praetorian-cli 2.1.4__tar.gz → 2.2.0__tar.gz

{praetorian_cli-2.1.4/praetorian_cli.egg-info → praetorian_cli-2.2.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: praetorian-cli
-Version: 2.1.4
+Version: 2.2.0
 Summary: For interacting with the Chariot API
 Home-page: https://github.com/praetorian-inc/praetorian-cli
 Author: Praetorian
@@ -8,13 +8,15 @@ Author-email: support@praetorian.com
 Classifier: Programming Language :: Python :: 3
 Classifier: License :: OSI Approved :: MIT License
 Classifier: Operating System :: OS Independent
-Requires-Python: >=3.9
+Requires-Python: >=3.10
 Description-Content-Type: text/markdown
 License-File: LICENSE
 Requires-Dist: click>=8.1.7
 Requires-Dist: boto3>=1.34.0
 Requires-Dist: requests>=2.31.0
 Requires-Dist: pytest>=8.0.2
+Requires-Dist: mcp>=1.12.2
+Requires-Dist: anyio>=3.0.0
 Dynamic: license-file
 
 # Praetorian CLI and SDK

{praetorian_cli-2.1.4 → praetorian_cli-2.2.0}/praetorian_cli/handlers/add.py

@@ -6,7 +6,7 @@ import click
 from praetorian_cli.handlers.chariot import chariot
 from praetorian_cli.handlers.cli_decorators import cli_handler, praetorian_only
 from praetorian_cli.handlers.utils import error
-from praetorian_cli.sdk.model.globals import AddRisk, Asset, Seed
+from praetorian_cli.sdk.model.globals import AddRisk, Asset, Seed, Kind
 
 
 @chariot.group()
@@ -18,11 +18,12 @@ def add():
 @add.command()
 @cli_handler
 @click.option('-d', '--dns', required=True, help='The DNS of the asset')
-@click.option('-n', '--name', required=False, help='The name of the asset, e.g, IP address, GitHub repo URL')
+@click.option('-n', '--name', required=False, help='The name of the asset, e.g, IP address')
+@click.option('-t', '--type', 'asset_type', required=False, help='The type of the asset (asset, repository, etc.)', default=Kind.ASSET.value)
 @click.option('-s', '--status', type=click.Choice([s.value for s in Asset]), required=False,
               default=Asset.ACTIVE.value, help=f'Status of the asset', show_default=True)
 @click.option('-f', '--surface', required=False, default='', help=f'Attack surface of the asset', show_default=False)
-def asset(sdk, name, dns, status, surface):
+def asset(sdk, name, dns, asset_type, status, surface):
     """ Add an asset
 
     Add an asset to the Chariot database. This command requires a DNS name for the asset.
@@ -43,7 +44,7 @@ def asset(sdk, name, dns, status, surface):
     """
     if not name:
         name = dns
-    sdk.assets.add(dns, name, status, surface)
+    sdk.assets.add(dns, name, asset_type, status, surface)
 
 
 @add.command()

praetorian_cli-2.2.0/praetorian_cli/handlers/agent.py

@@ -0,0 +1,63 @@
+import click
+
+from praetorian_cli.handlers.chariot import chariot
+from praetorian_cli.handlers.cli_decorators import cli_handler
+
+
+@chariot.group()
+def agent():
+    """ A collection of AI features """
+    pass
+
+
+@agent.command()
+@cli_handler
+@click.argument('key')
+def affiliation(sdk, key):
+    """ Get affiliation data for risks and assets
+
+    The AI agent retrieves affiliation information for the asset or risk. This command
+    waits up to 3 minutes for the results.
+
+    \b
+    Example usages:
+        - praetorian chariot agent affiliation "#risk#www.praetorian.com#CVE-2024-1234"
+        - praetorian chariot agent affiliation "#asset#praetorian.com#www.praetorian.com"
+    """
+    click.echo("Polling for the affiliation data for up to 3 minutes.")
+    click.echo(sdk.agents.affiliation(key))
+
+@agent.group()
+def mcp():
+    """ Chariot's MCP server """
+    pass
+
+@mcp.command()
+@cli_handler
+@click.option('--allowed', '-a', type=str, multiple=True, default=['search_by_query', '*_list', '*_get'])
+def start(sdk, allowed):
+    """ Starts the Chariot MCP server
+
+    \b
+    Example usages:
+        - praetorian chariot agent mcp start
+        - praetorian chariot agent mcp start -a search_by_term -a risk_add
+        - praetorian chariot agent mcp start -a search_* -a risk_add
+    """
+    if len(allowed) == 0:
+        allowed = None
+    sdk.agents.start_mcp_server(allowed)
+
+@mcp.command()
+@click.option('--allowed', '-a', type=str, multiple=True, default=['search_by_query', '*_list', '*_get'])
+@cli_handler
+def tools(sdk, allowed):
+    """ Lists available mcp tools
+
+    \b
+    Example usages:
+        - praetorian chariot agent mcp tools
+        - praetorian chariot agent mcp tools -a search_* -a risk_add
+    """
+    for  tool in dict.keys(sdk.agents.list_mcp_tools(allowed)):
+        click.echo(tool)

