnerability Reduction
15%
34 to 29 vulnerabilities (5 eliminated)
Image Comparison
| Property | upstream | hardened |
|---|---|---|
| Image | docker.io/victoriametrics/victoria-metrics:v1.111.0 | ghcr.io/armorred/victoriametrics:1.111.0-hardened |
| Size | 32.6 MB | 99.6 MB |
| Layers | 3 | 19 |
| Components | 37 | 40 |
| Vulnerabilities | 34 | 29 |
| Runtime User | root | 999 |
Vulnerability Analysis
upstream
34 total
hardened
29 total
Upstream vulnerability details (34)
| CVE ID | Severity | Package | Version | Fixed In |
|---|---|---|---|---|
| ALPINE-CVE-2024-58251 | low | busybox | 1.37.0-r9 | 1.36.1-r21 |
| ALPINE-CVE-2025-46394 | low | busybox | 1.37.0-r9 | 1.36.1-r21 |
| GO-2025-3503 | medium | golang.org/x/net | v0.34.0 | 0.36.0 |
| GO-2025-3595 | medium | golang.org/x/net | v0.34.0 | 0.38.0 |
| GO-2026-4440 | unknown | golang.org/x/net | v0.34.0 | 0.45.0 |
| GO-2026-4441 | unknown | golang.org/x/net | v0.34.0 | 0.45.0 |
| GHSA-qxp5-gwg8-xv66 | medium | golang.org/x/net | v0.34.0 | 0.36.0 |
| GHSA-vvgc-356p-c3xw | medium | golang.org/x/net | v0.34.0 | 0.38.0 |
| GO-2025-3488 | high | golang.org/x/oauth2 | v0.25.0 | 0.27.0 |
| GHSA-6v2p-p543-phr9 | high | golang.org/x/oauth2 | v0.25.0 | 0.27.0 |
| ALPINE-CVE-2025-26519 | high | musl | 1.2.5-r8 | 1.2.3-r4 |
| GO-2025-3447 | unknown | stdlib | 1.23.5 | 1.22.12 |
| GO-2025-3563 | unknown | stdlib | 1.23.5 | 1.23.8 |
| GO-2025-3750 | unknown | stdlib | 1.23.5 | 1.23.10 |
| GO-2025-3751 | unknown | stdlib | 1.23.5 | 1.23.10 |
| GO-2025-3849 | unknown | stdlib | 1.23.5 | 1.23.12 |
| GO-2025-3956 | unknown | stdlib | 1.23.5 | 1.23.12 |
| GO-2025-4006 | unknown | stdlib | 1.23.5 | 1.24.8 |
| GO-2025-4007 | unknown | stdlib | 1.23.5 | 1.24.9 |
| GO-2025-4008 | unknown | stdlib | 1.23.5 | 1.24.8 |
| GO-2025-4009 | unknown | stdlib | 1.23.5 | 1.24.8 |
| GO-2025-4010 | unknown | stdlib | 1.23.5 | 1.24.8 |
| GO-2025-4011 | unknown | stdlib | 1.23.5 | 1.24.8 |
| GO-2025-4012 | unknown | stdlib | 1.23.5 | 1.24.8 |
| GO-2025-4013 | unknown | stdlib | 1.23.5 | 1.24.8 |
| GO-2025-4014 | unknown | stdlib | 1.23.5 | 1.24.8 |
| GO-2025-4015 | unknown | stdlib | 1.23.5 | 1.24.8 |
| GO-2025-4155 | unknown | stdlib | 1.23.5 | 1.24.11 |
| GO-2025-4175 | unknown | stdlib | 1.23.5 | 1.24.11 |
| GO-2026-4337 | unknown | stdlib | 1.23.5 | 1.24.13 |
| GO-2026-4340 | unknown | stdlib | 1.23.5 | 1.24.12 |
| GO-2026-4341 | unknown | stdlib | 1.23.5 | 1.24.12 |
| GO-2026-4342 | unknown | stdlib | 1.23.5 | 1.24.12 |
| GO-2026-4403 | unknown | stdlib | 1.23.5 | 1.23.9 |
Hardened vulnerability details (29)
| CVE ID | Severity | Package | Version | Fixed In |
|---|---|---|---|---|
| GO-2025-3503 | medium | golang.org/x/net | v0.34.0 | 0.36.0 |
| GO-2025-3595 | medium | golang.org/x/net | v0.34.0 | 0.38.0 |
| GO-2026-4440 | unknown | golang.org/x/net | v0.34.0 | 0.45.0 |
| GO-2026-4441 | unknown | golang.org/x/net | v0.34.0 | 0.45.0 |
| GHSA-qxp5-gwg8-xv66 | medium | golang.org/x/net | v0.34.0 | 0.36.0 |
| GHSA-vvgc-356p-c3xw | medium | golang.org/x/net | v0.34.0 | 0.38.0 |
| GO-2025-3488 | high | golang.org/x/oauth2 | v0.25.0 | 0.27.0 |
| GHSA-6v2p-p543-phr9 | high | golang.org/x/oauth2 | v0.25.0 | 0.27.0 |
| GO-2025-3750 | unknown | stdlib | 1.23.8 | 1.23.10 |
| GO-2025-3751 | unknown | stdlib | 1.23.8 | 1.23.10 |
| GO-2025-3849 | unknown | stdlib | 1.23.8 | 1.23.12 |
| GO-2025-3956 | unknown | stdlib | 1.23.8 | 1.23.12 |
| GO-2025-4006 | unknown | stdlib | 1.23.8 | 1.24.8 |
