18. Interpreting Organizational Needs Exercise
Prioritizing Findings
QUESTION:
Your organization, SwiftTech, recently underwent a security audit. During the audit, the assessor noted 4 findings, outlined below, that you need to address in your capacity as a GRC analyst:
One of the findings is a critical vulnerability in a web application. It will likely be difficult to fix immediately.
A separate finding is a high vulnerability in the web server that supports the same web application with the critical vulnerability. It will likely be relatively easy to fix.
Related to the same application, there are two medium vulnerabilities in the database that supports the application. They will be moderately difficult to fix.
Finally, there is a low-level vulnerability related to credential management throughout the organization. It will be moderately difficult to fix.
The web application and its supporting infrastructure are scheduled to be decommissioned in the next 12 months. Knowing this, how would you prioritize fixing the vulnerabilities above? Why? Write a paragraph below outlining which items would be most important.
ANSWER:
There is probably no one "right" answer to this question. Your answer will likely depend on your organization's tolerance for risk and any policies that you might have defining when a vulnerability must be fixed. These types of policies are also dependent on your organization's risk tolerance (also known as risk posture).
If your organization, for instance, is somewhat risk averse (meaning you want to reduce risk as much as possible), you may choose to remediate every one of the flaws, or choose to fix the critical and high vulnerabilities while leaving the medium and low-level vulnerabilities alone because the application is scheduled to be decommissioned relatively soon. This is probably the path that I would take. I'd likely choose to remediate the critical vulnerability because the application is scheduled to be decommissioned in a year. If the application were going to be decommissioned in 3 months, it might change my mind, but a year is a long time to live with a critical web application vulnerability even if it will likely be difficult to fix. Fixing the high vulnerability that is easy to fix is a no-brainer. Fixing the medium and low vulnerabilities will likely come down to a discussion about just how much effort it will take to fix them vs. exactly how bad the vulnerabilities are.
In any case, if you choose to accept the risk of any vulnerability due to an application being decommissioned, you will likely need to create a management exception detailing exactly why the risk did not rise to the level that it needed to be fixed in accordance with your organization's typical vulnerability remediation schedule.
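One way to make the trade-off above explicit is to write the remediation schedule, the effort estimates and the risk tolerance down as policy inputs and let a small triage routine decide, per finding, whether to remediate or to accept the risk with a management exception. This is an added example, not part of the course material; the SLA days, the effort-to-days mapping and the accept_at_or_below knob are assumed values chosen for illustration.

```python
from dataclasses import dataclass

# Assumed policy values for this illustration (not from the exercise):
# maximum calendar days to remediate a finding of each severity ...
SLA_DAYS = {"critical": 30, "high": 60, "medium": 90, "low": 180}
# ... and a rough calendar-day cost for each qualitative effort rating.
EFFORT_DAYS = {"easy": 14, "moderate": 60, "difficult": 120}
SEVERITY_ORDER = ["low", "medium", "high", "critical"]


@dataclass
class Finding:
    ident: str
    severity: str  # one of SEVERITY_ORDER
    effort: str    # one of EFFORT_DAYS


def triage(findings, days_to_decommission, accept_at_or_below=None):
    """Decide, per finding, whether to remediate or accept the risk.

    accept_at_or_below: highest severity the organization tolerates on a
    system that is going away (None = risk-averse, fix everything feasible).
    Returns {ident: (action, management_exception_required)}.
    """
    threshold = -1 if accept_at_or_below is None else SEVERITY_ORDER.index(accept_at_or_below)
    decisions = {}
    for f in findings:
        rank = SEVERITY_ORDER.index(f.severity)
        effort = EFFORT_DAYS[f.effort]
        if rank <= threshold:
            decisions[f.ident] = ("accept", True)      # within tolerance; document why
        elif effort > days_to_decommission:
            decisions[f.ident] = ("accept", True)      # fix would land after retirement
        elif effort > SLA_DAYS[f.severity]:
            decisions[f.ident] = ("remediate", True)   # fix it, but the SLA will slip
        else:
            decisions[f.ident] = ("remediate", False)  # fix it inside the normal SLA
    return decisions


# The SwiftTech findings from the exercise, encoded with the ratings given above.
SWIFTTECH = [
    Finding("webapp-critical", "critical", "difficult"),
    Finding("webserver-high", "high", "easy"),
    Finding("db-medium-1", "medium", "moderate"),
    Finding("db-medium-2", "medium", "moderate"),
    Finding("creds-low", "low", "moderate"),
]

if __name__ == "__main__":
    for ident, (action, exc) in triage(SWIFTTECH, 365, accept_at_or_below="low").items():
        print(f"{ident:16} {action:10} exception_required={exc}")
```

Rerunning triage with days_to_decommission=90 flips the critical finding to "accept", which is the "3 months might change my mind" case from the answer; the point is that the decision and its justification come from stated policy inputs rather than from a hunch.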