{praetorian_cli-2.1.4 → praetorian_cli-2.2.0}/praetorian_cli/handlers/chariot.py

@@ -10,6 +10,8 @@ def chariot(click_context):
     """ Command group for interacting with the Chariot product """
     # Replace the click context (previously a Keychain instance) with a Chariot
     # instance, after creating it using the Keychain instance.
-    keychain = click_context.obj
-    chariot = Chariot(keychain=keychain)
+    keychain = click_context.obj['keychain']
+    proxy = click_context.obj['proxy']
+
+    chariot = Chariot(keychain=keychain, proxy=proxy)
     click_context.obj = chariot

{praetorian_cli-2.1.4 → praetorian_cli-2.2.0}/praetorian_cli/handlers/cli_decorators.py

@@ -52,7 +52,7 @@ def cli_handler(func):
     return func
 
 
-def list_params(filter_by, has_details=True, has_filter=True):
+def list_params(filter_by, has_details=True, has_filter=True, has_type=False):
     def decorator(func):
         func = pagination(func)
         func = cli_handler(func)
@@ -60,6 +60,8 @@ def list_params(filter_by, has_details=True, has_filter=True):
             func = click.option('-f', '--filter', default='', help=f'Filter by {filter_by}')(func)
         if has_details:
             func = click.option('-d', '--details', is_flag=True, default=False, help='Show detailed information')(func)
+        if has_type:
+            func = click.option('-t', '--type', "model_type", default='', help='Select only a subset by type')(func)
         return func
 
     return decorator

{praetorian_cli-2.1.4 → praetorian_cli-2.2.0}/praetorian_cli/handlers/get.py

@@ -270,15 +270,10 @@ def credential(chariot, credential_id, category, type, format, parameters):
         - praetorian chariot get credential aws-prod --category integration --type aws --format json
         - praetorian chariot get credential ssh-key-1 --category cloud --type ssh_key --format pem
     """
-    import json
     
     params = {}
     if parameters:
-        try:
-            params = json.loads(parameters)
-        except json.JSONDecodeError:
-            click.echo("Error: Invalid JSON format for parameters")
-            return
+        params = {key: value for key, value in parameters}
     
     result = chariot.credentials.get(credential_id, category, type, [format], **params)
     output = chariot.credentials.format_output(result)

{praetorian_cli-2.1.4 → praetorian_cli-2.2.0}/praetorian_cli/handlers/list.py

@@ -12,8 +12,8 @@ def list():
 
 
 @list.command()
-@list_params('DNS')
-def assets(chariot, filter, details, offset, page):
+@list_params('DNS', has_type=True)
+def assets(chariot, filter, model_type, details, offset, page):
     """ List assets
 
    	Retrieve and display a list of assets.
@@ -24,8 +24,9 @@ def assets(chariot, filter, details, offset, page):
         - praetorian chariot list assets --filter api.example.com
         - praetorian chariot list assets --details
         - praetorian chariot list assets --page all
+        - praetorian chariot list assets --type repository
     """
-    render_list_results(chariot.assets.list(filter, offset, pagination_size(page)), details)
+    render_list_results(chariot.assets.list(filter, model_type, offset, pagination_size(page)), details)
 
 
 @list.command()

{praetorian_cli-2.1.4 → praetorian_cli-2.2.0}/praetorian_cli/main.py

@@ -22,13 +22,14 @@ from praetorian_cli.sdk.keychain import Keychain
 @click.option('--profile', default='United States', help='The profile to use in the keychain file', show_default=True)
 @click.option('--account', default=None, help='Assume role into this account')
 @click.option('--debug', is_flag=True, default=False, help='Run the CLI in debug mode')
+@click.option('--proxy', default='', help='The proxy to use in the CLI')
 @click.pass_context
 @click.version_option()
-def main(click_context, profile, account, debug):
+def main(click_context, profile, account, debug, proxy):
     if debug:
         click.echo('Running in debug mode.')
     chariot.is_debug = debug
-    click_context.obj = Keychain(profile, account)
+    click_context.obj = {'keychain': Keychain(profile, account), 'proxy': proxy}
     praetorian_cli.handlers.script.load_dynamic_commands()
 
