Bump bandit from 1.6.2 to 1.7.4 in /requirements

[dependabot]

Bumps bandit from 1.6.2 to 1.7.4.

Release notes

Sourced from bandit's releases.

1.7.4

What's Changed

• Fix traceback in hashlib_insecure_functions by @​ericwb in PyCQA/bandit#834
• Add version 1.7.3 to dropdown by @​ericwb in PyCQA/bandit#833
• core/config: Fix ConfigError missing argument if toml is missing by @​Holzhaus in PyCQA/bandit#845
• Add 1.7.4 in issue template by @​ericwb in PyCQA/bandit#846

New Contributors

• @​Holzhaus made their first contribution in PyCQA/bandit#845

Full Changelog: PyCQA/bandit@1.7.3...1.7.4

1.7.3

What's Changed

• Rely on toml conditionally by @​sigmavirus24 in PyCQA/bandit#780
• Update issue template with latest versions by @​ericwb in PyCQA/bandit#783
• Delete release-drafter.yml by @​ericwb in PyCQA/bandit#781
• Use released version of gh-action-pypi-publish by @​ericwb in PyCQA/bandit#784
• Update publish-to-pypi.yml by @​ericwb in PyCQA/bandit#785
• Delete releasenotes directory (more openstack leftovers) by @​ericwb in PyCQA/bandit#786
• [docs] Add Getting Started chapter (migrate from README) by @​bittner in PyCQA/bandit#773
• Including CWE information by @​julianthome in PyCQA/bandit#613
• Removal of the CWEMAP dict by @​ericwb in PyCQA/bandit#789
• Fix up warnings in output of tox by @​ericwb in PyCQA/bandit#793
• Avoid printing metrics as float point numbers by @​ericwb in PyCQA/bandit#794
• Add functional test of snmp_security_check by @​ericwb in PyCQA/bandit#791
• Disable individual tests by @​mikespallino in PyCQA/bandit#597
• Change up how CWE is formatted by @​ericwb in PyCQA/bandit#788
• Check value of usedforsecurity for hashlib by @​ericwb in PyCQA/bandit#798
• Remove redundant Python 3.6 code by @​ericwb in PyCQA/bandit#802
• Add new plugin to check use of pyghmi by @​ericwb in PyCQA/bandit#803
• Check for hardcoded passwords in class attributes by @​noliverio in PyCQA/bandit#766
• Better hashlib check for Python 3.9 by @​ericwb in PyCQA/bandit#805
• Fix references to the default branch name by @​ericwb in PyCQA/bandit#810
• Cleanup the README by @​ericwb in PyCQA/bandit#809
• Show usage with no arguments by @​ericwb in PyCQA/bandit#814
• Respect color environment variables if set by @​ericwb in PyCQA/bandit#813
• Cannot seek stdin on pipe by @​tylerwince in PyCQA/bandit#496
• Test on operating systems we can support by @​ericwb in PyCQA/bandit#804
• Fix up some warnings and errors in docs by @​ericwb in PyCQA/bandit#817
• Fix root doc for readthedocs by @​ericwb in PyCQA/bandit#818
• Use versioned links to docs by @​ericwb in PyCQA/bandit#819
• Use CWE link in HTML formatter by @​ericwb in PyCQA/bandit#825
• Improve performance of linerange by @​Krock21rus in PyCQA/bandit#629
• Inaccurate message in hashlib check by @​ericwb in PyCQA/bandit#827
• Target Python >= 3.7 in pre-commit hooks by @​mkniewallner in PyCQA/bandit#830
• Center the bandit logo in readme by @​ericwb in PyCQA/bandit#823
• Build of artifact fails if raw directive used by @​ericwb in PyCQA/bandit#831

New Contributors

... (truncated)

Commits

• 1ed7906 Add 1.7.4 in issue template (#846)
• 71bc67c core/config: Fix ConfigError missing argument if toml is missing (#845)
• fcde9b5 Add version 1.7.3 to dropdown (#833)
• fbaf2ce Fix traceback in hashlib_insecure_functions (#834)
• 20a0510 Build of artifact fails if raw directive used (#831)
• d8c7e3c Center the bandit logo in readme (#823)
• a65ae17 Target Python >= 3.7 in pre-commit hooks (#830)
• 09a6ace Inaccurate message in hashlib check (#827)
• 8bad6fa Improve performance of linerange (#629)
• 528c540 Use CWE link in HTML formatter (#825)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[wbarnha]

The tests here present compelling results that indicate we have some security features needing to be improved. I suggest we replace bandit==1.x.y with bandit since 1.7.4 is not available for Python 3.6. Support for 3.6 will cease at some point. But I think continually allowing upgrades to bandit in our pipeline is critical, despite the slight annoyances it will present.

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

[wbarnha]

@dependabot ignore this minor version

[dependabot]

OK, I won't notify you about version 1.7.x again, unless you re-open this PR. 😢