Blacklist bandit 1.6.0 and cap Sphinx on Python2

There's a regression[0] in bandit 1.6.0 which causes bandit to stop
respecting excluded directories, and our tests throw a bunch of
violations. Blacklist this version, but allow newer versions as there is
already a pull request[1] to fix it, and I expect it will be included in
the next release.

Also fix the requirements job which was broken by
https://review.opendev.org/657890 adding a cap on Sphinx on Python 2.

[0] https://github.com/PyCQA/bandit/issues/488
[1] https://github.com/PyCQA/bandit/pull/489

Change-Id: Ieabcd4e8c5e5354125a63e89b9b60931c760858a
(cherry picked from commit 011fa22c42506e63229cca7e5fc65f81b6e0aabf)

1 files changed, 3 insertions, 2 deletions

diff --git a/test-requirements.txt b/test-requirements.txt
index 16e09fd26..9876d43a5 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -4,7 +4,7 @@
 
 # Hacking already pins down pep8, pyflakes and flake8
 hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0
-bandit>=1.1.0 # Apache-2.0
+bandit!=1.6.0,>=1.1.0 # Apache-2.0
 coverage!=4.4,>=4.0 # Apache-2.0
 fixtures>=3.0.0 # Apache-2.0/BSD
 kombu!=4.0.2,>=4.0.0 # BSD
@@ -17,7 +17,8 @@ os-testr>=1.0.0 # Apache-2.0
 oslotest>=3.2.0 # Apache-2.0
 qpid-python>=0.26;python_version=='2.7' # Apache-2.0
 psycopg2>=2.6.2 # LGPL/ZPL
-sphinx!=1.6.6,>=1.6.2 # BSD
+sphinx!=1.6.6,>=1.6.2;python_version>='3.4' # BSD
+sphinx!=1.6.6,>=1.6.2,<2.0.0;python_version=='2.7' # BSD
 testrepository>=0.0.18 # Apache-2.0/BSD
 testscenarios>=0.4 # Apache-2.0/BSD
 testtools>=2.2.0 # MIT