Yes indeed. A nice surprise to stumble upon my old blog post again here.
I don't think much has changed since then, most of the problems are still there in newer Java versions. And that's fine, in practice they don't hurt. Still imo interesting curiosities of the type system.
It would be possible to extend what FlowTracker does to also find SQL (or other) injection vulnerabilities. So it's possible the tool you're thinking of used a similar approach.
As I was developing FlowTracker, a lot of the work was driven by making tracking of specific example programs work.
I knew what result I was aiming for, but it was hard to predict what lower level mechanisms needed to be supported to make a specific example work. That often depended on internal implementation details of the JDK or libraries being used where the data was passing through.
But the HTML element linking back to the SQL script that added that data into the database wasn't like that.
I didn't expect or work towards it, that just happened, so it blew me away a little too and got me excited about what else this approach could accomplish.
I don't think much has changed since then, most of the problems are still there in newer Java versions. And that's fine, in practice they don't hurt. Still imo interesting curiosities of the type system.