Bump bandit

Address incompatibility with Python 3.8, which happens due to the older
bandit's use of the private '_ast' module instead of 'ast' [1] and the
deprecated 'Num' having been removed from the former. The bump requires
an additional nosec for a line that is misidentified as a hardcoded
password.

A note about requirements ordering is removed as it hasn't been relevant
since pip 20.3 introduced the new dependency resolver.

[1] 09b0207e2b

Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
Change-Id: Icaaa3a2e24429bba5cf70c04062cfa5820c8a1bf
Stephen Finucane 2023-12-18 10:11:05 +00:00
parent b5ddc0732e
commit 9df23dc6a8
2 changed files with 2 additions and 6 deletions


@ -504,7 +504,7 @@ class OidcDeviceAuthorization(_OidcBase):
:type code_challenge_method: string
"""
# RFC 8628 only allows to retrieve an access_token
self.access_token_type = 'access_token'
self.access_token_type = 'access_token' # nosec B105
self.device_authorization_endpoint = device_authorization_endpoint
self.code_challenge_method = code_challenge_method
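
Review bot: the `# nosec B105` added on the `self.access_token_type = 'access_token'` line gives no reason for the suppression. The comment above it explains the RFC 8628 restriction but not why the finding is a false positive, so consider extending the inline comment, for example `# nosec B105 - token type name, not a credential`, so that a later audit of suppressions does not have to re-derive it. Scoping the suppression to B105 rather than using a bare `# nosec` is the right choice and should stay.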


@ -1,12 +1,8 @@
# The order of packages is significant, because pip processes them in the order
# of appearance. Changing the order has an impact on the overall integration
# process, which may cause wedges in the gate later.
hacking~=4.1.0 # Apache-2.0
flake8-docstrings~=1.6.0 # MIT
flake8-import-order>=0.17.1 #LGPLv3
bandit~=1.7.6 # Apache-2.0
bandit<1.6.0,>=1.1.0 # Apache-2.0
coverage!=4.4,>=4.0 # Apache-2.0
fixtures>=3.0.0 # Apache-2.0/BSD
oslo.config>=5.2.0 # Apache-2.0
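
Review bot: `bandit~=1.7.6` accepts any 1.7.x release from 1.7.6 upward, so a later patch release that adds or changes a check can still bring new findings into the gate without any change in this repository, much as this bump needed a new `# nosec B105`. If that is acceptable, leave it; otherwise pin exactly with `bandit==1.7.6` and bump deliberately. Removing the ordering comment matches the commit message and needs no further change.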