Bump bandit and make oslo.messaging compatible with latest rules

- Apply a timeout to requests calls to avoid uncontrolled
  resource consumption (CWE-400) [1].
- Ignore CWE 377

[1] https://cwe.mitre.org/data/definitions/400.html
[2] https://cwe.mitre.org/data/definitions/377.html

Change-Id: Ic558ad392424a25b5fd9a10749163d8427159eda

oslo_messaging/_metrics/client.py

@@ -39,13 +39,14 @@ else:
     # we will facing an issue by trying to override the threading module.
     stdlib_threading = threading
 
+
 oslo_messaging_metrics = [
     cfg.BoolOpt('metrics_enabled', default=False,
                 help='Boolean to send rpc metrics to oslo.metrics.'),
     cfg.IntOpt('metrics_buffer_size', default=1000,
                help='Buffer size to store in oslo.messaging.'),
     cfg.StrOpt('metrics_socket_file',
-               default='/var/tmp/metrics_collector.sock',
+               default='/var/tmp/metrics_collector.sock',  # nosec
                help='Unix domain socket file to be used'
                     ' to send rpc related metrics'),
     cfg.StrOpt('metrics_process_name',

oslo_messaging/tests/functional/test_functional.py

@@ -590,7 +590,7 @@ class MetricsTestCase(utils.SkipIfNoTransportURL):
         client = group.client(1)
         client.add(increment=1)
         time.sleep(1)
-        r = requests.get('http://localhost:3000')
+        r = requests.get('http://localhost:3000', timeout=10)
         for line in r.text.split('\n'):
             if 'client_invocation_start_total{' in line:
                 self.assertEqual('1.0', line[-3:])

test-requirements.txt

@@ -26,7 +26,7 @@ coverage!=4.4,>=4.0 # Apache-2.0
 pyngus>=2.2.0 # Apache-2.0
 
 # Bandit security code scanner
-bandit>=1.6.0,<1.7.0 # Apache-2.0
+bandit>=1.7.0,<1.8.0 # Apache-2.0
 
 eventlet>=0.23.0 # MIT
 greenlet>=0.4.15 # MIT