Ubuntu ESM packages in Grype

A vunnel question: We pull in the Ubuntu feed and don’t present ESM updates (those behind Ubuntu Pro subscriptions).
I was led to believe the data isn’t in the Ubuntu feed. But unless I am mistaken, it is.
I just ran vunnel run ubuntu and in /data/ubuntu/input/ubuntu-cve-tracker/active an example CVE (CVE-2021-3610 in imagemagick) which is one fixed in Jammy (Ubuntu 22.04) has indeed got an entry for the update in ESM.

Am I doing something wrong, or we we not ingesting this data correctly? Or something else?

$ pwd
/Users/alan/Work/Anchore/vunnel/data/ubuntu/input/ubuntu-cve-tracker/active

$ grep esm CVE-2021-3610
trusty/esm_imagemagick: not-affected (code not present)
esm-infra-legacy/trusty_imagemagick: not-affected (code not present)
esm-infra/xenial_imagemagick: not-affected (code not present)
esm-infra/bionic_imagemagick: not-affected (code not present)
esm-apps/focal_imagemagick: not-affected (code not present)
esm-apps/jammy_imagemagick: released (8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3+esm2)
esm-apps/noble_imagemagick: not-affected (8:6.9.11.60+dfsg-1.6ubuntu1)

To test, I made a docker container that uses Ubuntu 22.04, and only has apt install imagemagick .

FROM ubuntu:22.04

# Install ImageMagick packages
RUN apt-get update && \
    DEBIAN_FRONTEND=noninteractive apt-get install -y \
    imagemagick \
    imagemagick-6.q16 && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*

# Set the entrypoint to the ImageMagick convert command
ENTRYPOINT ["/usr/bin/convert-im6.q16"]

Grype finds CVE-2021-3610 but has no suggestion for what fixes it, even though the feed does have the fix (8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3+esm2)

$ grype imagemagick-converter:latest --only-notfixed --by-cve --output text > ubuntu2204-imagemagick.txt
$ grep CVE-2021-3610 ubuntu2204-imagemagick.txt

NAME                         INSTALLED                            FIXED-IN  TYPE  VULNERABILITY   SEVERITY
imagemagick                  8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5            deb   CVE-2021-3610   Medium
imagemagick-6-common         8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5            deb   CVE-2021-3610   Medium
imagemagick-6.q16            8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5            deb   CVE-2021-3610   Medium
libmagickcore-6.q16-6        8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5            deb   CVE-2021-3610   Medium
libmagickcore-6.q16-6-extra  8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5            deb   CVE-2021-3610   Medium
libmagickwand-6.q16-6        8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5            deb   CVE-2021-3610   Medium