specification
Support optional code attribute in occurrences and callstack.frames evidence
Including the code snippet in the SBoM can help users without access to the application source code understand the evidence better.
We currently support the value attribute in identity.methods. The new attribute could be called code to make it explicit. We could recommend that the generator tools escape/encode the value before setting this attribute to prevent injection or scripting attacks. We could also suggest the tools include the code attribute only when explicitly requested by the user or service with an argument.
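The following is an added illustration of the proposal, not code from the CycloneDX project or this issue's author. It builds an `evidence.occurrences` entry whose `location` and `line` follow the existing schema, attaches the proposed `code` attribute only when the caller opts in (the `include_code` flag and the sample source text are assumptions made for the example), shows that JSON serialization already escapes the snippet so it cannot break the document itself, and shows the separate step a consumer still needs, HTML-escaping before display, which is where a script-looking snippet would otherwise become a scripting attack.

```python
import html
import json

# Constructed sample source file that a generator has scanned; the third line
# deliberately contains markup so the escaping steps have something to bite on.
SAMPLE_SOURCE = """import requests
session = requests.Session()
html = "<script>alert(1)</script>"  # string that looks like markup
"""


def make_occurrence(location: str, line: int, source_text: str,
                    include_code: bool = False, context: int = 0) -> dict:
    """Build one entry for evidence.occurrences.

    'location' and 'line' are existing CycloneDX occurrence fields.
    'code' is the attribute proposed in this issue (assumption: it holds the
    raw source lines); it is emitted only when include_code is True, so a
    default run never leaks source into the SBOM.
    """
    occ = {"location": location, "line": line}
    if include_code:
        lines = source_text.splitlines()
        start = max(0, line - 1 - context)      # optional surrounding lines
        end = min(len(lines), line + context)
        occ["code"] = "\n".join(lines[start:end])
    return occ


def to_json(fragment: dict) -> str:
    # json.dumps escapes quotes, backslashes and control characters, so a
    # snippet cannot terminate or alter the JSON string that carries it.
    return json.dumps(fragment, ensure_ascii=False)


def roundtrip(fragment: dict) -> dict:
    # Parse the serialized fragment back; the snippet must survive unchanged.
    return json.loads(to_json(fragment))


def render_code_html(occurrence: dict) -> str:
    """Consumer side: a viewer that places the snippet in HTML must escape it;
    JSON encoding alone does nothing for the browser."""
    code = occurrence.get("code", "")
    return "<pre>" + html.escape(code, quote=True) + "</pre>"


if __name__ == "__main__":
    occ = make_occurrence("src/app.py", 3, SAMPLE_SOURCE, include_code=True)
    print(to_json({"occurrences": [occ]}))
    print(render_code_html(occ))
```

The same `make_occurrence` shape applies to `callstack.frames` entries, which already carry `line` and `fullFilename`; the opt-in flag and the consumer-side escape are the two recommendations the issue text makes.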