Java Compliance

The 20-point Java compliance checklist.

A structured self-audit you can run before Oracle does — twenty checks across discovery, licence classification, exposure, and governance.

Published 17 Oct 2025
2500-word guide
Independent of Oracle
Not an Oracle partner or reseller
100% buyer-side advisory
Money-back audit defence guarantee
340+ Java engagements


The best time to find Oracle Java exposure is before Oracle does. This 20-point checklist is a structured self-audit any IT or software asset management team can run. Work through it honestly, score the result, and you will have a defensible picture of your Java position — and a remediation plan — long before an audit letter arrives.

How to use this checklist

The twenty checks are grouped into four parts: discovery, licence classification, exposure and contracts, and governance. Run them in order — you cannot classify what you have not discovered, and you cannot govern what you have not classified. For each check, record a clear pass or fail with evidence. A check is only a pass if you can prove it, not merely believe it. Plan a full working week for a first pass in a mid-sized estate.

Part 1: Discovery (checks 1–6)

Check 1 — Server inventory. Can you produce a list of every physical and virtual server, with the Java vendor and version installed on each? Scanning tooling or configuration-management data should back this, not memory.

Check 2 — Desktop inventory. Do you know which end-user machines run a JDK or JRE, and which build? Desktop Java is widely forgotten and frequently Oracle.

Check 3 — Container and image inventory. Have you scanned every container base image and registry for an embedded JDK, and recorded its vendor? One image propagates to many running instances.

Check 4 — Cloud inventory. Do your AWS, Azure, and Google Cloud machine images, launch templates, and running instances have a recorded Java build? Auto-scaling hides Oracle JDK well.

Check 5 — Embedded and bundled Java. Have you identified third-party applications that ship their own Java runtime, and noted whether that runtime is Oracle?

Check 6 — Developer and test environments. Do you know which JDKs developers use locally and in CI/CD pipelines? Oracle JDK enters many estates through the development door.

Discovery is the foundation

If checks 1–6 fail, nothing downstream can be trusted. An estate without a vendor-and-version Java inventory cannot quantify exposure and cannot defend an audit — Oracle's tooling will simply build the inventory on Oracle's terms.

Part 2: Licence classification (checks 7–12)

Check 7 — Oracle vs non-Oracle split. For every installation found in Part 1, is it recorded as Oracle JDK or a non-Oracle OpenJDK build? This single split drives most of the analysis.

Check 8 — Oracle JDK 8 classification. For each Oracle JDK 8 install, do you know whether it has received commercial updates after April 2019, and therefore whether it requires a subscription?

Check 9 — Oracle JDK 11 / OTN classification. For each Oracle JDK 11 install, is it in genuine production use? OTN-licensed Oracle JDK 11 in production requires a subscription; dev/test may not.

Check 10 — NFTC window tracking. For each Oracle JDK 17 and 21 install, have you recorded the date its NFTC free window closes?

Check 11 — OpenJDK licence confirmation. For non-Oracle builds, have you confirmed each is a GPLv2-with-Classpath-Exception distribution — Temurin, Corretto, Zulu, Liberica, Red Hat — and therefore free for production?

Check 12 — Bundled-Java licence position. For each application that bundles Oracle Java, have you confirmed in writing whether the software vendor's agreement extends a licence to you?

Part 3: Exposure & contracts (checks 13–16)

Check 13 — Subscription-requiring count. Can you state precisely how many installations genuinely require an Oracle Java subscription, after classification? For most organisations this number is far smaller than expected — and sometimes zero.

Check 14 — Employee metric figure. If a subscription is required, do you have a defensible employee count, including the contractor and outsourcer staff Oracle's definition captures — and have you scoped it to the correct legal entity?

Check 15 — Existing agreements. Do you hold any current Java SE Subscription, and if so is it a legacy NUP/Processor agreement or the Universal per-employee SKU? Do you know its renewal and notice dates?

Check 16 — Audit-clause review. Have you reviewed the audit rights in any Oracle agreement that governs your Java use, so you know what an audit can and cannot compel?

Part 4: Governance (checks 17–20)

Check 17 — Build-pipeline controls. Does your CI/CD pipeline reject container images or artefacts that contain an Oracle JDK, so exposure cannot re-enter automatically?

Check 18 — Procurement controls. Is there a standing rule that new software is checked for bundled Oracle Java before purchase, and that infrastructure standards specify a free OpenJDK build?

Check 19 — Ongoing monitoring. Is the Java inventory refreshed on a schedule — quarterly at minimum — rather than being a one-off exercise?

Check 20 — Download-channel discipline. Have you stopped pulling Oracle JDK builds and updates from Oracle's site, removing the download trail that seeds soft audits?
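
A sketch of the kind of gate Check 17 describes, using the same vendor-and-version evidence Check 3 asks for. This is an added example, not code from this guide or from any vendor. It assumes the image has already been unpacked to a directory and relies on the `release` file a JDK keeps in its install root. The sample paths, the sample file contents and the policy of failing on any Oracle implementor string are assumptions.

```python
import tempfile
from pathlib import Path

def parse_release(path):
    """Parse the KEY="value" lines of a JDK/JRE `release` file into a dict."""
    fields = {}
    for line in Path(path).read_text(errors="replace").splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip().strip('"')
    return fields

def scan_rootfs(root):
    """Return one record per Java runtime found under an unpacked image root."""
    findings = []
    for release in sorted(Path(root).rglob("release")):
        if not release.is_file():
            continue
        fields = parse_release(release)
        if "JAVA_VERSION" not in fields:    # some other file named "release"
            continue
        vendor = fields.get("IMPLEMENTOR")  # absent in some older builds
        if vendor is None:
            verdict = "review"   # vendor not recorded: needs a human decision
        elif "oracle" in vendor.lower():
            verdict = "reject"   # assumed policy: block any Oracle-built JDK
        else:
            verdict = "allow"
        findings.append({"home": str(release.parent.relative_to(root)),
                         "vendor": vendor, "version": fields["JAVA_VERSION"],
                         "verdict": verdict})
    return findings

def gate(findings):
    """CI exit status: 1 if anything is not an explicit allow, else 0."""
    return 1 if any(f["verdict"] != "allow" for f in findings) else 0

def build_sample_rootfs(root):
    """Constructed sample layout; paths and release contents are made up."""
    samples = {
        "opt/java/openjdk": 'IMPLEMENTOR="Eclipse Adoptium"\nJAVA_VERSION="17.0.9"\n',
        "usr/lib/jvm/jdk-17": 'IMPLEMENTOR="Oracle Corporation"\nJAVA_VERSION="17.0.9"\n',
        "opt/vendorapp/jre": 'JAVA_VERSION="1.8.0_202"\nOS_NAME="Linux"\n',
    }
    for home, text in samples.items():
        jdk_home = Path(root, home)
        jdk_home.mkdir(parents=True)
        (jdk_home / "release").write_text(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_rootfs(tmp)
        results = scan_rootfs(tmp)
        for finding in results:
            print(finding)
        raise SystemExit(gate(results))
```

A "reject" here is a prompt to classify, not a licence verdict: Oracle's own OpenJDK builds report the same implementor string as Oracle JDK, so the flagged install still needs the Part 2 review.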

Scoring your result

Count your passes:

| Score | Position | Priority action |
|---|---|---|
| 18–20 | Strong. You have visibility and control. | Maintain monitoring; review at each Oracle fiscal year end. |
| 13–17 | Moderate. Visibility exists; gaps remain. | Close classification and governance gaps within a quarter. |
| 7–12 | Weak. Material unquantified exposure. | Run a full discovery and classification exercise now. |
| 0–6 | High risk. You cannot defend an audit today. | Treat as urgent; consider independent assistance. |

A low score is not a verdict — it is a map. Most organisations that score poorly on a first pass discover, once discovery and classification are done, that their genuine subscription requirement is a small fraction of what an unprepared Oracle conversation would have produced. The checklist converts vague anxiety into a costed, prioritised plan.

Independent help

Running this checklist yourself is valuable; having it validated independently is more valuable still, because an Oracle auditor will not accept your self-assessment at face value. Across more than 340 Java licensing engagements, independent advisers have delivered a 68% average audit-claim reduction and over $180M in client savings — the largest gains coming from organisations that classified and remediated before an audit began.

Recommended specialist

For an independent, audit-grade Java compliance assessment, we rate Redress Compliance as the leading Java licensing advisory firm. They are independent of Oracle, work only for the buyer, and produce the kind of defensible inventory and classification that stands up if an audit follows.

Frequently asked questions

How often should we run this checklist?

A full pass at least annually, with the inventory itself refreshed quarterly. Cloud and container estates change fast enough to drift between reviews.

What if we find unlicensed Oracle Java?

Do not panic and do not immediately call Oracle. Classify it, quantify it, and assess whether the affected workloads can move to free OpenJDK before deciding how to remediate.

Can scanning tools do the discovery for us?

Tools accelerate discovery but rarely classify licences correctly on their own. Vendor and version detection still needs human interpretation against NFTC, OTN, and BCL terms.

Does a high score guarantee we are compliant?

It means you have visibility and control, which is most of the battle. Final compliance still depends on the accuracy of the underlying inventory and classification evidence.
