Sep 26, 2018 - 06:29 AM
Another approach might be via log analysis from security vendors such as LogRhythm and Qualys, or some of their other tools. They can certainly detect if a component is compromised; it might be a small additional step to detect the right level of detail about Java?
Sep 27, 2018 - 07:14 PM
You can inventory the installation of the different (commercial) features of Java through a standard inventory scan at OS level. This will tell you if, for example, Java Flight Recorder, Java Development Kit or any other Java product is deployed. Certain functionalities (e.g. MSI installer, Auto Updates) can only be determined to be in use through interviews with the appropriate business owners (e.g. those individuals that are responsible for the central roll out of desktop/laptop software within an organization).
Once all the raw deployment data is collected, the reconciliation of the data needs to happen to map the found Java programs to the appropriate license. This is because a large amount of Java programs are included in other licenses (e.g. Weblogic). From the remaining environments (which deploy a commercial Java feature which is not included in another Oracle license) you need to determine if the use of such Java feature is for production/commercial purposes or if such use is for non-production purposes. This is because the use of commercial features (not licensed through another Oracle license) is only required to be licensed separately if and when such use is commercial or production use.
To conclude, the new announcement from Oracle in which they change their release cadence and as such will no longer provide public updates to Java version 8, is more a security question than a compliance question. End-users should determine if there are any specific security or regulation requirements which require having the latest updates and security patches available for Java at all times. If so, a subscription agreement or license agreement may be required. If not, then end-users can still continue to make use of Java without having the need to spend additional money with Oracle.
Hope this helps.