| GO-2025-4007 | unknown | stdlib | 1.23.8 | 1.24.9 |
| GO-2025-4008 | unknown | stdlib | 1.23.8 | 1.24.8 |
| GO-2025-4009 | unknown | stdlib | 1.23.8 | 1.24.8 |
| GO-2025-4010 | unknown | stdlib | 1.23.8 | 1.24.8 |
| GO-2025-4011 | unknown | stdlib | 1.23.8 | 1.24.8 |
| GO-2025-4012 | unknown | stdlib | 1.23.8 | 1.24.8 |
| GO-2025-4013 | unknown | stdlib | 1.23.8 | 1.24.8 |
| GO-2025-4014 | unknown | stdlib | 1.23.8 | 1.24.8 |
| GO-2025-4015 | unknown | stdlib | 1.23.8 | 1.24.8 |
| GO-2025-4155 | unknown | stdlib | 1.23.8 | 1.24.11 |
| GO-2025-4175 | unknown | stdlib | 1.23.8 | 1.24.11 |
| GO-2026-4337 | unknown | stdlib | 1.23.8 | 1.24.13 |
| GO-2026-4340 | unknown | stdlib | 1.23.8 | 1.24.12 |
| GO-2026-4341 | unknown | stdlib | 1.23.8 | 1.24.12 |
| GO-2026-4342 | unknown | stdlib | 1.23.8 | 1.24.12 |
| GO-2026-4403 | unknown | stdlib | 1.23.8 | 1.23.9 |
Software Bill of Materials
upstream components (37)
- alpine-baselayout 3.6.8-r1
- alpine-baselayout-data 3.6.8-r1
- alpine-keys 2.5-r0
- alpine-release 3.21.2-r0
- apk-tools 2.14.6-r2
- busybox 1.37.0-r9
- busybox-binsh 1.37.0-r9
- ca-certificates-bundle 20241121-r1
- cloud.google.com/go/compute/metadata v0.6.0
- github.com/VictoriaMetrics/VictoriaMetrics UNKNOWN
- github.com/VictoriaMetrics/easyproto v0.1.4
- github.com/VictoriaMetrics/fastcache v1.12.2
- github.com/VictoriaMetrics/metrics v1.35.1
- github.com/VictoriaMetrics/metricsql v0.83.0
- github.com/cespare/xxhash/v2 v2.3.0
- github.com/golang/snappy v0.0.4
- github.com/klauspost/compress v1.17.11
- github.com/valyala/bytebufferpool v1.0.0
- github.com/valyala/fastjson v1.6.4
- github.com/valyala/fastrand v1.1.0
- github.com/valyala/fasttemplate v1.2.2
- github.com/valyala/gozstd v1.21.2
- github.com/valyala/histogram v1.2.0
- github.com/valyala/quicktemplate v1.8.0
- golang.org/x/net v0.34.0
- golang.org/x/oauth2 v0.25.0
- golang.org/x/sys v0.29.0
- golang.org/x/text v0.21.0
- gopkg.in/yaml.v2 v2.4.0
- libcrypto3 3.3.2-r4
- libssl3 3.3.2-r4
- musl 1.2.5-r8
- musl-utils 1.2.5-r8
- scanelf 1.3.8-r1
- ssl_client 1.37.0-r9
- stdlib go1.23.5
- zlib 1.3.1-r2
hardened components (40)
- acl 2.3.2
- attr 2.5.2
- bash-interactive 5.2p37
- cloud.google.com/go/compute/metadata v0.6.0
- coreutils-full 9.5
- gcc 13.3.0
- gcc 13.3.0
- github.com/VictoriaMetrics/VictoriaMetrics UNKNOWN
- github.com/VictoriaMetrics/easyproto v0.1.4
- github.com/VictoriaMetrics/fastcache v1.12.2
- github.com/VictoriaMetrics/metrics v1.35.1
- github.com/VictoriaMetrics/metricsql v0.83.0
- github.com/cespare/xxhash/v2 v2.3.0
- github.com/golang/snappy v0.0.4
- github.com/klauspost/compress v1.17.11
- github.com/valyala/bytebufferpool v1.0.0
- github.com/valyala/fastjson v1.6.4
- github.com/valyala/fastrand v1.1.0
- github.com/valyala/fasttemplate v1.2.2
- github.com/valyala/gozstd v1.21.2
- github.com/valyala/histogram v1.2.0
- github.com/valyala/quicktemplate v1.8.0
- glibc 2.40-66
- gmp-with-cxx 6.3.0
- golang.org/x/net v0.34.0
- golang.org/x/oauth2 v0.25.0
- golang.org/x/sys v0.29.0
- golang.org/x/text v0.21.0
- gopkg.in/yaml.v2 v2.4.0
- iana-etc 20240318
- libidn2 2.3.7
- libunistring 1.2
- mailcap 2.1.54
- ncurses 6.4.20221231
- openssl 3.3.3
- readline 8.2p13
- stdlib go1.23.8
- tzdata 2025b
- victoriametrics 1.111.0
- xgcc 13.3.0
Download SBOMs
Usage
$
podman pull ghcr.io/armorred/victoriametrics:1.111
Verify Signature
$
cosign verify --key https://armorred.org/cosign.pub ghcr.io/armorred/victoriametrics:1.111