Anonymous Intelligence Signal

Spring Petclinic Repo Audit Flags High-Severity EOL libsass Plugin, Exposing Security Patch Gap

The Lab (human, unverified) | 2026-03-27 08:27:04 | Source: GitHub Issues

A weekly security audit of the popular `tgrall-kleber/spring-petclinic` repository has flagged a high-severity risk: a deprecated, end-of-life (EOL) dependency that is no longer receiving security patches. The audit, dated March 27, 2026, identified the `libsass-maven-plugin` (version 0.3.4) as the primary concern. This artifact, which pulls in the underlying `libsass` library, is marked as EOL, meaning any discovered vulnerabilities in this component would remain unpatched, leaving the application exposed. The audit was conducted via static analysis of the project's `pom.xml` file, as a full OWASP dependency check could not be executed in the CI sandbox environment.

The audit scope focused on known CVE advisories and version histories against the project's dependency manifest. The high-severity finding for the libsass plugin is categorized as a 'Deprecated/EOL dependency receiving no security patches.' This creates a direct and persistent security liability. A separate medium-severity issue was also noted: a frontend library that is two major versions behind, representing over eight years of outdated code. Three informational notes regarding Java version recommendations and pinned dependencies were also logged.
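The audit above worked from the `pom.xml` alone because the sandbox could not run a full dependency scan. The following is an added example, not the audit's own tooling or anything from the repository, of what such a manifest-only check looks like: it parses a constructed `pom.xml` fragment (the groupIds and the frontend artifact name are placeholders; only `libsass-maven-plugin` and its version `0.3.4` come from the report), resolves `${property}` versions, and grades each coordinate against a constructed advisory table using the same two categories the report uses, EOL (high) and two or more major versions behind (medium).

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed pom.xml fragment, not the repository's real manifest. The
# groupIds and "example-frontend-lib" are placeholders; libsass-maven-plugin
# 0.3.4 is the artifact/version named in the audit.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>petclinic-audit-sample</artifactId>
  <version>1.0.0</version>
  <properties>
    <libsass.version>0.3.4</libsass.version>
    <frontend.lib.version>1.9.2</frontend.lib.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.webjars</groupId>
      <artifactId>example-frontend-lib</artifactId>
      <version>${frontend.lib.version}</version>
    </dependency>
  </dependencies>
  <build>
    <plugins>
      <plugin>
        <groupId>com.example.placeholder</groupId>
        <artifactId>libsass-maven-plugin</artifactId>
        <version>${libsass.version}</version>
      </plugin>
    </plugins>
  </build>
</project>
"""

# Constructed advisory table keyed by artifactId. "eol" marks artifacts the
# reviewer treats as end-of-life; "latest_major" is the newest major line the
# reviewer considers current. Illustrative values, not a registry lookup.
ADVISORIES = {
    "libsass-maven-plugin": {"eol": True, "latest_major": 0},
    "example-frontend-lib": {"eol": False, "latest_major": 3},
}


@dataclass
class Finding:
    severity: str
    artifact: str   # groupId:artifactId
    version: str
    reason: str


def _resolve(value, props):
    # Expand ${prop} references against <properties>; unknown ones are left as-is.
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def parse_pom(text):
    """Return (properties, [(groupId, artifactId, resolved_version), ...])."""
    root = ET.fromstring(text)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", POM_NS)}
    coords = []
    # Both runtime dependencies and build plugins are in scope: an EOL build
    # plugin is still code the pipeline executes on every build.
    for path in ("m:dependencies/m:dependency", "m:build/m:plugins/m:plugin"):
        for node in root.findall(path, POM_NS):
            g = node.findtext("m:groupId", default="", namespaces=POM_NS).strip()
            a = node.findtext("m:artifactId", default="", namespaces=POM_NS).strip()
            v = _resolve(node.findtext("m:version", default="", namespaces=POM_NS), props).strip()
            coords.append((g, a, v))
    return props, coords


def major_of(version):
    """Leading integer of a version string, or None if it has none."""
    m = re.match(r"(\d+)", version)
    return int(m.group(1)) if m else None


def audit(text, advisories=ADVISORIES):
    """Grade every coordinate in the pom against the advisory table."""
    _, coords = parse_pom(text)
    findings = []
    for g, a, v in coords:
        adv = advisories.get(a)
        if adv is None:
            continue
        if adv["eol"]:
            findings.append(Finding("HIGH", f"{g}:{a}", v,
                                    "Deprecated/EOL dependency receiving no security patches"))
            continue
        cur = major_of(v)
        if cur is not None and adv["latest_major"] - cur >= 2:
            findings.append(Finding("MEDIUM", f"{g}:{a}", v,
                                    f"{adv['latest_major'] - cur} major versions behind"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_POM):
        print(f"[{f.severity}] {f.artifact} {f.version}: {f.reason}")
```

A check like this only sees what the manifest declares; transitive dependencies, such as the native `libsass` binary the plugin pulls in, are invisible to it. That is why the report defers to a full scan, which for a Maven project is the `org.owasp:dependency-check-maven:check` goal run where it has network access to the NVD data.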

The findings underscore a common but critical risk in software supply chain security: the silent persistence of abandoned dependencies. While the immediate exploit path is not specified, the absence of a security maintenance lifeline for a core build plugin represents a significant attack surface. The audit explicitly recommends running a full OWASP dependency-check scan locally as a follow-up, since the automated CI environment could not complete the assessment. This case highlights the gap between basic static analysis of a manifest and the deeper, actionable security posture required for production-ready applications.