Cap bandit for stein and bump lower-constraints

The bandit package no longer supports python 2.7 in the latest version.
This patch caps the version of bandit to < 1.6.3.
Then we cannot allow >=1.6.3 as it requires a newer version of pyyaml
than the stein upper-constraints will allow.
Update tox config for new bandit release.

Change-Id: Iee2cdc7c149eedb3d62007e4815b3b94c1b0c49e

lower-constraints.txt

@@ -3,10 +3,10 @@ alembic==0.8.10
 amqp==2.2.2
 appdirs==1.4.3
 asn1crypto==0.24.0
-astroid==1.3.8
+astroid==1.6.0
 automaton==1.14.0
 Babel==2.3.4
-bandit==1.4.0
+bandit==1.1.0
 bcrypt==3.1.4
 beautifulsoup4==4.6.0
 cachetools==2.0.1
@@ -34,7 +34,7 @@ eventlet==0.20.0
 extras==1.0.0
 fasteners==0.14.1
 fixtures==3.0.0
-flake8==2.5.5
+flake8==2.6.2
 flake8-import-order==0.12
 Flask==0.10
 future==0.16.0
@@ -44,7 +44,7 @@ gitdb2==2.0.3
 GitPython==2.1.8
 greenlet==0.4.13
 gunicorn==19.0.0
-hacking==0.12.0
+hacking==1.1.0
 idna==2.6
 imagesize==1.0.0
 ipaddress==1.0.17
@@ -62,7 +62,7 @@ linecache2==1.0.0
 logilab-common==1.4.1
 logutils==0.3.5
 Mako==1.0.7
-MarkupSafe==1.0
+MarkupSafe==1.1.0
 mccabe==0.4.0
 mock==2.0.0
 monotonic==1.4
@@ -88,7 +88,7 @@ oslo.messaging==6.3.0
 oslo.middleware==3.31.0
 oslo.policy==1.30.0
 oslo.reports==1.18.0
-oslo.serialization==2.18.0
+oslo.serialization==2.28.1
 oslo.service==1.30.0
 oslo.upgradecheck==0.1.0
 oslo.utils==3.33.0
@@ -107,7 +107,7 @@ psutil==5.4.3
 pyasn1==0.1.8
 pyasn1-modules==0.0.6
 pycadf==2.7.0
-pycodestyle==2.3.1
+pycodestyle==2.0.0
 pycparser==2.18
 pydot==1.2.4
 pyflakes==1.0.0
@@ -166,7 +166,7 @@ urllib3==1.22
 vine==1.1.4
 voluptuous==0.11.1
 waitress==1.1.0
-warlock==1.3.0
+warlock==1.3.1
 WebOb==1.7.1
 WebTest==2.0.29
 Werkzeug==0.14.1

requirements.txt

@@ -25,7 +25,7 @@ oslo.messaging>=6.3.0 # Apache-2.0
 oslo.middleware>=3.31.0 # Apache-2.0
 oslo.policy>=1.30.0 # Apache-2.0
 oslo.reports>=1.18.0 # Apache-2.0
-oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0
+oslo.serialization>=2.28.1 # Apache-2.0
 oslo.upgradecheck>=0.1.0 # Apache-2.0
 oslo.utils>=3.33.0 # Apache-2.0
 pyasn1!=0.2.3,>=0.1.8 # BSD
@@ -38,7 +38,8 @@ pyOpenSSL>=17.1.0 # Apache-2.0
 WSME>=0.8.0 # MIT
 Jinja2>=2.10 # BSD License (3 clause)
 taskflow>=2.16.0 # Apache-2.0
-diskimage-builder!=1.6.0,!=1.7.0,!=1.7.1,>=1.1.2 # Apache-2.0
+diskimage-builder!=1.6.0,!=1.7.0,!=1.7.1,>=1.1.2,<3.0.0;python_version=='2.7' # Apache-2.0
+diskimage-builder!=1.6.0,!=1.7.0,!=1.7.1,>=1.1.2;python_version>='3.0' # Apache-2.0
 futures>=3.0.0;python_version=='2.7' or python_version=='2.6' # BSD
 castellan>=0.16.0 # Apache-2.0
 tenacity>=4.9.0  # Apache-2.0

test-requirements.txt

@@ -1,7 +1,7 @@
 # The order of packages is significant, because pip processes them in the order
 # of appearance. Changing the order has an impact on the overall integration
 # process, which may cause wedges in the gate later.
-hacking!=0.13.0,<0.14,>=0.12.0,<2 # Apache-2.0
+hacking>=1.1.0,<1.2.0 # Apache-2.0
 requests-mock>=1.2.0 # Apache-2.0
 coverage!=4.4,>=4.0 # Apache-2.0
 flake8-import-order==0.12 # LGPLv3
@@ -14,7 +14,7 @@ testtools>=2.2.0 # MIT
 testresources>=2.0.0 # Apache-2.0/BSD
 testscenarios>=0.4 # Apache-2.0/BSD
 doc8>=0.6.0 # Apache-2.0
-bandit>=1.1.0 # Apache-2.0
+bandit>=1.1.0,<1.6.0 # Apache-2.0
 tempest>=17.1.0 # Apache-2.0
 # Required for pep8 - doc8 tests
 sphinx!=1.6.6,!=1.6.7,>=1.6.2,<2.0.0;python_version=='2.7' # BSD

tox.ini

@@ -78,7 +78,7 @@ commands = flake8
            doc/source octavia  CONSTITUTION.rst HACKING.rst README.rst \
            TESTING.rst
            # Run security linter
-           bandit -r octavia -ll -ii -x 'octavia/tests/*'
+           {[testenv:bandit]commands}
            # Make sure specs follow our template
            find . -type f -name "*.pyc" -delete
            python -m unittest specs-tests.test_titles
@@ -137,7 +137,7 @@ commands =
 
 [testenv:bandit]
 basepython = python3
-commands = bandit -r octavia -ll -ii -x octavia/tests {posargs}
+commands = bandit -r octavia -ll -ii -x tests
 
 [flake8]
 ignore = H104