fix: replace zipfile with pyzipper in minimize_vmray_results.py so output archive is AES-encrypted

zipfile.ZipFile.setpassword() only affects reads, so the minimized archive was being written with unencrypted entries; writing encrypted entries requires pyzipper with WZ_AES encryption. Add pyzipper to the scripts optional dependencies.
This commit is contained in:
Willi Ballenthin
2026-04-22 22:19:59 +03:00
committed by Willi Ballenthin
parent e474e477f1
commit 604fae3519
3 changed files with 12 additions and 5 deletions
+1 -1
@@ -48,8 +48,8 @@
- fix: remove unreachable backports.functools_lru_cache fallback and dead dependency @williballenthin
- fix: Scopes.from_dict uses cls instead of self so subclasses return the correct type @williballenthin
- fix: correct wrong dict key in VMRay _compute_monitor_threads assertion (used thread_id instead of process_id) @williballenthin
fix: replace assert with isinstance guard in get_callee for invalid MethodSpec tokens @williballenthin
- fix: replace assert with isinstance guard in get_callee for invalid MethodSpec tokens @williballenthin
- fix: replace zipfile with pyzipper in minimize_vmray_results.py so output archive is AES-encrypted @williballenthin (SURF-88)
- fix: assign yara_strings/yara_condition to empty string when Some has cmin=0 to prevent UnboundLocalError @williballenthin (SURF-87)
- fix: parenthesize s_type checks in capa2yara.py so kid.name != "Some" guard applies to And/Or/Not uniformly @williballenthin (SURF-86)
- fix: correct operator precedence in FeatureRegexRegistryControlSetMatchIncomplete to avoid false positives on unrelated currentcontrolset patterns @williballenthin (SURF-85)
+1
@@ -163,6 +163,7 @@ scripts = [
"stix2==3.0.1",
"sarif_om==1.0.4",
"requests>=2.32.4",
"pyzipper>=0.3.6",
]
ghidra = [
"pyghidra>=3.0.0",
+10 -4
@@ -19,10 +19,11 @@ Extract files relevant to capa analysis from VMRay Analysis Archive and create a
import sys
import logging
import zipfile
import argparse
from pathlib import Path
import pyzipper
from capa.features.extractors.vmray import DEFAULT_ARCHIVE_PASSWORD, VMRayAnalysis
logger = logging.getLogger(__name__)
@@ -55,11 +56,16 @@ def main(argv=None):
sample_sha256: str = vmra.submission_meta.hash_values.sha256.lower()
new_zip_name = f"{analysis_archive.parent / analysis_archive.stem}_min.zip"
with zipfile.ZipFile(new_zip_name, "w") as new_zip:
with pyzipper.AESZipFile(
new_zip_name, "w", compression=pyzipper.ZIP_DEFLATED, encryption=pyzipper.WZ_AES
) as new_zip:
new_zip.setpassword(args.password.encode("ascii"))
new_zip.writestr("logs/summary_v2.json", sv2_json)
new_zip.writestr("logs/flog.xml", flog_xml)
new_zip.writestr(f"internal/static_analyses/{sample_sha256}/objects/files/{sample_sha256}", sample_file_buf)
new_zip.setpassword(args.password.encode("ascii"))
new_zip.writestr(
f"internal/static_analyses/{sample_sha256}/objects/files/{sample_sha256}",
sample_file_buf,
)
# ensure capa loads the minimized archive
assert isinstance(VMRayAnalysis(Path(new_zip_name)), VMRayAnalysis)
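Review bot: Nothing in the new code confirms the entries were actually encrypted, which is exactly the failure mode this commit fixes — the old setpassword()-then-writestr() sequence also produced a loadable archive, so the `VMRayAnalysis(Path(new_zip_name))` check at the end would have passed with plaintext entries. After the `with` block, reopen the archive and verify every entry carries the general-purpose-flag encryption bit, e.g. `with pyzipper.AESZipFile(new_zip_name) as check:` / `if not all(info.flag_bits & 0x1 for info in check.infolist()):` / `raise RuntimeError("minimized archive was not written encrypted")` — raising rather than asserting, since `assert` is stripped under `-O`. Separately, `args.password.encode("ascii")` raises UnicodeEncodeError for a non-ASCII password; if anything other than DEFAULT_ARCHIVE_PASSWORD is expected, encode with whatever VMRayAnalysis uses when reading, which is not visible here. If VMRayAnalysis opens the archive with DEFAULT_ARCHIVE_PASSWORD rather than args.password, the final load check will also fail whenever a custom password is supplied — worth confirming. main() starts and ends outside the hunk.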