The most consequential question in Java discovery is also the easiest to answer wrong: is an install licensable Oracle Java or a free OpenJDK distribution. This is a buyer side guide to telling them apart accurately, because in 2026 the distinction decides your bill.
Oracle Java and a free OpenJDK distribution run the same applications and report similar versions, yet only one may carry a license obligation. Read the vendor identifier on every install, corroborate with path and packaging, and record update history, so a raw frightening count collapses into the true licensable set.
The most consequential question in Java discovery is also the one most easily answered wrong: is a given install Oracle Java, which may carry a license obligation, or a free OpenJDK distribution, which does not. Both run the same applications, both report similar version numbers, and both are simply called Java in casual use. Yet in 2026 the difference between them can be the difference between a contained number and a subscription priced across your entire workforce. Since January 2023 Oracle has charged per employee, counting every full time and part time employee, every contractor, and every temporary worker, at list rates from 5.25 to 15.00 dollars per employee per month. A free distribution carries none of that. Telling the two apart accurately is the heart of a defensible inventory.
The confusion is understandable, because Oracle Java and OpenJDK share a common origin and are functionally compatible. But functional sameness does not mean commercial sameness. An OpenJDK build from a free distribution can run your workload identically to Oracle Java while costing nothing, and a great deal of buyer side savings comes simply from recognizing how much of an estate is already on the free side of the line.
The fastest reliable signal is the runtime's own version output. Querying the runtime returns a version string and, crucially, a vendor identifier. Oracle Java identifies its vendor as Oracle. A free distribution names its own provider instead. This vendor field, not the version number, is the primary tell, because the version number alone can look identical across distributions. Capture the full output for every install during discovery, because the vendor line is the single most useful piece of evidence you can record, and it is the line an auditor will look for too.
Record the vendor identifier for every Java install, not just the version. The vendor line is what separates a licensable Oracle Java runtime from a free distribution, and an inventory without it cannot tell exposure from noise.
Beyond the version string, where and how a runtime was installed carries information. Oracle Java installed from Oracle's own packages tends to land in recognizable locations and registers itself in characteristic ways. Free distributions installed through package managers or shipped inside applications sit elsewhere. None of these clues is conclusive on its own, which is why the vendor identifier remains primary, but together they help you classify the ambiguous cases and spot installs that warrant a closer look. Treat path and packaging as corroboration, not proof.
Even when an install is genuinely Oracle Java, whether it creates a current obligation can depend on its update history. Before April 2019, Java SE updates were effectively free for most commercial use, and April 2019 ended free public updates for Java SE 8. The points at which Oracle began charging matter, because an Oracle Java runtime that took only updates from the free era sits in a different position than one patched with updates Oracle now charges for. Recording the update level, not just the major version, lets you reason about this accurately rather than conceding every Oracle branded install as a paid obligation.
| Signal | What it tells you | Reliability |
|---|---|---|
| Vendor identifier | Oracle or a free provider | Primary |
| Install path | How it was deployed | Corroborating |
| Update level | Which update stream was taken | Shapes obligation |
| Packaging source | Oracle package or distribution | Corroborating |
Consider an anonymized healthcare provider whose first raw scan reported thousands of Java installs and a frightening notional exposure. By capturing the vendor identifier on each one, the provider found that the overwhelming majority were free distributions deployed through standard packaging, with genuine Oracle Java present on only a few hundred hosts. Of those, many ran versions whose update history placed them in a defensible position. The real licensable set was a fraction of the raw count. The figures are indicative, but the collapse from raw count to true exposure came entirely from reading the vendor line correctly.
It is worth naming the dynamic plainly. An undifferentiated Java count always favors Oracle, because every install looks like a potential obligation until proven otherwise. The buyer side response is to insist on the distinction at every install, so that the conversation is about the genuine Oracle Java set, not the total Java set. When you can show, install by install, which runtimes are Oracle and which are free, you take away the single most effective lever an auditor has, the implication that all of it might be licensable. Precision here is not pedantry, it is defense.
