Java Audit Defense

Why you should never run Oracle's Java audit script blindly

When an Oracle Java audit opens, you are often asked to run a discovery script and return the output. That script is not a neutral inventory tool. It builds the raw material for Oracle's claim, and the buyer who runs it blindly hands over the very inputs used to size the bill.

When an Oracle Java audit opens, one of the first requests is usually that you run a discovery or measurement script across your estate and return the output. It is framed as routine, a simple way to see what is installed. It is not neutral. The script produces the raw material for Oracle's claim, and a buyer who runs it without understanding what it captures hands Oracle the inputs that size the bill. The right move is to understand exactly what any script does before it touches a single machine.

This article is part of the playbook in the Java Audit Survival Guide, the buyer side pillar on defending an Oracle Java audit end to end.

What the script is actually doing

An Oracle Java measurement script scans for Java installations across the machines it can reach. It records the vendor, the version, the install path, the update level, and often the date the binary appeared. It does not stop at Oracle Java SE. It will frequently report every Java runtime it finds, including free OpenJDK distributions that carry no Oracle license obligation at all. The output is a long list, and on its own that list looks alarming, because it makes no distinction between what you owe for and what you do not.

That lack of distinction is the problem. Oracle's claim runs on the assumption that any Java it can point to is Oracle Java SE under the Universal Subscription. A raw script output, handed over without analysis, lets that assumption stand. You have effectively agreed to the broadest reading of your own estate before any negotiation begins.

Why blind output inflates the claim

Since January 2023, Oracle Java SE has been sold as the Universal Subscription, priced on a per-employee metric. The metric counts every full-time and part-time employee, every contractor, and every temporary worker, regardless of who actually uses Java. List pricing runs from 5.25 to 15.00 dollars per employee per month, stepping down through volume bands. The audit claim is roughly your counted population times the list rate times whatever discount Oracle offers, extended across a three-year lookback.

Notice that the deployment list does not set the price. The population does. So why does Oracle want the script output so badly? Because a sprawling install list, especially one that shows Java on many machines, is used to argue that you need the subscription across the whole organisation. The script does not prove who must be counted, but in a blind handover it becomes the story that justifies counting everyone. The discipline of holding back unscoped data is covered in "the data Oracle requests in a Java audit and what to withhold".

The five things to check before any script runs

If a script is going to run at all, it runs on your terms, on your timeline, and you see the output first. Before that happens, establish the following:

| What the script reports | How Oracle reads it | The buyer correction |
| --- | --- | --- |
| Every Java install on every reachable machine | Evidence of broad Oracle Java SE use | Separate Oracle Java SE from free OpenJDK runtimes |
| Install dates going back years | Use across the full three year lookback | Match to dated removal and migration records |
| Machine count across the global estate | Justification to count the whole population | Bound to the contracting entity only |
| Version and update level | Proof a paid subscription is required | Confirm which versions actually need a paid update |

You are not obliged to run Oracle's tooling

A common misunderstanding is that a script request is a command. In most agreements it is not. Your obligations are defined by the audit clause in your contract, which typically entitles Oracle to reasonable information, not to run arbitrary tooling across your network or to receive an unfiltered export. You can usually meet a legitimate request with your own verified inventory, scoped to the contracting entity and reviewed before it leaves your hands. That keeps the measurement under your control while still answering what the contract genuinely requires.

Indicative worked example. A mid-sized financial services firm was asked to run an Oracle measurement script across its full estate and return the raw output. Instead it scoped the request to the contracting entity, produced its own verified inventory, and separated Oracle Java SE from the free distribution running on most servers. The chargeable footprint that reached the table was a small fraction of what the blind script output would have implied. Figures are indicative.

Run your own inventory first

The buyer-side move is to inventory your own estate before Oracle ever asks, using tooling you control, and to keep that record current. A clean internal inventory does three things. It tells you your real exposure before any conversation, so you negotiate from knowledge. It lets you answer a data request with a verified, scoped figure rather than a raw dump. And it separates Oracle Java SE from free distributions at the source, which is the single most valuable distinction in the whole audit. Holding your own evidence is also the foundation of refusing to volunteer the wrong thing, a discipline detailed in "what you should never volunteer in a Java audit".
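A minimal sketch of such an inventory, added here as an illustration and not taken from this article or from any Oracle tooling. It assumes each runtime ships a `release` file carrying `JAVA_VERSION` and, on newer builds, `IMPLEMENTOR`; the function names, bucket labels and sample tree are hypothetical, and the buckets are triage for review, not a licensing determination.

```python
import os
import tempfile

def parse_release(path):
    """Parse the KEY="value" lines of a JDK/JRE `release` file into a dict."""
    fields = {}
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            key, sep, value = line.strip().partition("=")
            if sep:
                fields[key.strip()] = value.strip().strip('"')
    return fields

def classify(fields):
    """Bucket a runtime by the vendor it declares (assumed IMPLEMENTOR key)."""
    vendor = fields.get("IMPLEMENTOR")
    if vendor is None:
        return "unknown-vendor"   # key absent (e.g. older builds): review by hand
    if "oracle" in vendor.lower():
        return "oracle-review"    # Oracle-built: confirm which build and licence applies
    return "other-vendor"

def inventory(roots):
    """Walk only the roots you scoped in; return one record per runtime found."""
    records = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            if "release" in files:
                fields = parse_release(os.path.join(dirpath, "release"))
                if "JAVA_VERSION" in fields:  # ignore other products' release files
                    records.append({"path": dirpath, "version": fields["JAVA_VERSION"],
                                    "vendor": fields.get("IMPLEMENTOR", ""), "bucket": classify(fields)})
    return sorted(records, key=lambda r: r["path"])

def demo():
    """Build a constructed three-runtime tree in a temp dir and inventory it."""
    samples = {  # constructed sample data, not output from a real estate
        "app1/jdk-17": 'IMPLEMENTOR="Eclipse Adoptium"\nJAVA_VERSION="17.0.9"\n',
        "app2/jdk-11": 'IMPLEMENTOR="Oracle Corporation"\nJAVA_VERSION="11.0.21"\n',
        "legacy/jre8": 'JAVA_VERSION="1.8.0_202"\nOS_NAME="Linux"\n',
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            os.makedirs(os.path.join(tmp, rel))
            with open(os.path.join(tmp, rel, "release"), "w", encoding="utf-8") as fh:
                fh.write(body)
        return [(os.path.relpath(r["path"], tmp), r["bucket"]) for r in inventory([tmp])]

if __name__ == "__main__":
    print(demo())
```

Pass `inventory()` only the directories that belong to the contracting entity, and review the `oracle-review` and `unknown-vendor` records by hand before any figure leaves the organisation.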

The bottom line

An Oracle Java audit script is not a fact finding favour. It is the collection step of a commercial claim, and run blindly it gathers the inputs Oracle uses against you. Understand exactly what any script captures, scope it to the contracting entity, separate Oracle Java SE from free distributions, and never let raw output leave your organisation unreviewed. Control the measurement and you control the ceiling of the claim.