 

{praetorian_cli-2.1.4 → praetorian_cli-2.2.0}/praetorian_cli/sdk/chariot.py

@@ -1,6 +1,4 @@
-import json
-
-import requests
+import json, requests
 
 from praetorian_cli.sdk.entities.accounts import Accounts
 from praetorian_cli.sdk.entities.agents import Agents
@@ -28,7 +26,7 @@ from praetorian_cli.sdk.model.query import Query, my_params_to_query, DEFAULT_PA
 
 class Chariot:
 
-    def __init__(self, keychain: Keychain):
+    def __init__(self, keychain: Keychain, proxy: str=''):
         self.keychain = keychain
         self.assets = Assets(self)
         self.seeds = Seeds(self)
@@ -49,6 +47,23 @@ class Chariot:
         self.keys = Keys(self)
         self.capabilities = Capabilities(self)
         self.credentials = Credentials(self)
+        self.proxy = proxy
+
+        if self.proxy:
+            import urllib3
+            urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+    def _make_request(self, method: str, url: str, **kwargs) -> requests.Response:
+        """
+        Centralized method to make HTTP requests with proxy configuration.
+        Automatically applies proxy settings and verify=False if proxy is defined.
+        """
+
+        if self.proxy:
+            kwargs['proxies'] = {'http': self.proxy, 'https': self.proxy}
+            kwargs['verify'] = False
+
+        return requests.request(method, url, headers=self.keychain.headers(), **kwargs)
 
     def my(self, params: dict, pages=1) -> dict:
         final_resp = dict()
@@ -60,7 +75,7 @@ class Chariot:
 
         # The search is on data in DynamoDB, which uses DynamoDB's native offset format.
         for _ in range(pages):
-            resp = requests.get(self.url('/my'), params=params, headers=self.keychain.headers())
+            resp = self._make_request('GET', self.url('/my'), params=params)
             process_failure(resp)
             resp = resp.json()
             extend(final_resp, resp)
@@ -87,7 +102,7 @@ class Chariot:
         final_resp = dict()
 
         while pages > 0:
-            resp = requests.post(self.url('/my'), json=raw_query, params=params, headers=self.keychain.headers())
+            resp = self._make_request('POST', self.url('/my'), json=raw_query, params=params)
             if is_query_limit_failure(resp):
                 # In this block, the data size is too large for the number of records requested in raw_query['limit'].
                 # We need to halve the page size: LIMIT = LIMIT / 2
@@ -114,22 +129,22 @@ class Chariot:
         return final_resp
 
     def post(self, type: str, body: dict, params: dict = {}) -> dict:
-        resp = requests.post(self.url(f'/{type}'), json=body, params=params, headers=self.keychain.headers())
+        resp = self._make_request('POST', self.url(f'/{type}'), json=body, params=params)
         process_failure(resp)
         return resp.json()
 
     def put(self, type: str, body: dict, params: dict = {}) -> dict:
-        resp = requests.put(self.url(f'/{type}'), json=body, params=params, headers=self.keychain.headers())
+        resp = self._make_request('PUT', self.url(f'/{type}'), json=body, params=params)
         process_failure(resp)
         return resp.json()
 
     def get(self, type: str, params: dict = {}) -> dict:
-        resp = requests.get(self.url(f'/{type}'), params=params, headers=self.keychain.headers())
+        resp = self._make_request('GET', self.url(f'/{type}'), params=params)
         process_failure(resp)
         return resp.json()
 
     def delete(self, type: str, body: dict, params: dict) -> dict:
-        resp = requests.delete(self.url(f'/{type}'), json=body, params=params, headers=self.keychain.headers())
+        resp = self._make_request('DELETE', self.url(f'/{type}'), json=body, params=params)
         process_failure(resp)
         return resp.json()
 
