Adds Safety dependency vulnerability checks

This change adds dependency vulnerability checks into tox. These checks
are performed by the Safety package which checks requirements files
against a vulnerability database for any issues. If any vulnerabilities
are found, tox will fail its pep8 env.

Safety: https://pyup.io/safety/

Safety Repo: https://github.com/pyupio/safety

Safety Default Vulnerability DB: https://github.com/pyupio/safety-db

Depends on https://review.opendev.org/#/c/658133

Change-Id: Ief52dd664700374c0ebbb7a4ab1f64c9940abcde

requirements.txt

@@ -5,6 +5,6 @@ jsonschema==3.0.1
 openpyxl==2.5.4
 netaddr==0.7.19
 pyyaml==5.1
-requests==2.21.0
+requests==2.22.0
 
 git+https://opendev.org/airship/spyglass-plugin-xls.git#egg=spyglass-plugin-xls

test-requirements.txt

@@ -2,7 +2,8 @@
 yapf==0.27.0
 
 # Linting
-hacking>=1.1.0,<1.2.0 # Apache-2.0
+hacking>=1.1.0,<1.2.0  # Apache-2.0
 
 # Security
 bandit>=1.5.0
+safety>=1.8.5

tox.ini

@@ -34,9 +34,17 @@ commands =
   yapf -dr {toxinidir}/spyglass {toxinidir}/setup.py
   flake8 {toxinidir}/spyglass
   bandit -r spyglass -n 5
+  safety check -r requirements.txt --bare
 whitelist_externals =
   bash
 
+[testenv:safety]
+deps =
+    safety
+commands =
+    safety check -r {toxinidir}/requirements.txt --full-report
+    safety check -r {toxinidir}/test-requirements.txt --full-report
+
 [testenv:bandit]
 deps =
     bandit