Hello Olivier,
Indeed, IPv6 are not covered by the current implementation of the rule in SonarJava. I consequently created the following ticket to handle them:
SONARJAVA-2783
Regarding the False Positives (FPs):
Rule S1313 is checking for "Vulnerabilities" in code, so by definition we expect such rules to have a relatively high rate of FPs. The last thing you want to let through is forgotten hardcoded IP addresses used for tests, for instance. We consider then that the responsibility of validating/invalidating the issues is given to the dev/auditors (security audit?). You will consequently probably be happy to learn that we are currently working on rethinking our approach regarding how vulnerabilities and security hotspots are handled in SonarQube. This is still ongoing work, at a very early stage, and future version of SonarQube will make things a bit clearer (and normally reduce the noise for devs). To follow development of the feature:
MMF-1266.
Now, and mainly for the reasons expressed before, the FPs on version numbers which occurs to have the adequate number of groups will stay as side effect of being on hardcoded strings. It's of course quite difficult to identify context in which the value is used, and we are not planning to update the rule to improve this aspect. We are also not going to white list the general broadcast (255.255.255.255), as we prefer to have a rule flagging everything, and let the responsibility to the security auditors to validate/invalidate the findings. Starting a white list of authorized IPs would also lead most probably to a maintenance hell.
Finally, and because this rule is making some noise while it should be considered as a hotspots, we are going to drop it from SonarWay. However, the change will only be visible with next release of SonarJava.
Cheers,
Michael