rubysec / ruby-advisory-db

A database of vulnerable Ruby Gems

Home Page: https://rubysec.com

Advisory Schema - Is :description a type of markdown/markup?

istrasci opened this issue

Looking at the Schema section of the README, we can see that both gems and rubies have an associated description attribute that says:

[String] (required): One or more paragraphs describing the vulnerability. It may contain multiple paragraphs.

My question is, does this text follow some type of markdown/markup formatting? I've seen several advisories that indicate so (containing # Headers, [Some Links](URL), etc.), but I'm wondering if that's coincidental, or if it's always the case. If so, which "flavour" does it follow? And do any of the other string attributes contain markdown/markup as well?

Basically, I'm doing some bundler-audit automation to email the vulnerabilities found. I'd like to run the :description (and possibly other attributes) through some converter to properly format the email HTML.

description was not originally supposed to contain markdown, but markdown has gotten into it over the years, when copy/pasted from advisories. You could try to render description and then fall back to raw text on parse errors. Hope that helps.
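
One way to implement the render-then-fall-back approach suggested above, as an added example that is not part of the original thread or the project's own code. The `renderer:` hook, the function names and the sample advisory are assumptions constructed for illustration; pass in a callable that wraps whichever Markdown library you use.

```ruby
require 'yaml'
require 'date'
require 'erb'

# Constructed sample advisory, not a real ruby-advisory-db entry.
SAMPLE_ADVISORY = <<~ADVISORY
  gem: examplegem
  date: 2020-01-01
  title: Example issue in examplegem
  description: |
    # Impact

    Crafted input like <script>alert(1)</script> is mishandled.

    See [the notes](https://example.com/notes).
ADVISORY

# Fallback: escape all markup and emit one <p> per blank-line-separated paragraph.
def plain_text_html(text)
  text.to_s.strip.split(/\n{2,}/).map do |para|
    "<p>#{ERB::Util.html_escape(para.strip).gsub("\n", '<br>')}</p>"
  end.join("\n")
end

# renderer: hypothetical hook, any callable that takes the description string
# and returns HTML (for example a lambda wrapping your Markdown library).
# Markdown renderers commonly pass inline HTML through, so the callable should
# escape or sanitize it before the result goes into an email body.
# Returns [html, mode], where mode is :markdown or :plain.
def description_html(advisory_yaml, renderer: nil)
  # An unquoted YAML date (as in the sample) loads as a Date, which safe_load
  # rejects unless that class is permitted explicitly.
  advisory = YAML.safe_load(advisory_yaml, permitted_classes: [Date])
  text = advisory.fetch('description')
  return [plain_text_html(text), :plain] if renderer.nil?

  begin
    html = renderer.call(text).to_s
    raise ArgumentError, 'renderer returned no HTML' if html.strip.empty?
    [html, :markdown]
  rescue StandardError
    # Parse or render failure: send the escaped raw text instead.
    [plain_text_html(text), :plain]
  end
end
```

The returned mode tells the mailer which path was taken, so plain-text fallbacks can be logged and reviewed.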