Now alerts about exposing exception.getMessage() in servlet responses are split out of java/stack-trace-exposure into its own alert java/error-message-exposure because this is a better fit.

java/ql/lib/semmle/code/java/dataflow/ApiSources.qll

@@ -19,5 +19,6 @@ private module AllApiSources {
   private import semmle.code.java.security.InsecureTrustManager
   private import semmle.code.java.security.JWT
   private import semmle.code.java.security.StackTraceExposureQuery
+  private import semmle.code.java.security.SensitiveDataExposureThroughErrorMessageQuery
   private import semmle.code.java.security.ZipSlipQuery
 }

java/ql/lib/semmle/code/java/security/SensitiveDataExposureThroughErrorMessageQuery.qll

@@ -0,0 +1,34 @@
+/** Provides predicates to reason about exposure of error messages. */
+
+import java
+private import semmle.code.java.dataflow.FlowSources
+private import semmle.code.java.security.InformationLeak
+
+/**
+ * A get message source node.
+ */
+private class GetMessageFlowSource extends ApiSourceNode {
+  GetMessageFlowSource() {
+    exists(Method method | this.asExpr().(MethodCall).getMethod() = method |
+      method.hasName("getMessage") and
+      method.hasNoParameters() and
+      method.getDeclaringType().hasQualifiedName("java.lang", "Throwable")
+    )
+  }
+}
+
+private module GetMessageFlowSourceToHttpResponseSinkFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) { src instanceof GetMessageFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof InformationLeakSink }
+}
+
+private module GetMessageFlowSourceToHttpResponseSinkFlow =
+  TaintTracking::Global<GetMessageFlowSourceToHttpResponseSinkFlowConfig>;
+
+/**
+ * Holds if there is a call to `getMessage()` that then flows to a servlet response.
+ */
+predicate getMessageFlowsExternally(DataFlow::Node externalExpr, GetMessageFlowSource getMessage) {
+  GetMessageFlowSourceToHttpResponseSinkFlow::flow(getMessage, externalExpr)
+}

java/ql/lib/semmle/code/java/security/StackTraceExposureQuery.qll

@@ -93,32 +93,3 @@ predicate stringifiedStackFlowsExternally(DataFlow::Node externalExpr, Expr stac
     StackTraceStringToHttpResponseSinkFlow::flow(DataFlow::exprNode(stackTraceString), externalExpr)
   )
 }
-
-/**
- * A get message source node.
- */
-private class GetMessageFlowSource extends ApiSourceNode {
-  GetMessageFlowSource() {
-    exists(Method method | this.asExpr().(MethodCall).getMethod() = method |
-      method.hasName("getMessage") and
-      method.hasNoParameters() and
-      method.getDeclaringType().hasQualifiedName("java.lang", "Throwable")
-    )
-  }
-}
-
-private module GetMessageFlowSourceToHttpResponseSinkFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node src) { src instanceof GetMessageFlowSource }
-
-  predicate isSink(DataFlow::Node sink) { sink instanceof InformationLeakSink }
-}
-
-private module GetMessageFlowSourceToHttpResponseSinkFlow =
-  TaintTracking::Global<GetMessageFlowSourceToHttpResponseSinkFlowConfig>;
-
-/**
- * Holds if there is a call to `getMessage()` that then flows to a servlet response.
- */
-predicate getMessageFlowsExternally(DataFlow::Node externalExpr, GetMessageFlowSource getMessage) {
-  GetMessageFlowSourceToHttpResponseSinkFlow::flow(getMessage, externalExpr)
-}