Classification is not an end in itself, it is the map for a migration. Once you know which installs are genuinely Oracle Java and which are already free, the path forward is to reduce the Oracle Java set deliberately. Many Oracle Java installs run workloads that a free OpenJDK distribution would serve identically, because the two are functionally compatible. Moving those workloads to a free distribution removes them from the licensable set entirely, shrinking the population Oracle can price. The classification work tells you exactly which installs are candidates, because it has already recorded the workload each one serves. What remains after migration is the genuine residual, the Oracle Java that a specific requirement truly demands, and that residual is what you size a contained subscription against. Without accurate classification, migration is guesswork. With it, migration is a targeted operation that converts a frightening Oracle Java count into a small, defensible one.
It is not enough to know the difference between Oracle Java and a free distribution. You have to be able to show it. For every install you classify as a free distribution, retain the evidence, the captured vendor identifier, the packaging source, and the install path, so that an audit finding can be answered with a record rather than an argument. An auditor who asserts that a given runtime is licensable Oracle Java can be met immediately with your captured evidence that it is a free distribution from a named provider. This documentation turns classification from an internal belief into a defensible position, and it is what allows you to dispute an inflated finding on the spot. The same record also protects you over time, because the three year lookback in the 2026 audits reaches back further than memory, and a captured vendor line from a past sweep is far stronger evidence than a recollection of what was installed.
Some installs resist easy classification, particularly older runtimes with sparse metadata or embedded copies inside vendor software. Rather than guessing in Oracle's favor or your own, treat these as a defined queue to resolve with care. Cross reference the version string, the install path, the packaging, and where possible the deployment history to reach a defensible conclusion, and document the reasoning. Where a runtime is embedded in a third party product, the licensing answer may depend on the application vendor's own arrangement rather than on your direct obligation, which is a separate question worth resolving deliberately. The goal is never to manufacture certainty that does not exist, but to ensure that every install lands in a classification you can defend, with the evidence behind it recorded. An honest, documented uncertainty handled deliberately is far stronger in an audit than a confident guess that cannot be supported.
One reason the Oracle Java versus OpenJDK distinction is so valuable is that, for the large majority of workloads, a free distribution is a genuine substitute rather than a compromise. Oracle Java and the leading free OpenJDK distributions are built from the same source base and are functionally compatible, which means an application that runs on one almost always runs on the other without modification. That compatibility is what makes migration a realistic lever rather than a theoretical one. When classification shows that an install is Oracle Java but the workload has no specific need for an Oracle branded runtime or Oracle's update stream, moving it to a free distribution removes the obligation at little technical cost. The cases where Oracle Java is genuinely required are narrower than most organizations assume, typically tied to a specific support arrangement, a certified configuration, or a workload that demands Oracle's current security updates. Recognizing how broadly the free substitute applies is what lets you shrink the licensable set with confidence, and accurate classification is what tells you exactly where the substitute is safe and where a real requirement remains.
Distinguishing Oracle Java from OpenJDK in the wild is what turns a raw, frightening Java count into a true, defensible exposure. Read the vendor identifier first, corroborate with install path and packaging, record the update level to reason about obligation, and refuse to let an undifferentiated count stand. For the tooling that captures these signals, read tools for detecting Oracle Java installations, and for the runtimes hiding inside vendor software, see discovering Java inside third party applications. To download the full method, read our Oracle Java licensing guide for 2026.
Download our Oracle Java licensing guide for 2026 to see exactly how to classify every install and collapse a raw Java count into a true, defensible exposure number.
Download the guideFixed Fee from $18,000 or Gainshare, a share of verified savings or avoided exposure with zero retainer and no risk to you. We sit between you and Oracle and we never take vendor money.
Get a QuoteWeekly intelligence on Oracle Java licensing moves and the buyer side defenses that work.