Can you track a bug from a Java class to its origin (e.g. a field in a JSP page)?

I need to track a bug e.g. SQL injection vulnerability from the Java class where a SQL select statement with username&password is being dynamically created, back to the origin of the input (i.e. eg username & password fields in a JSP page), so that I could try and exploit this vulnerability via black box testing. Does anyone have any resources/advice to what I should be looking at?

Thanks a lot