From 838768c76e887ce455f325c49e685a7046bd0107 Mon Sep 17 00:00:00 2001 From: Matt Riedemann Date: Thu, 9 May 2019 10:02:44 -0400 Subject: [PATCH] Fix bandit runs with 1.6.0 The -x option for bandit changed in 1.6.0 and now supports glob patterns so use that to correctly exclude test code from bandit scans. Since this change requires bandit>=1.6.0, we have to also fix the networkx requirement to pass the requirements-check job so that the networkx requirement matches what is in global-requirements from change I0a9700926c9a0db93e782c853c33f1aaee3d4876. Change-Id: I4fc1166daee5d8739296419216d11d684be27c0a Closes-Bug: #1828419
---
 requirements.txt | 4 +++-
 test-requirements.txt | 2 +-
 tox.ini | 4 ++--
 3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/requirements.txt b/requirements.txt
index 365539840..5694ed1f1 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -45,6 +45,8 @@ stevedore>=1.28.0 # Apache-2.0
 taskflow>=3.1.0 # Apache-2.0
 WebOb>=1.8.5 # MIT
 WSME>=0.9.2 # MIT
-networkx>=1.11 # BSD
+# NOTE(fdegir): NetworkX 2.3 dropped support for Python 2
+networkx>=1.11,<2.3;python_version<'3.0' # BSD
+networkx>=1.11;python_version>='3.4' # BSD
 microversion_parse>=0.2.1 # Apache-2.0
 futurist>=1.8.0 # Apache-2.0
diff --git a/test-requirements.txt b/test-requirements.txt
index a6810b6ac..1a5854f69 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -13,4 +13,4 @@ testscenarios>=0.5.0 # Apache-2.0/BSD
 testtools>=2.3.0 # MIT
 stestr>=2.0.0 # Apache-2.0
 os-api-ref>=1.4.0 # Apache-2.0
-bandit>=1.1.0 # Apache-2.0
+bandit>=1.6.0 # Apache-2.0
diff --git a/tox.ini b/tox.ini
index 0a8c5b926..da314ada3 100644
--- a/tox.ini
+++ b/tox.ini
@@ -25,7 +25,7 @@ basepython = python3
 commands =
  doc8 doc/source/ CONTRIBUTING.rst HACKING.rst README.rst
  flake8
- bandit -r watcher -x tests -n5 -ll -s B320
+ bandit -r watcher -x watcher/tests/* -n5 -ll -s B320
 
 [testenv:venv]
 basepython = python3
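Review bot: The bandit line in `[testenv:pep8]` now relies on 1.6.0's glob handling of `-x`, but nothing in tox.ini records that, and the identical command in `[testenv:bandit]` (the second tox.ini hunk) has to be kept in step by hand. As far as I know bandit does not report an exclude pattern that matches nothing, so a stale or mistyped `watcher/tests/*` would only show up as a change in what gets scanned. I would add a comment above `commands` in `[testenv:bandit]`, for example `# -x is a glob since bandit 1.6.0 (see test-requirements.txt); keep in sync with [testenv:pep8]`. The same comment is the natural place to say why `-s B320` is skipped and that `-ll` hides low-severity findings, since both narrow the gate and neither is explained in the visible lines.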
@@ -103,7 +103,7 @@ commands = sphinx-build -a -W -E -d releasenotes/build/doctrees -b html releasen
 [testenv:bandit]
 basepython = python3
 deps = -r{toxinidir}/test-requirements.txt
-commands = bandit -r watcher -x tests -n5 -ll -s B320
+commands = bandit -r watcher -x watcher/tests/* -n5 -ll -s B320
 
 [testenv:lower-constraints]
 basepython = python3