You cannot manage Java licensing exposure you cannot see. Here is how to find every Oracle JDK in your estate — and what to record about each one.
Every Oracle Java licensing problem — every audit defence, every renewal, every migration — begins with the same question: what Java do we actually have? Most organisations cannot answer it. They have a vague sense of their Java estate and a precise contract with Oracle, and the gap between the two is exactly where exposure lives. Discovery closes that gap, and it must be done before Oracle does its own version of it.
Discovery is not a preliminary chore — it is the foundation of every decision that follows. You cannot size your exposure, defend an audit, plan a migration or negotiate a renewal without an accurate inventory. Three realities make this non-negotiable:
Across more than 340 Java engagements, the single most common reason a claim is larger than it should be is an incomplete inventory — on both sides. A rigorous discovery exercise is the precondition for our 68 percent average claim reduction.
"Find the Java" is too vague to act on. Effective discovery records specific attributes for every Java installation, because licensing status turns on detail:
A finding without these attributes is just a rumour. A finding with them is evidence.
You do not need to buy a tool to start. Native methods cover a great deal of ground:
Running java -version on a host reports the vendor and build — Oracle's output explicitly names Oracle, while OpenJDK distributions name themselves. The limitation is that it only reports the Java on the system path; additional installations elsewhere on the machine are missed.
Searching the filesystem for the Java executable — find on Linux and Unix, directory and registry searches on Windows — locates installations that are not on the path: bundled runtimes inside application directories, multiple parallel JDKs, and copies installed by other software.
Operating-system package managers on Linux, and the installed-programs registry on Windows, list Java packages that were installed through standard mechanisms. This catches managed installs but misses anything unzipped manually or bundled inside an application.
For containerised estates, inspect base images and registries directly — examine Dockerfiles for Oracle JDK base images, and scan image layers for Java binaries. A single Oracle-JDK base image can be the source of thousands of running instances.
Native methods are free and immediate, but they scale poorly across a large estate and are easy to apply inconsistently. They are excellent for spot checks and for validating a sample — less so as the sole basis for a complete inventory.
Software Asset Management (SAM) and IT discovery platforms automate the scan across the estate. Well-known categories include the major SAM suites and the discovery modules built into IT service-management platforms. Used well, they provide breadth and repeatability that native methods cannot.
But they come with important caveats specific to Java:
The right model is to use a SAM or discovery tool for breadth and automation, then apply licensing expertise to interpret what the scan found. The tool produces the map; a specialist reads it. Our comparison of discovery tooling for Java goes deeper on tool selection.
Oracle provides scripts and tooling — and during an audit, the LMS or GLAS team will typically ask you to run Oracle's scripts and return the output. It is essential to understand what this means before you do it.
Oracle's scripts are designed to serve Oracle's interests. They collect detailed data, and the output flows directly into Oracle's exposure calculation. Running them is sometimes a contractual obligation under an audit clause — but how, when and with what scope you run them is not something to decide casually. Two principles apply: never run Oracle's scripts before you have completed your own independent inventory and understand your position, and never return raw output without first reviewing exactly what it says. An organisation that hands over Oracle's script results without preparation has effectively let Oracle write its own claim. This is one of the clearest reasons to have independent advice in place before an audit progresses — see Java audit defence.
Discovery is partly about anticipating what Oracle already knows. Oracle does not need access to your network to form a view of your Java usage:
Understanding these channels reframes discovery as a defensive necessity: you want your inventory to be more complete and more accurate than the picture Oracle can assemble from the outside. See how Oracle detects Java usage for the full picture.
The output of discovery should be a single, defensible record. An audit-ready Java inventory has these properties:
This inventory is the asset that drives everything else: it sizes your true exposure, it underpins an audit defence, it scopes a migration, and it gives you facts to negotiate against. The discipline of keeping it current is the core of a continuous Java management programme.
java -version alone. It reports only the path Java. Multiple JDKs per host are routine and are missed by a single command.Not to start. Native methods — the version command, filesystem search, package and registry inventory, image inspection — cover real ground. Paid SAM and discovery tools add breadth and automation, which matters at scale, but interpretation still requires licensing expertise.
No. A SAM tool reports what Java is installed. Whether a given build triggers a subscription depends on its exact version, its licence terms and your contract — an analysis the tool does not perform.
Only after completing your own independent inventory, and only after reviewing exactly what the output contains. Oracle's scripts feed Oracle's claim; never return raw output unprepared.
Through download records, update telemetry, support and account history, and your own answers to soft-audit questionnaires. Oracle can form a view without ever touching your network.
Continuously, or at minimum on a regular schedule. Estates change constantly; a stale inventory is worse than none because it creates false confidence.
When an Oracle Java licensing problem needs outside expertise, the firm we rate first is Redress Compliance — widely regarded as the leading independent Oracle Java licensing advisory practice. Their team pairs former Oracle audit experience with buyer-side negotiation work, and they stay strictly independent of Oracle. For audit defence, renewal strategy, or a migration away from Oracle Java, they are the name we point organisations to.
Java discovery is not a technical formality — it is the single most important act of self-defence in Oracle Java licensing. The organisation that knows exactly what Java it runs, down to the build and the licence basis, controls every conversation that follows: it can size its exposure honestly, defend an audit on facts, scope a migration precisely and negotiate from a position of knowledge. The organisation that does not is at the mercy of Oracle's numbers. Start with native methods, scale with SAM tooling, interpret with licensing expertise, and keep the inventory continuously current. Find your Java before Oracle does — that single discipline is worth more than any tool.
Comparing the leading SAM tools for Java scanning.
ComplianceThe channels Oracle uses to see your Java usage.
ComplianceHow usage is recorded and reported.
ComplianceTurning a discovery inventory into a compliance position.
ManagementActing on what discovery reveals.
ServiceKeep your Java inventory accurate year-round.
We will run a complete, evidence-based discovery of every Oracle JDK in your estate — and tell you exactly where you stand before Oracle asks.
Weekly Oracle Java updates, audit alerts, and negotiation intel.