[stable-only] Cap bandit and fix lower-constraints

The 1.6.3 [1] release has dropped support for py2 [2] but the release
is faulty and pip still picks it up for py2 [3][4], so cap to 1.6.2
when using py2.

Contradicting hacking version replaced (in lower-constraints.txt to
match with test-requirements.txt).

[1] https://github.com/PyCQA/bandit/releases/tag/1.6.3
[2] https://github.com/PyCQA/bandit/pull/615
[3] https://github.com/PyCQA/bandit/issues/663
[4] https://github.com/PyCQA/bandit/issues/665

Change-Id: I2df0f9778b029ea369492649041ed375dccef2a7

lower-constraints.txt

@@ -1,5 +1,5 @@
 bandit==1.4.0
-hacking==0.12.0
+hacking==1.1.0
 keystoneauth1==3.9.0
 oslo.config==5.2.0
 oslo.i18n==3.15.3

test-requirements.txt

@@ -7,4 +7,4 @@ oslotest>=3.2.0 # Apache-2.0
 stestr>=1.0.0 # Apache-2.0
 
 # Bandit security code scanner
-bandit>=1.4.0 # Apache-2.0
+bandit>=1.4.0,<=1.6.2 # Apache-2.0