Sink Tank

Sink Tank is a security tool for performing source/sink (taint) analysis on Java (bytecode) based applications. It is very much like the OWASP Lapse+ security tool, but has many advantages, including the following:

  • Lapse+ requires an outdated version of Eclipse to run it. Sink Tank is a standalone application that should run in any 1.7+ JVM.
  • Sink Tank is extremely fast.
  • Sink Tank will compile and analyze your JSPs, whereas Lapse+ will not.
  • Sink Tank finds sources and sinks that are derived from annotations. Lapse+ does not.
  • Sink Tank operates on bytecode, which means its analysis can include your entire application, including your application server and JRE libraries.
  • Sink Tank will decompile bytecode so you can view the source/sink paths (more a feature than an advantage, as Lapse+ operates on source code).
  • It appears Lapse+ has not been updated since 2012.
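To make the terms concrete, here is an added illustration (not code from the Sink Tank project) of the kind of source-to-sink path a taint analysis reports. The class names, the table name, and the `@QueryParam` example are assumptions chosen for the illustration: the untrusted value enters through a servlet request parameter (a classic source) and through a JAX-RS annotated parameter (an annotation-derived source, the kind the bullet list says Sink Tank recognises), and reaches a SQL execution call (the sink). The parameterized variant beside it is what a reviewer would expect the finding to be fixed to.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.QueryParam;

// Hypothetical class used only to illustrate a source/sink path.
public class UserLookup {

    // Source (API call): data taken from an HTTP request parameter is
    // attacker-controlled. Sink: Statement.executeQuery runs it as SQL.
    // A taint analysis reports the flow request -> name -> sql -> executeQuery.
    public ResultSet findByNameVulnerable(Connection conn, HttpServletRequest request)
            throws SQLException {
        String name = request.getParameter("name");                  // source
        String sql = "SELECT * FROM users WHERE name = '" + name + "'"; // taint propagates
        Statement st = conn.createStatement();
        return st.executeQuery(sql);                                  // sink
    }

    // Source (annotation-derived): the @QueryParam annotation, not a method
    // call, is what marks 'name' as coming from the request. A tool that
    // only recognises call-based sources would miss this path.
    @GET
    @Path("/user")
    public ResultSet findByNameAnnotated(Connection conn, @QueryParam("name") String name)
            throws SQLException {
        Statement st = conn.createStatement();
        return st.executeQuery("SELECT * FROM users WHERE name = '" + name + "'"); // sink
    }

    // Hardened form: the tainted value is bound as a parameter, so it never
    // becomes part of the SQL text. The source is still present, but the
    // sink (executeQuery with no tainted string) is no longer reached by it.
    public ResultSet findByNameSafe(Connection conn, HttpServletRequest request)
            throws SQLException {
        String name = request.getParameter("name");                  // source
        PreparedStatement ps =
                conn.prepareStatement("SELECT * FROM users WHERE name = ?");
        ps.setString(1, name);                                        // data, not code
        return ps.executeQuery();
    }
}
```

Because a bytecode-based analysis follows the compiled `invokevirtual`/`invokeinterface` calls rather than source text, the same flow is found whether the concatenation happens in this class, in a JSP that was compiled to a servlet, or inside a library on the classpath.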

Read the User Guide to find out more.

You can download the Sink Tank distribution here.