@@ -149,14 +164,12 @@ class Chariot:
         return self.put(type, body, params)
 
     def link_account(self, username: str, value: str = '', config: dict = {}) -> dict:
-        resp = requests.post(self.url(f'/account/{username}'), json=dict(config=config, value=value),
-                             headers=self.keychain.headers())
+        resp = self._make_request('POST', self.url(f'/account/{username}'), json=dict(config=config, value=value))
         process_failure(resp)
         return resp.json()
 
     def unlink(self, username: str, value: str = '', config: dict = {}) -> dict:
-        resp = requests.delete(self.url(f'/account/{username}'), headers=self.keychain.headers(),
-                               json=dict(value=value, config=config))
+        resp = self._make_request('DELETE', self.url(f'/account/{username}'), json=dict(value=value, config=config))
         process_failure(resp)
         return resp.json()
 
@@ -170,8 +183,7 @@ class Chariot:
     def _upload(self, chariot_filepath: str, content: str) -> dict:
         # It is a two-step upload. The PUT request to the /file endpoint is to get a presigned URL for S3.
         # There is no data transfer.
-        presigned_url = requests.put(self.url('/file'), params=dict(name=chariot_filepath),
-                                     headers=self.keychain.headers())
+        presigned_url = self._make_request('PUT', self.url('/file'), params=dict(name=chariot_filepath))
         process_failure(presigned_url)
         resp = requests.put(presigned_url.json()['url'], data=content)
         process_failure(resp)
@@ -182,12 +194,12 @@ class Chariot:
         if global_:
             params |= GLOBAL_FLAG
 
-        resp = requests.get(self.url('/file'), params=params, allow_redirects=True, headers=self.keychain.headers())
+        resp = self._make_request('GET', self.url('/file'), params=params, allow_redirects=True)
         process_failure(resp)
         return resp.content
 
     def count(self, params: dict) -> dict:
-        resp = requests.get(self.url('/my/count'), params=params, headers=self.keychain.headers())
+        resp = self._make_request('GET', self.url('/my/count'), params=params)
         process_failure(resp)
         return resp.json()
 
@@ -196,11 +208,11 @@ class Chariot:
         return json.loads(self.download(f'enrichments/{type}/{filename}', True).decode('utf-8'))
 
     def purge(self):
-        requests.delete(self.url('/account/purge'), headers=self.keychain.headers())
+        self._make_request('DELETE', self.url('/account/purge'))
 
     def agent(self, agent: str, body: dict) -> dict:
         body = body | dict(agent=agent)
-        resp = requests.put(self.url('/agent'), json=body, headers=self.keychain.headers())
+        resp = self._make_request('PUT', self.url('/agent'), json=body)
         process_failure(resp)
         return resp.json()
 
@@ -210,7 +222,19 @@ class Chariot:
     def is_praetorian_user(self) -> bool:
         return self.keychain.username().endswith('@praetorian.com')
 
-
+    def start_mcp_server(self, allowable_tools=None):
+        """ Start MCP server exposing SDK methods as tools
+        
+        Arguments:
+        allowable_tools: list
+            Optional list of tool names to expose. If None, all tools are exposed.
+            Tool names should be in format 'entity.method' (e.g., 'assets.add', 'risks.list')
+        """
+        from praetorian_cli.sdk.mcp_server import MCPServer
+        import anyio
+        
+        server = MCPServer(self, allowable_tools)
+        return anyio.run(server.start)
 def is_query_limit_failure(response: requests.Response) -> bool:
     return response.status_code == 413 and 'reduce page size' in response.text
 

