Jump to content

Connect SuperML | Leeroopedia MCP: Equip your AI agents with best practices, code verification, and debugging knowledge. Powered by Leeroo — building Organizational Superintelligence. Contact us at founders@leeroo.com.

Principle:Trailofbits Fickling Severity Classification

From Leeroopedia
Revision as of 17:44, 16 February 2026 by Admin (talk | contribs) (Auto-imported from principles/Trailofbits_Fickling_Severity_Classification.md)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Knowledge Sources
Domains Security, Risk_Assessment
Last Updated 2026-02-14 14:00 GMT

Overview

A graduated risk classification system that assigns a severity level to pickle analysis results on a six-level scale from safe to overtly malicious.

Description

Severity Classification provides a standardized vocabulary for communicating pickle file risk. Rather than a binary safe/unsafe determination, it uses six ordered levels that capture the spectrum of risk:

  1. LIKELY_SAFE (0) — No unsafe operations discovered
  2. POSSIBLY_UNSAFE (1) — Some unusual patterns detected
  3. SUSPICIOUS (2) — Suspicious patterns like unused variables
  4. LIKELY_UNSAFE (3) — Non-standard imports or tampered structure
  5. LIKELY_OVERTLY_MALICIOUS (4) — Imports from known-dangerous modules (os, subprocess)
  6. OVERTLY_MALICIOUS (5) — Direct calls to exec, eval, compile, or open

The aggregate severity of a set of analysis results is the maximum severity across all individual findings. This ensures that a single highly dangerous finding dominates the overall assessment.

Usage

Use this classification system when building decision logic around pickle safety scanning. Set severity thresholds for automated pipelines (e.g., block uploads with severity >= LIKELY_UNSAFE) and use the detailed levels for human review prioritization.

Theoretical Basis

The severity scale is an ordinal enumeration with numeric values enabling comparison:

# Pseudocode: Severity as ordered enum
aggregate_severity = max(
    result.severity for result in analysis_results
)

if aggregate_severity >= LIKELY_UNSAFE:
    block_file()
elif aggregate_severity >= SUSPICIOUS:
    flag_for_review()
else:
    allow_file()

Related Pages

Implemented By

Uses Heuristic

Page Connections

Double-click a node to navigate. Hold to expand connections.
Principle
Implementation
Heuristic
Environment