Thanks for helpful input. This matches my own observation.
Tool-chain used in project requires additionally license.manifest file on its input.
For some reason it also takes a look into files named Packages.
Actually it can be clear why it does this: Packages file specifies among others each package source code address/path.
Despite the question files named Packages generated for .ipk YES, for .rpm NO,
is it legitimate to use these files in external tool-chain for software composition analysis?
I mean these files might be Yocto internal interface not intended for purpose pointed out here. May this be true?