praetorian_cli-2.2.0/praetorian_cli/sdk/entities/accounts.py

@@ -0,0 +1,130 @@
+class Accounts:
+    """ The methods in this class are to be assessed from sdk.accounts, where sdk is an instance
+        of Chariot. """
+
+    def __init__(self, api):
+        self.api = api
+
+    def get(self, key):
+        """
+        Get details of an account by its exact key.
+
+        :param key: The exact key of the account to retrieve
+        :type key: str
+        :return: The matching account entity or None if not found
+        :rtype: dict or None
+        """
+        return self.api.search.by_exact_key(key)
+
+    def list(self, username_filter='', offset=None, pages=100000):
+        """
+        List accounts of collaborators and master accounts that the current principal can access.
+
+        Optionally filtered by username of the collaborators or the authorized accounts.
+        Filters out integration accounts (those without '@' in member field).
+
+        :param username_filter: Filter results by username of collaborators or authorized accounts
+        :type username_filter: str
+        :param offset: The offset of the page you want to retrieve results
+        :type offset: str or None
+        :param pages: The number of pages of results to retrieve. <mcp>Start with one page of results unless specifically requested.</mcp>
+        :type pages: int
+        :return: A tuple containing (list of matching account entities, next page offset)
+        :rtype: tuple
+        """
+        results, next_offset = self.api.search.by_key_prefix(f'#account#', offset, pages)
+
+        # filter out the integrations
+        results = [i for i in results if '@' in i['member']]
+
+        # filter for user emails
+        if username_filter:
+            results = [i for i in results if username_filter == i['name'] or username_filter == i['member']]
+
+        return results, next_offset
+
+    def add_collaborator(self, collaborator_email):
+        """
+        Add a collaborator to the account of the current principal.
+
+        :param collaborator_email: Email address of the collaborator to add
+        :type collaborator_email: str
+        :return: The created account entity with member information
+        :rtype: dict
+        """
+        return self.api.link_account(collaborator_email)
+
+    def delete_collaborator(self, collaborator_email):
+        """
+        Delete a collaborator from the account of the current principal.
+
+        :param collaborator_email: Email address of the collaborator to remove
+        :type collaborator_email: str
+        :return: The deleted account entity with member information
+        :rtype: dict
+        """
+        return self.api.unlink(collaborator_email)
+
+    def collaborators(self):
+        """
+        Return emails of all users that are collaborating with the current principal.
+
+        The current principal can be an assume-role account.
+
+        :return: List of collaborator email addresses
+        :rtype: list
+        """
+        accounts, _ = self.list()
+        return [a['member'] for a in accounts if a['name'] == self.current_principal()]
+
+    def authorized_accounts(self):
+        """
+        Return emails of all users that the current principal is authorized to access.
+
+        The current principal can be an assume-role account.
+
+        :return: List of authorized account email addresses
+        :rtype: list
+        """
+        accounts, _ = self.list()
+        return [a['name'] for a in accounts if a['member'] == self.current_principal()]
+
+    def assume_role(self, account_email):
+        """
+        Switch session to assume-role account.
+
+        :param account_email: Email address of the account to assume role into
+        :type account_email: str
+        :return: None
+        :rtype: None
+        """
+        self.api.keychain.assume_role(account_email)
+
+    def unassume_role(self):
+        """
+        Switch back to the login principal account.
+
+        :return: None
+        :rtype: None
+        """
+        self.api.keychain.unassume_role()
+
+    def current_principal(self):
+        """
+        Tell you which account the current session is operating on.
+
+        Returns the assume-role account if one is active, otherwise the login principal.
+
+        :return: Email address of the current principal account
+        :rtype: str
+        """
+        return self.api.keychain.account if self.api.keychain.account else self.api.keychain.username()
+
+    def login_principal(self):
+        """
+        Tell you the user account that is used to login, regardless of assume-role account.
+
+        :return: Email address of the login principal account
+        :rtype: str
+        """
+        return self.api.keychain.username()

{praetorian_cli-2.1.4 → praetorian_cli-2.2.0}/praetorian_cli/sdk/entities/agents.py

@@ -1,6 +1,8 @@
 from time import sleep, time
+import asyncio
 
 from praetorian_cli.sdk.model.globals import AgentType
+from praetorian_cli.sdk.mcp_server import MCPServer
 
 
 class Agents:
@@ -33,3 +35,11 @@ class Agents:
 
     def affiliation_result(self, key: str) -> dict:
         return self.api.files.get_utf8(self.affiliation_filename(AgentType.AFFILIATION.value, key))
+
+    def start_mcp_server(self, allowable_tools=None):
+        server = MCPServer(self.api, allowable_tools)
+        return asyncio.run(server.start())
+
+    def list_mcp_tools(self, allowable_tools=None):
+        server = MCPServer(self.api, allowable_tools)
+        return server.discovered_tools

