DL3002 return false positive for nonroot user

[EyalCMX]

• This is a bug report

Expected behavior

should not return DL3002

Actual behavior

return DL3002

Steps to reproduce the behavior

FROM openjdk:11-jre-slim
USER root

WORKDIR /

RUN mkdir -p /src/main/resources/tmp && \
    chown -R nonroot:nonroot /src/main/resources/tmp

USER nonroot
ENTRYPOINT  ["/bin/sh", "-c", "./run.sh"]

run hadolint on the dockerfile

[ArtAhmetaj]

I wanted to work on this.

I checked with the latest version of hadolint and DL3002, is not showing?
You can also verify with the web version.

[EyalCMX]

we are using
hadolint/hadolint:latest-debian

when i try to use latest:

docker run --rm -i hadolint/hadolint < Dockerfile
Unable to find image 'hadolint/hadolint:latest' locally
latest: Pulling from hadolint/hadolint
db4123164570: Pull complete
Digest: sha256:fff226bdf9ebcc08db47fb90ee144dd770120b35c2b1cbbb46e932a650cfe232
Status: Downloaded newer image for hadolint/hadolint:latest
-:5 DL3002 warning: Last USER should not be root

[spuxx1701]

We're running into the same issue, for example on this Dockerfile:

FROM [redacted] AS build
WORKDIR /app
COPY ./ ./
USER root
RUN npm ci && npm run build && npm prune --omit=dev

FROM [redacted]
HEALTHCHECK CMD /bin/true
USER root
COPY --from=build /app/dist /app
COPY --from=build /app/node_modules /app/node_modules

EXPOSE 8080
USER 1000
CMD ["/app/src/main.js"]