Java Installations and License Risks
Dear JDisc friends,
As you might know, Oracle has recently changed its license terms for Java usage. Most people think of the Java virtual machine as free software. However, that was not always true and is definitely not true with Oracle’s recent changes.
In the good old days, you just went to the Java page and downloaded the JDK or JRE. You installed it and it was ready to use. But even then it was not always free. For instance, if you were using commercial features, you should have obtained a license for the Java installation. Sun Microsystems did not really enforce the license, but you were in fact not compliant if you used commercial features without licensing them.
Since January 2019, Oracle no longer offers public updates for commercial users of Java SE 8. That means no free updates for commercial use anymore! The same seems to be true if you are using the more recent versions Java 9, 10, 11 or above.
Just imagine you have an older (still free for commercial use) version of Java SE 8 installed. You might think you are fine. But if you have automatic updates activated, the auto-update feature might install the latest (not free) version of Java SE 8. So you might be non-compliant without knowing it.
Therefore, you need to know your Java installations in order to estimate your license risk! You need to know whether you are using an Oracle JVM, an IBM J9, a JRockit, an OpenJDK installation or an Azul Zulu/Zing JVM! Together with the version, you can then assess the risk for each Java installation!
JDisc Discovery can get detailed information about Java installations. As a prerequisite, we need access via "Remote Login" (on Windows via our agent and on Unix via SSH or, if you like it insecure, Telnet). Whenever we find a Java installation, we run a "java -version" command in order to get details about the vendor, the version and the edition.
Besides checking for Java installations, we also check for processes that run Java directly by using java.exe or indirectly by embedding the Java runtime into an application. When the JVM is embedded, we can’t get the Java command line parameters from the parent process. In this case, we use the jcmd command (if available) to determine the Java command line. Note that the Java command line might include the option that enables commercial features. In this case, even a "free" version of Java needs to be licensed.
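As an added illustration (not JDisc Discovery's own code), the following Python example shows how vendor, version and the commercial-features state can be derived from "java -version" output and a process command line. The function names, the sample outputs and the choice of the HotSpot flag -XX:+UnlockCommercialFeatures as "the option that enables commercial features" are assumptions of this example.

```python
import re

# Vendor markers in `java -version` output. Order matters: Azul, IBM and
# JRockit builds also print "OpenJDK" or "Java(TM) SE", so they go first.
VENDOR_MARKERS = [
    ("Azul", re.compile(r"\b(Zulu|Zing)\b")),
    ("IBM J9", re.compile(r"\bIBM J9\b")),
    ("JRockit", re.compile(r"\bJRockit\b")),
    ("OpenJDK", re.compile(r"\bOpenJDK\b")),
    ("Oracle", re.compile(r"Java\(TM\) SE Runtime Environment")),
]
UNLOCK = "UnlockCommercialFeatures"  # HotSpot flag name in Oracle JDK 7/8

def parse_java_version(output):
    """Extract vendor, major version and update level from `java -version`."""
    vendor = next((n for n, rx in VENDOR_MARKERS if rx.search(output)), "unknown")
    m = re.search(r'version "([^"]+)"', output)
    if not m:
        return {"vendor": vendor, "major": None, "update": None}
    raw = m.group(1)
    legacy = re.match(r"1\.(\d+)\.\d+(?:_(\d+))?", raw)  # e.g. 1.8.0_202
    if legacy:
        major, update = int(legacy.group(1)), int(legacy.group(2) or 0)
    else:  # e.g. 11.0.2, where the third number is the patch level
        parts = [int(p) for p in re.findall(r"\d+", raw)]
        major = parts[0] if parts else None
        update = parts[2] if len(parts) > 2 else 0
    return {"vendor": vendor, "major": major, "update": update}

def commercial_features(cmdline):
    """Return 'enabled', 'not enabled', or 'unknown' when no command line
    could be read (embedded JVM and no jcmd)."""
    if not cmdline:
        return "unknown"
    state = "not enabled"
    for arg in cmdline.split():  # a later flag overrides an earlier one
        if arg == "-XX:+" + UNLOCK:
            state = "enabled"
        elif arg == "-XX:-" + UNLOCK:
            state = "not enabled"
    return state

# Constructed sample outputs for this example, not taken from a real scan.
ORACLE_8 = ('java version "1.8.0_202"\n'
            'Java(TM) SE Runtime Environment (build 1.8.0_202-b08)')
ZULU_8 = ('openjdk version "1.8.0_202"\n'
          'OpenJDK Runtime Environment (Zulu 8.36.0.1-linux64) (build 1.8.0_202-b05)')
OPENJDK_11 = ('openjdk version "11.0.2" 2019-01-15\n'
              'OpenJDK Runtime Environment 18.9 (build 11.0.2+9)')
```

The three return values of commercial_features correspond to the red, green and blue process states described further down the page.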
Once you have scanned computers, JDisc Discovery evaluates the Java installations that it found and flags installations and processes at risk.
The screenshot above displays the Java installations on my "Java test machine from hell". I installed different versions and Java flavors. The installations marked with a red checkmark might be at risk and require further review.
The next screenshot displays the list of all Java processes that JDisc Discovery found on the device.
Processes with a green checkmark do not use commercial features. Processes in red definitely have the commercial features option enabled. We don’t have enough information to make a decision for processes marked with the blue icon.
The installation overview (Software > Java > Java Installations) provides an overview of all identified Java installations.
Finally, the Java process overview (Software > Java > Java Processes) lists all Java-related processes for the devices in your network.
As usual, it is key to be prepared for software audits. With this new feature, you have the raw data for your Java risk assessment at hand and this makes it easier to respond to claims that Oracle might have.
Just a final disclaimer:
Note that JDisc Discovery does not provide any legal advice on whether an installation is licensable or not. We read a lot of documents and license agreements and talked to Java license specialists in order to make our checks as accurate as possible. As usual, when it comes to software license management, JDisc Discovery gets you the raw data for your assessments. You must draw your conclusions on your own based on the discovered data.
This feature gets released with the coming build (5011) this week and I hope you like it. As usual, we are looking forward to getting feedback on this feature…