praetorian_cli-2.2.0/praetorian_cli/sdk/entities/assets.py

@@ -0,0 +1,132 @@
+from praetorian_cli.sdk.model.globals import Asset, Kind
+from praetorian_cli.sdk.model.query import Relationship, Node, Query, asset_of_key, RISK_NODE, ATTRIBUTE_NODE
+
+
+class Assets:
+    """ The methods in this class are to be assessed from sdk.assets, where sdk is an instance
+    of Chariot. """
+
+    def __init__(self, api):
+        self.api = api
+
+    def add(self, group, identifier, type=Kind.ASSET.value, status=Asset.ACTIVE.value, surface=''):
+        """
+        Add an asset to the account.
+
+        :param group: The DNS or group identifier (e.g., domain name, repository URL)
+        :type group: str
+        :param identifier: The specific identifier (e.g., IP address, repository name)
+        :type identifier: str
+        :param type: Asset type from Kind enum (defaults to 'asset', can be 'addomain', 'repository')
+        :type type: str
+        :param status: Asset status from Asset enum ('A', 'F', 'D', 'P', 'FR')
+        :type status: str
+        :param surface: Attack surface classification (e.g., 'internal', 'external', 'web', 'api')
+        :type surface: str
+        :return: The asset that was added
+        :rtype: dict
+        """
+        return self.api.upsert('asset', dict(group=group, identifier=identifier, status=status, surface=[surface], type=type))[0]
+
+    def get(self, key, details=False):
+        """
+        Get details of an asset by key.
+
+        :param key: Entity key in format #asset#{dns}#{name}
+        :type key: str
+        :param details: Whether to fetch additional details like attributes and risks
+        :type details: bool
+        :return: The asset matching the specified key
+        :rtype: dict
+        """
+        asset = self.api.search.by_exact_key(key, details)
+        if asset and details:
+            asset['associated_risks'] = self.associated_risks(key)
+        return asset
+
+    def update(self, key, status=None, surface=None):
+        """
+        Update an asset.
+
+        :param key: Entity key in format #asset#{dns}#{name}. If you supply a prefix that matches multiple assets, all of them will be updated
+        :type key: str
+        :param status: Asset status from Asset enum ('A', 'F', 'D', 'P', 'FR'), if None status is not updated
+        :type status: str or None
+        :param surface: Attack surface classification (e.g., 'internal', 'external'), if None surface is not updated
+        :type surface: str or None
+        :return: None
+        :rtype: None
+        """
+        if status:
+            self.api.upsert('asset', dict(key=key, status=status))
+        if surface:
+            self.api.attributes.add(key, 'surface', surface)
+
+    def delete(self, key):
+        """
+        Delete an asset.
+
+        :param key: Entity key in format #asset#{dns}#{name}. If you supply a prefix that matches multiple assets, all of them will be deleted
+        :type key: str
+        :return: The asset that was deleted
+        :rtype: dict
+        """
+        return self.api.delete_by_key('asset', key)
+
+    def list(self, prefix_filter='', asset_type='', offset=None, pages=100000) -> tuple:
+        """
+        List assets.
+
+        :param prefix_filter: Supply this to perform prefix-filtering of the asset keys after the "#asset#" portion of the asset key. Asset keys read '#asset#{dns}#{name}'
+        :type prefix_filter: str
+        :param asset_type: The type of asset to filter by
+        :type asset_type: str
+        :param offset: The offset of the page you want to retrieve results. If this is not supplied, this function retrieves from the first page
+        :type offset: str or None
+        :param pages: The number of pages of results to retrieve. <mcp>Start with one page of results unless specifically requested.</mcp>
+        :type pages: int
+        :return: A tuple containing (list of assets, next page offset)
+        :rtype: tuple
+        """
+        dns_prefix = ''
+        if prefix_filter:
+            dns_prefix = f'group:{prefix_filter}'
+        if asset_type == '':
+            asset_type = Kind.ASSET.value
+        return self.api.search.by_term(dns_prefix, asset_type, offset, pages)
+
+    def attributes(self, key):
+        """
+        Get attributes associated with an asset.
+
+        :param key: Entity key in format #asset#{dns}#{name}
+        :type key: str
+        :return: List of attributes associated with the asset
+        :rtype: list
+        """
+        attributes, _ = self.api.search.by_source(key, Kind.ATTRIBUTE.value)
+        return attributes
+
+    def associated_risks(self, key):
+        """
+        Get risks associated with an asset.
+
+        :param key: Entity key in format #asset#{dns}#{name}
+        :type key: str
+        :return: List of risks associated with the asset (both directly and indirectly via attributes)
+        :rtype: list
+        """
+        # risks directly linked to the asset
+        risks_from_this = Relationship(Relationship.Label.HAS_VULNERABILITY, source=asset_of_key(key))
+        query = Query(Node(RISK_NODE, relationships=[risks_from_this]))
+        risks, _ = self.api.search.by_query(query)
+
+        # risks indirectly linked to this asset via asset attributes
+        attributes_from_this = Relationship(Relationship.Label.HAS_ATTRIBUTE, source=asset_of_key(key))
+        attributes = Node(ATTRIBUTE_NODE, relationships=[attributes_from_this])
+        risks_from_attributes = Relationship(Relationship.Label.HAS_VULNERABILITY, source=attributes)
+        query = Query(Node(RISK_NODE, relationships=[risks_from_attributes]))
+        indirect_risks, _ = self.api.search.by_query(query)
+
+        risks.extend(indirect_risks)
+        return risks